The Dragos Threat Operations Center’s (TOC) mission is to improve customer ICS defenses by sharing our expertise, engaging our clients, and educating whenever and wherever we have an opportunity. Through each of our projects and engagements, our main focus is on improvement, not only for clients but for the ICS community as a whole, because we believe that human lives, industrial environments, and the underpinnings of civilization are constantly at risk. To continue that focus on improvement, the Dragos TOC Year in Review reports aim to provide the ICS community with actionable steps to build their defenses by sharing our first-hand experience hunting industrial adversaries and responding to intrusions in industrial environments.
The TOC’s 2017 Year In Review focused on teasing out improvements and observations from our hunting and incident response engagements. This year, we’ve expanded the scope of our Year in Review to encompass all of our engagements, and we’ve divided them between proactive and responsive engagements. Proactive engagements include: threat hunts, vulnerability assessments, architecture reviews, and penetration tests. Responsive engagements include: incident response retainers and rapid response. This year, we also provided a breakdown of the verticals we engaged with, so we can provide better insight into trends, how organizations are learning about their networks, and proactive observations of potential improvements in ICS security measures.
- The majority of Dragos TOC engagements in 2018 were in response to our clients requesting help to gain an understanding of their industrial environments and to identify active threats through threat hunting.
- Dragos’ second most requested engagement in 2018 stemmed from our clients wanting to be better prepared to handle incidents and respond to active intrusions. These engagements concentrated on handling an event either through practice or confirmed compromise.
Highlights of 2018 Year in Review
- 56% of Dragos’ engagements focused on energy (oil, gas, electric, transmission, generation, management, and renewables). The remaining 44% was split equally among engineering and production of chemical, biomedical, and pharmaceutical products; manufacturing; transportation and shipping; and water utilities and wastewater treatment.
- 37% of Dragos’ incident response engagements involved an initial intrusion vector dating back more than 365 days; in all other engagements the initial vector was either inconclusive, or the intrusion was detected and contained by facility teams and Dragos as it occurred.
- Dragos observed communication and data sharing taking place within industrial sectors, and noted that organizations are leveraging trusted relationships with peers to better the ICS industry.
From-the-field insights are notoriously hard to find in the ICS community, due to a range of sensitivities that prevent companies from openly or privately sharing incident response lessons, the maturity of their ICS environments, what has been successful, and where there is still room for improvement. It is not a small undertaking, but it is valuable and needed in order for organizations to be as defensible as possible, which is why Dragos will continue to share our insights annually, so we can encourage education, foster improvement, and provide the community with the tools to empower itself.
Note: This is a summary of one of three reports as part of our Year in Review. The other two reports focus on our intel team’s view into vulnerabilities and threats. Collectively, these make up a comprehensive view into the state of industrial environments for 2018. To read the reports, visit: https://www.dragos.com/year-in-review/