Dragos hosted our annual Year in Review webinar discussing research, trends, and vulnerabilities in industrial control system (ICS) cybersecurity in 2019. The findings came from three reports: one providing an overview of the ICS threat landscape and activity groups targeting this space, a vulnerability report that included assessed data from over 400 vulnerabilities affecting ICS, and findings from Dragos’ incident response and penetration testing team that worked with industrial infrastructure companies around the world to respond to and prevent cybersecurity events.
Dragos Vice President of Professional Services and R&D Ben Miller, Senior Vulnerability Analyst Kate Vajda, and Cyber Threat Intelligence Analyst Selena Larson joined Dragos Vice President of Threat Intelligence Sergio Caltagirone in conversation about key findings from each report.
The discussion covered attack trends and adversary behaviors Dragos observed in threat hunting and incident response, including the proliferation of threats that now target multiple industrial sectors. Additionally, panelists discussed key behaviors observed in victim environments, including the 66% of incident response cases involving adversaries accessing ICS networks directly from the Internet.
Dragos panelists received a number of questions from the audience, many of which we were unable to answer live during the webinar. However, we collected them all and they are answered below.
Q: 'One of the interesting findings in the report is the fact that 0% of the incidents had aggregated logs for you to look at. Would you go so far as to say that simply gathering and looking at logs would help detect adversaries or reduce dwell time in OT networks? Similar question about EDR: do you expect EDR tools to be useful in OT environments? Or would that add too much surface area of attack, and we'd be better off continuing to use EDR in IT only? Does aggregated logging become more important than other controls? (I'm very glad you called it out in the reports).'
Q: 'What guidance do you offer to protect against supply chain attacks on software patches?'
Q: 'What are the datapoints that you use to determine probability or likelihood of a threat occurring?'
Q: 'In the reports, you say there’s been a ‘spike’ in ransomware incidents. We're only hearing of a low number out of 1000s and 1000s of targets. How many ransomware cases in 2019 are you aware of?'
Q: 'In reviewing your ICS Vulnerabilities report, I see you have Loss of View and Loss of Control impact types. But you are missing the Loss of Protection impact type. Had TRISIS been ‘successful’ it would have been a Loss of Protection incident?'
Q: 'As IT security reaches into the OT environment for management of security, how do we talk traditional IT security folks out of the mindset that constant software/firmware patching will solve inherent risks of the ICS environment due to the 'insecure by design' reality of ICS infrastructure? I find that there is a severe disconnect between experienced ICS/OT folks and IT folks on this subject.'
'I think it’s very important that you have your security team open their hearts and minds and put themselves into ‘learning mode’ when entering a plant and meeting OT personnel. No OT person likes to be told that their system is broken; they’ve been caring for and feeding it for possibly decades, and they deserve to be respected, regardless of how bad their plant may look from an IT perspective. Trust has to be earned as well. It’s more important that trust is built between the teams so that IT security is called when a potential cyber-related incident takes place, instead of working around whatever the issue is (as most people in that space are willing to do). To be secure in OT, you have to make the secure option the easiest option. That means not causing a big commotion when basic IT security controls aren’t met, but instead understanding and training on the easy/right way to proceed.
Patching in OT is something that IT people like, mostly because it’s easy to measure and show improvement (or not). But the ROI on patching these devices just might not be there. Let’s say a Modicon controller has a vulnerability that allows you to configure the device remotely, and a patch comes out that fixes the web certificate of the device. Fixing the certificate is generally to stop man-in-the-middle attacks, where the attacker is already on the same network as the controller. If you haven’t mitigated the first vulnerability, mitigating the second one doesn’t mean anything. And in some cases, the ‘bugs’ that were identified are part of the “feature” set in OT and are needed for the functionality of the device.
Some patching is good, especially if vendors have approved it, etc., but focusing solely on patching, when you could be documenting what protocols are in use and monitoring for abnormalities, is a mistake: that is what can protect you against the forever-days that these devices are vulnerable to.' -Ben
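The answer above argues that documenting which protocols each asset uses and watching for deviations pays off more than chasing every patch. The following is an added example, not Dragos code or anything from the webinar, of what that looks like in its simplest form: a per-asset protocol baseline built from flow records, then new records checked against it, with an extra flag for traffic whose source lies outside the plant network (the direct-from-Internet access pattern the webinar summary mentions). The flow records, the 10.10.0.0/16 plant range and the function names are all constructed for the example.

```python
"""Per-asset protocol baseline and anomaly check over flow records.

Added example; the data below is constructed and does not describe any real plant.
Each flow is (source_ip, destination_ip, destination_port, protocol_name), the
kind of tuple a passive monitor or a firewall log would yield.
"""
import ipaddress
from collections import defaultdict

# Assumed plant (OT) address range; anything outside it is treated as external.
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")

# Constructed learning-period traffic: HMIs talking Modbus/TCP and EtherNet/IP
# to two controllers. This is what "documenting what protocols are in use" produces.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502, "modbus"),
    ("10.10.1.5", "10.10.2.11", 502, "modbus"),
    ("10.10.1.6", "10.10.2.10", 44818, "enip"),
    ("10.10.1.5", "10.10.2.10", 502, "modbus"),
]

# Constructed later traffic to check: one normal flow, one new protocol to a
# controller, one Modbus flow arriving from an address outside the plant range.
NEW_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502, "modbus"),
    ("10.10.1.5", "10.10.2.10", 80, "http"),
    ("203.0.113.7", "10.10.2.11", 502, "modbus"),
]


def build_baseline(flows):
    """Map each destination asset to the set of (port, protocol) pairs seen."""
    baseline = defaultdict(set)
    for _src, dst, port, proto in flows:
        baseline[dst].add((port, proto))
    return dict(baseline)


def protocol_inventory(baseline):
    """Human-readable inventory: asset -> sorted list of (port, protocol)."""
    return {dst: sorted(pairs) for dst, pairs in baseline.items()}


def find_anomalies(flows, baseline, ot_network=OT_NETWORK):
    """Return flows that either use a protocol the asset has never been seen
    speaking, or originate outside the OT network. Each finding carries the
    reasons so an analyst can triage it."""
    findings = []
    for src, dst, port, proto in flows:
        reasons = []
        if ipaddress.ip_address(src) not in ot_network:
            reasons.append("source outside OT network")
        if (port, proto) not in baseline.get(dst, set()):
            reasons.append("protocol not in baseline for this asset")
        if reasons:
            findings.append(
                {"src": src, "dst": dst, "port": port, "proto": proto, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for asset, pairs in protocol_inventory(base).items():
        print(asset, pairs)
    for finding in find_anomalies(NEW_FLOWS, base):
        print(finding)
```

The baseline is deliberately keyed on the destination asset rather than on the whole network, so a protocol that is legitimate for an engineering workstation still stands out when it first appears against a controller. In practice the learning set would come from weeks of passive capture, and the check would run continuously rather than over a fixed list.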
Q: 'As Dragos has grown over the last year and increased its customer base, have there been any surprises in how ICS networks are set up around the world? Non-intuitive commonalities or differences by geographic region or sector?'
Q: 'What is the best way to discover if ICS activity groups have launched a campaign in my network?'
Q: 'You mentioned monitoring as best practice. What tools can organizations deploy for proactive monitoring?'
Q: 'Is OT awareness training different from IT in these days?'
Q: 'Have you seen any OT Ransomware attack that actually threatened to control an end device directly... i.e. shut a control valve... shut down a pump?'
Q: 'Have you seen any entry into the OT environment from the supply chain... like a compromised control valve? And, what about the new wave of cheaper IIoT devices, are those a point of a concern?'
If you’d like to read the 2019 Year In Review reports or watch the recorded webinar, you can find them here.