Research from Dragos has highlighted that the industrial sector attracted increased unwanted attention from adversaries last year. With attackers continuing to up the ante and the consequences of an attack proving potentially devastating, defenders must review and prioritise their OT security strategies. Seth Enoka, Principal Industrial Incident Responder, Dragos, talks us through the research and highlights how CISOs can better protect their organisations against these threats.
What are the outcomes of a security breach of critical infrastructure on communities?
The impacts of a security breach on critical infrastructure, whether targeted or opportunistic, are significant. The consequences of a cyberattack in industrial environments are often far more dire than those in IT networks. Attacks on enterprise IT are impactful, too – a data leak because of a phishing incident can wreak havoc – but when it comes to critical infrastructure, adversaries can and have caused massive disruption, including loss of view, loss of control, and even risk to life.
Our Year in Review highlighted that in 2021, the industrial community attracted high-profile attention. Major cybersecurity incidents struck industrial organisations in various sectors, with international headlines detailing everything from a compromise of a water treatment facility with the intent to poison its community to a ransomware attack against a pipeline operator that disrupted gas supplies to the south-eastern United States.
These reports underscored the potentially devastating outcomes a security breach of critical infrastructure could have on communities and a country’s economy. They also elevated the ICS/OT community’s discussion on cyber-readiness and brought them to the fore – and the policymakers’ and regulators’ attention, too.
Can you tell us more about the report findings and how they will aid the CISO community?
The report provides industrial organisations with meaningful insights to help them better understand the cyber-risks surrounding their most important assets – their ICS/OT environments.
It adds data-driven insights that provide context to the sensational stories and evidence from the field of how industrial organisations are progressing in their cybersecurity readiness and where they need to continue their work to provide safe and reliable operations into 2022 and beyond.
Among other findings, the report identified three new activity groups with the assessed motivation of targeting OT. Two groups have achieved Stage 2 of the ICS Cyber Kill Chain showing their ability to access OT networks directly.
In March 2021, KOSTOVITE compromised the perimeter of an energy operation and maintenance provider network, exploiting a zero-day vulnerability in the popular remote access solution, Ivanti Connect Secure. KOSTOVITE used dedicated operational relay infrastructure against this target to obfuscate the origin of its activities, then stole and used legitimate account credentials for its intrusion.
PETROVITE targets mining and energy operations in Kazakhstan. One targeted group has 16 business units that focus on mining and power generation throughout Kazakhstan. Dragos is aware of targeted operations that started during the third quarter of 2019 and intermittently continued throughout 2021.
ERYTHRITE is an activity group that broadly targets organisations in the US and Canada with ongoing iterative malware campaigns. Dragos has observed ERYTHRITE compromising the OT environments of a Fortune 500 company and the IT networks of large electrical utility, food and beverage companies, auto manufacturers, IT service providers and multiple oil and natural gas service firms.
While the industrial community has discussed the importance of OT cybersecurity for years, 2021 brought high-profile attacks that showed real-world outcomes on local communities and global economies.
The cyber risk to industrial sectors is accelerating at a time of rising geopolitical tensions and Digital Transformation initiatives driving hyper-connectivity. The real-world observations and data-backed insights can serve as practical, timely guidance as the industrial community strives to understand where they are exposed, what threat groups are doing and how to build security and resiliency into their OT systems.
How much of a threat is ransomware to ICS/OT?
According to the Year in Review report, ransomware has become the number one attack vector in the industrial sector. Dragos assessed that manufacturing accounted for 65% of all ransomware attacks. Two ransomware groups, Conti and Lockbit 2.0, caused 51% of attacks – with 70% of their malicious activity targeting manufacturing.
The marked uptick in ransomware attacks is largely attributed to the emerging Ransomware-as-a-Service (RaaS) phenomenon. Ransomware groups like Conti and Lockbit 2.0 have mobilised into an underground marketplace where developers outsource operations to affiliates who execute the attacks.
How does Dragos support OT defenders to be able to mitigate the physical consequences of OT cyberattacks?
Dragos works with the community to help vendors provide more accurate, actionable and easier-to-track advisories. In 2021, we significantly enhanced the vulnerability management features offered to customers through the Dragos Platform.
We assess vulnerabilities in our WorldView Intelligence reports in the Dragos Platform and categorise them by threat levels: Immediate Action; Limited Threat; Possible Threat; No Action; and Hype. Dragos also recommends four different responses to those threats: Remediate; Mitigate; Monitor; or Ignore.
Talk us through Dragos’ Crown Jewel Analysis (CJA) Model – how does this help organisations?
Dragos uses a consequence-driven approach, the Crown Jewel Analysis (CJA) Model, when scoping and conducting OT cybersecurity assessments. The CJA Model is a repeatable scoping approach that helps visualise how an attacker assesses a system to achieve a specific consequence. Using CJA and credible threat intelligence, Dragos creates plausible attack scenarios to educate asset owners and operators on their potential exposure to adversaries and threat groups and to better prioritise the findings and recommendations in our reports.
What five recommendations would you offer CISOs to be better protected against these threats?
- Build a more defensible architecture (external connections, poor perimeters)
70% of Dragos Professional Services engagements found external connections from OEMs, IT networks, or the Internet to the OT network, and 77% of engagements found improper network segmentation. To reduce cyber risk, network architects can leverage traditional tools and concepts such as strong segmentation, firewalls, or software-defined networks. This can take various forms, such as IEC 62443 zones and conduits, DMZs, jumphosts, etc.
- Bolster OT monitoring capabilities
86% of service engagements included a finding around lack of visibility across OT networks, making detections, triage and response incredibly difficult at scale. Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture. Threat detection from monitoring allows for scaling and automation for large and complex networks. Additionally, monitoring can also identify vulnerabilities easily for action.
- Strengthen remote access authentication
A total of 44% of service engagements included a finding of shared credentials in OT systems, the most common method of lateral movement and privilege escalation. Multi-Factor Authentication (MFA) is the most effective control for remote access authentication. Where MFA is not possible, consider alternate controls such as jumphosts with focused monitoring. The focus should be placed on connections in and out of the OT network and not on connections inside the network.
- Prioritise OT vulnerability management
The number of known ICS/OT vulnerabilities doubled in 2021. Still, only 4% of flaws require immediate action because they are being actively exploited in the wild or have a public exploit available. Dragos recommends defenders prioritise those that bridge IT and OT over those residing deep within the ICS/OT network or those that fall into the ‘Remediate’ category in Dragos’ vulnerability analysis.
- Develop, implement and continually improve the ICS/OT Incident Response plan
Tabletop Exercise (TTX) testing of existing ICS/OT Incident Response (IR) plans in 2021 showed that most organisations faced at least some challenges in five out of seven core IR capabilities. Dragos recommends that industrial organisations have a dedicated IR plan for their ICS/OT environments that they regularly exercise against real threat scenarios with cross-disciplinary teams (IT, OT, executives, etc.).
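The following added example (written for this page, not Dragos code or its published methodology) turns the vulnerability-management guidance above and the threat-level and response categories described earlier into a small triage routine: flaws that are actively exploited or have a public exploit go to the front of the queue, and among the rest, those at the IT/OT boundary outrank those deep in the control network. The zone names, the level-to-response mapping and the finding records are constructed assumptions for illustration; the ‘Hype’ category is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed placeholder ids, not real advisories
    zone: str             # assumed zones: it_ot_boundary, ot_dmz, control, field
    exploited_in_wild: bool
    public_exploit: bool
    fix_available: bool

# Zones that bridge IT and OT are ranked ahead of deeper control-network assets.
ZONE_RANK = {"it_ot_boundary": 0, "ot_dmz": 1, "control": 2, "field": 3}
LEVEL_RANK = {"Immediate Action": 0, "Possible Threat": 1,
              "Limited Threat": 2, "No Action": 3}

def threat_level(f: Finding) -> str:
    # Only actively exploited flaws, or those with a public exploit,
    # need immediate action; the remaining mapping is an assumption.
    if f.exploited_in_wild or f.public_exploit:
        return "Immediate Action"
    if f.zone in ("it_ot_boundary", "ot_dmz"):
        return "Possible Threat"
    return "Limited Threat" if f.zone == "control" else "No Action"

def response(f: Finding) -> str:
    # Assumed mapping onto the four responses named in the interview.
    level = threat_level(f)
    if level == "Immediate Action":
        return "Remediate" if f.fix_available else "Mitigate"
    return {"Possible Threat": "Mitigate", "Limited Threat": "Monitor",
            "No Action": "Ignore"}[level]

def prioritise(findings):
    # Sort by threat level first, then by how close the asset is to IT.
    return sorted(findings, key=lambda f: (LEVEL_RANK[threat_level(f)],
                                           ZONE_RANK[f.zone]))

def immediate_share(findings) -> float:
    # Fraction of findings that actually need immediate action.
    hits = sum(threat_level(f) == "Immediate Action" for f in findings)
    return hits / len(findings) if findings else 0.0

# Constructed sample findings for an offline run.
SAMPLE = [
    Finding("V-001", "it_ot_boundary", True, True, True),
    Finding("V-002", "control", False, True, False),
    Finding("V-003", "ot_dmz", False, False, True),
    Finding("V-004", "control", False, False, True),
    Finding("V-005", "field", False, False, False),
    Finding("V-006", "field", False, False, True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f.vuln_id, f.zone, threat_level(f), response(f))
    print(f"immediate action share: {immediate_share(SAMPLE):.0%}")
```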