Uniform Infrastructure Raises Risk for Industrial Attacks
Dragos CEO: Unpatched Vulnerabilities Less of a Problem in OT Than Outsiders Think
The increased physical connectivity of digital assets has expanded the attack surface and added complexity for engineers in industrial environments, says Dragos CEO Robert Lee.
Wider deployment of industrial automation and new systems has made it tougher for plant operators to conduct root cause analysis and bring systems back up in the event of an outage, Lee says during a virtual panel Thursday. Industrial facilities have been forced to rely more heavily on original equipment manufacturers, vendors and integrators to conduct root cause analysis in a worsening threat landscape, Lee says.
"You don't have as much time to respond anymore," Lee says. "We are seeing nation-states allocate a significant pool of resources to targeting industrial infrastructure, not just for espionage but for political and military value."
Lee says more than 95% of the focus, standards, investment, resources and budget in critical infrastructure goes to the enterprise IT environment, while the OT side, which is responsible for generating revenue and maintaining environmental safety, gets just 5% of the resources and focus. Stakeholders are becoming increasingly aware that investment priorities have to change, according to Lee (see: OT Cybersecurity Strategies for Executives).
"When people understand the challenge, I don't see any reservation from the industrial asset owners and operators of going and fixing it," Lee says. "But it's not going to be something that's done in a six-month period."
'Time Is Running Out Against Certain Types of Threats'
In early 2022, Dragos for the first time saw an adversary develop and deploy a capability that was ready to be disruptive inside of U.S. critical infrastructure and go after liquid natural gas and electric sites. The capabilities were eye-opening since they were scalable, reusable, cross-industry and took advantage of the move toward more homogeneous infrastructure and common software stacks inside controllers.
"There are these commonalities, this homogeneous nature that's formed. It's a good idea from a business perspective," Lee says. "But there's also this risk now that we have adversaries that can create reusable, scalable capabilities, and they're no longer site- or subindustry-specific."
Lee is highly confident adversaries are still developing this capability, since there is no way to eliminate the risk through patching. Because the attack method doesn't need to exploit a vulnerability to achieve its effect, it's not going to go away anytime soon, Lee says. Although development is continuing, the capabilities haven't been deployed anywhere in the wild, he adds.
From a defensive standpoint, Lee says, critical infrastructure firms must focus not only on preventing attacks but also on detecting them, responding to them and recovering from them. Organizations should understand not only the indicators of compromise but also the tactics, techniques, procedures and methods of adversaries in order to mount a robust defense against the latest generation of attacks.
"Time is running out against certain types of threats," Lee says. "With the growing industrial automation, complexity and growing homogeneous infrastructure, we need to be astute to what this might mean for our communities."
'There's So Much Pressure … to Always Be Patching'
Lee says companies must refrain from blindly copying their IT security practices into OT, chief among them the assumption that legacy equipment such as Windows XP or Windows 7 increases the risk of an industrial attack. In a similar vein, Lee says, unpatched vulnerabilities are less of a concern than IT departments think, since there are no known cases of industrial control system-specific vulnerabilities being leveraged in an ICS attack.
"We put it as the number one thing, when it's probably not the top four in terms of what we need to do," Lee says.
Just 4% of vulnerabilities have either been used in an industrial attack or could realistically be used in an industrial attack that could cause outages or jeopardize safety and operations, Lee says. An additional 30% to 40% of known vulnerabilities could be leveraged in an industrial attack, but the attack wouldn't have much of an impact, according to Lee.
"There's so much pressure on asset owners and operators to always be patching, and I have responded to more IT people about patching than Russia, China and Iran combined," Lee says. "So I just want us to be careful with the risk."