Brian Jackson - Fotolia
While investments in cyber attacks against industrial control systems are growing, so too are organizations' awareness of the potentially debilitating threats.
Dragos Inc. released its "Year in Review 2020" report on Wednesday which provides an analysis of industrial control systems (ICS) and operational technology (OT) cyberthreats, vulnerabilities, assessments and incident response insights. The annual report determined that the threats have increased threefold, in part because of the emergence of four new threat groups.
Dragos' report also said awareness of these threats within private and public organizations is growing, especially over the last five years, as they have recognized they are being targeted. However, security surrounding these attacks, including visibility, shared credentials and the reliance on the Common Vulnerability Scoring System (CVSS), which is geared toward traditional IT, remains a problem.
ICS and OT hacking capabilities and knowledge are still relatively narrow in terms of groups that can achieve it. But Sergio Caltagirone, vice president of threat intelligence for Dragos, told SearchSecurity the number of such capable threat groups is growing faster than they anticipated.
As noted in the report, Dragos is seeing a threefold increase of active groups affecting ICS systems. Normally, Caltagirone said, groups become active then eventually go dormant, evolve into a different kind of threat group, or go away entirely.
"What we're seeing is the groups are growing three times faster than the number that are going quiet, and that's concerning primarily because it just shows that over the last several years that ICS threats are growing but we never knew how to quantify that exactly. And this shows us," Caltagirone said.
According to Caltagirone, these groups currently have two goals: reconnaissance and intelligence building.
"It looks like a lot of groups are still learning how to do reconnaissance of the OT, so they are basically gaining access to these environments to learn. They're pulling out very sensitive documents about the ICS that they're attacking and they're mapping out the networks and so forth. They're probably building their own network somewhere else that models what they're seeing in real life so they can build and test capabilities and things later," Caltagirone. "We aren't seeing a huge number of what we could call effects, which are people who are touching and modifying ICS systems. It is happening, but it's not happening a lot yet."
Caltagirone said Dragos is still seeing what they categorize as likely nation-state or state-associated adversaries "given the amount of resources that would need to be applied in these operations that we watch."
"What's interesting overall, our current assessment is that it takes an adversary three to five years of practice, knowledge, learning, understanding, intruding into ICS networks in order to do something capable -- what we call a capable adversary. Anyone can kind of go in and push buttons and see what happens, but if you really want to know what you're doing, it takes three to five years right now," he said.
When Dragos first started in 2013, Caltagirone said investment in ICS security threats was just starting. Adversaries were just entering the industry in what he refers to as a "honeymoon period." Dragos knew that period wouldn't last long.
"We're now past the honeymoon period and into a dangerous time for critical infrastructure and manufacturing and other ICS environments. We're moving into giving adversaries a clear freedom of movement within these organizations in that they can pretty much start doing whatever they want and they'll be able to have control over what happens," he said.
One way to enable that control is with ransomware. Caltagirone said Dragos is seeing an increase in ransomware families that are ICS-aware, though it is mostly criminal organizations.
"So, they identify that they are in an ICS environment and then they take action against ICS networks specifically. So, they're looking for specific processes, vendors and things like that where they will actually go and shut down to run ransomware."
When it comes to ransomware, attackers use credentials to determine how they can move across defensive perimeters.
According to the report, the abuse of valid user accounts was the number one technique used by the new activity groups in 2020. Ben Miller, vice president of professional services and R&D at Dragos, told SearchSecurity that shared credentials within the industrial environment are fairly commonplace.
"That's due to sometimes the criticality of system operators always having the same access and rotations and everything, they may not have a large authentication system, so they have a system operator account and that's what everyone uses to log in," he said.
However, the top security concern organizations are having is the visibility into their environment. Miller said it comes down to not only what machines are in their environment, but what pieces of equipment are part of the industrial process, what the critical aspects are and what behaviors they're exhibiting.
"Whether they are normal or malicious essentially, but the number and length of logs they have available to them to understand who has logged on and what time, that largely doesn't exist in industrial environments because they were never built for that," he said. "So that is where a lot of the investment is right now -- not just putting up perimeters but also making it a more defensive posture where you can defend them, identify intrusions after the fact and be able to do that root cause analysis."
Two more things like largely don't exist for ICS vendors: security teams and a suitable CVSS.
The absence of security teams within ICS and OT manufacturers is difficult because they don't understand the cybersecurity world and what vulnerabilities mean to the owners and operators of their equipment. Even with a security team, the CVSS remains problematic. That problem, said Caltagirone, is that the CVSS is trying capture severity impact.
"That is the fundamental measure of CVSS. Of course, ICS is a fundamentally different impact than a normal IT network of computers, so using CVSS generally as an approach to measure the impact of ICS if hugely flawed."
According to the report, Dragos analyzed 29% more vulnerabilities in 2020 than 2019, "demonstrating a rise in publicly known flaws in systems supporting industrial operations. Of individually reviewed vulnerabilities, 33 percent contained errors in the CVSS score, potentially impacting patching decisions made by asset owners and operators. Over one third of vulnerabilities could cause a loss of view and control if exploited by an adversary."
Additionally, the report determined that 73% of corrected advisories were more severe than the public advisories, meaning they are far more underscored.
"The vendors and analysts who are scoring vulnerabilities for ICS have never seen an ICS environment in their lives and they're basically using the traditional IT measurement which is why we basically rescore them, and then we also reclassify them as to exactly what kind of impact and damage they would do to ICS," Caltagirone said. "CVSS scores are not ICS impact scores. The industry should not be using them to do their prioritization."
Dragos' reclassification system focuses on two major areas: denial of control and denial of view. "If it's one or the other, it's bad. If it's both, it's pretty terrible," Caltagirone said.
While ICS organizations face many challenges, Miller said he is optimistic in security moving forward.
"I would say, about five years ago, it was largely, 'Well, I'm not being targeted so I don't have to worry about it,' but as the systems have become more interconnected and you see the digital conversion of these systems, they are asking those questions, bringing in more individuals across their organizations."
While challenges remain, Miller is optimistic that securing against ICS attacks is attainable.
"Being able to put one block in their way reverts them back on that timeframe [three to five years] a couple tweaks adds another two years," he said. "We can defend these systems, it just takes some work and investment."