krunja - stock.adobe.com

Visibility and proactive stance needed to secure OT systems

Critical infrastructure operators need to have more visibility into their IT and operational technology environment, and take a more active stance to fend off sophisticated adversaries, expert says

Operators of critical infrastructure are still not investing enough in capabilities to gain visibility into their IT and operational technology (OT) systems, putting them at risk of falling prey to increasingly sophisticated adversaries, according to an industry expert.

Speaking at the Operational Technology Cybersecurity Expert Panel (OTCEP) Forum in Singapore, Robert Lee, CEO and co-founder of Dragos, an industrial cyber security specialist, said one of his biggest concerns is that OT operators are still unable to tell if a plant outage was caused by a cyber attack.

“If we’re not getting the visibility in our environments to understand what’s happening, then you don’t know if the plant tripped and went down, or if it was a cyber attack,” said Lee, adding that plant outages are often not cyber-related.

While some OT operators may claim their chances of being attacked are slim, they do not get to choose if they are a good target or not in the face of increasingly sophisticated threats that target a swathe of industrial control systems (ICS), he noted.

These threats, which can cause physical disruptions to more than one plant on a site and beyond a single industry, were hard to create in the past. But amid the race toward digital transformation and hyperconnectivity, OT operators are using more homogenous systems and common designs to the benefit of threat actors, said Lee.

“We’ve seen adversary capabilities before that have used native ICS protocols like Modbus TCP and OPC [Open Platform Communications] in different industries,” he said. “We’ve seen adversaries go after safety systems before. We’ve also seen a lot of issues where there are common software libraries.”

In January 2022, Dragos got a call from an undisclosed partner that spotted an attack framework which matched what Lee had described. The company started analysing it together with the US intelligence community, including the National Security Agency, and mapped out the framework prior to its deployment on potential targets.

Pipedream

That framework is now known as Pipedream, a modular ICS attack framework that an adversary could use to cause disruption, degradation – and possibly even destruction depending on targets and the environment. It was developed by a threat group called Chernovite.

What is interesting about Pipedream, said Lee, is that it is not a single malware, but a collection of different capabilities that can be leveraged at different sites, including enterprise IT networks connected to OT systems.

“It’s worth noting that Chernovite should be considered an effects team that gets called in to do the disruptive effects,” he said, adding that access teams would have paved the way for effects teams to enter OT systems by compromising IT networks in a variety of ways.

Lee said the whole operation can take place over a period of time in what he described as “long term stealthy operations”.

“A lot of people associate cyber attacks with something that happens quickly,” he said. “In reality, very often, especially in OT, an adversary ends up being in your environment for months, if not years, before the attack happens.

“And so, it’s very important not just to rely on preventing attacks – and that’s why we talk about things like detection and hunting, and trying to root out adversaries that are already there. Because by the time the lights are out, you’ve missed the boat. We want to make sure we’re looking far ahead of that.”

Read more about cyber security in APAC

Lee called for organisations to understand their systems and how they are configured, because the adversary has to learn a targeted environment to be effective.

Pipedream, for instance, paid attention to common communications protocols such as OPC, used in different ICS systems and learned from the OPC malware module that was deployed in the 2016 attack against Ukraine’s power grid, he said.

“But that OPC module was kind of flawed – it worked but it was pretty sloppy,” said Lee. “And whoever was behind Pipedream obviously saw it, studied it and enhanced it.”

Against sophisticated threat actors, he said OT operators that try to look for indicators of compromise are inherently missing the point. “Indicators are irrelevant, because adversaries get those options, and they will choose and do what they need. If you’re just looking for the digital hashes or whatever software packages, you will miss it,” he said.

Instead, Lee called for OT operators to focus on tactics, techniques and procedures, and ask themselves if they are able to tell if somebody is using the OPC protocol in their environment in an unusual way, for example. Taking a proactive rather than reactive stance will enable OT communities to be more resilient against security threats, he said.

Lee is a member of Singapore’s OTCEP, which was set up in 2020 to share insights on handling cyber security incidents and recommend practices to address cyber security challenges and gaps for Singapore’s OT sector.

He also serves on the US Department of Energy’s electricity advisory committee and is a member of the World Economic Forum’s subcommittees on cyber resilience for the oil and gas and electricity communities.

Read more on Hackers and cybercrime prevention