Protecting Critical Infrastructure: Insights from the Dragos ICS & OT Year in Review for 2022
One of the sessions I attended at the RSA Conference was "The Industrial Cyberthreat Landscape: Year in Review Report with Updates." The speaker was Robert Lee, CEO and Founder of Dragos, Inc. Robert Lee is a well-known cybersecurity expert, and his company, Dragos, specializes in industrial control system (ICS) security. The Dragos ICS & OT Year in Review for 2022 is a comprehensive report on the state of ICS cybersecurity, focusing on the threats and trends in the previous year. He covered the highlights of the report during his talk.
It's a common misconception that industrial control systems (ICS) or operational technology (OT) environments are completely isolated and protected by an "air gap" from the internet and other external networks. However, the reality is that ICS and OT systems are often highly connected, with vendors and other third-party suppliers accessing them through various methods. This makes them vulnerable to cyber threats, including malware, ransomware, and other attacks. In order to mitigate these risks, it's important to implement a strong remote connection capability that allows authorized users to access the system securely from remote locations. This can include measures such as two-factor authentication, encryption, and monitoring for suspicious activity. By taking these steps, organizations can improve their ICS cybersecurity posture and better protect their critical infrastructure.
According to Mr. Lee, vulnerabilities in operational technology (OT) environments are on the rise, and many vulnerability advisories contain errors that are not actionable. With so many vulnerabilities to address, it can be challenging to prioritize which ones to focus on first. Mr. Lee recommended focusing on addressing the top 2% of vulnerabilities; he views this as an effective vulnerability management strategy. It's important to focus on vulnerabilities that pose the greatest risk to the organization, considering factors such as the likelihood of exploitation and the potential impact on critical systems and infrastructure. While I agree with prioritizing vulnerabilities, I have concerns that following this approach might lead people to focus on only high-severity vulnerabilities, neglecting potentially less severe vulnerabilities that might be exploited in the future. It's important to remember that we don't have a crystal ball and cannot predict which vulnerabilities will be exploited in the future.
Mr. Lee recommended that the Active Directory (AD) used for operational technology (OT) environments should be kept separate and not connected to the AD used for IT. This is because threat actors often use AD as a tool for lateral movement around an organization. By keeping the AD for OT separate, organizations can limit the potential for an attacker to move from IT systems to OT systems through AD. Additionally, separate ADs can help minimize the risk of accidental changes or updates to OT systems by IT staff who may not be familiar with the specific requirements of these critical systems.
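One way to check that this separation actually holds is to audit logon records on OT hosts for credentials from the IT domain. The script below is an added example, not from the talk or the Dragos report; the domain names, subnets, jump-host address and log layout are all constructed assumptions, and it also flags sessions that reach OT hosts without passing through the controlled remote-access host.

```python
"""Audit logon records for IT-domain credentials used on OT hosts (added example)."""
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions for illustration: replace with your own zone definitions.
OT_DOMAIN = "OTCORP"                      # dedicated OT Active Directory domain
OT_SUBNETS = [ip_network("10.50.0.0/16")]  # OT network zone
JUMP_HOSTS = {ip_address("10.40.0.10")}    # brokered remote-access host in the DMZ

# Constructed sample of an authentication log export.
SAMPLE_LOG = """\
time,account_domain,account,source_ip,dest_ip,logon_type
2022-11-02T08:01:11Z,OTCORP,hmi-operator1,10.50.1.20,10.50.2.5,interactive
2022-11-02T08:14:52Z,CORP,jsmith,10.10.4.33,10.50.2.5,remote
2022-11-02T09:30:05Z,OTCORP,vendor-eng,10.40.0.10,10.50.3.9,remote
2022-11-02T09:41:40Z,CORP,svc-backup,10.40.0.10,10.50.3.9,network
2022-11-02T10:02:17Z,CORP,jsmith,10.10.4.33,10.10.9.1,remote
2022-11-02T11:20:00Z,OTCORP,eng2,10.10.7.7,10.50.2.5,remote
"""

def in_ot(ip):
    """True when the address belongs to an OT subnet."""
    return any(ip in net for net in OT_SUBNETS)

def audit(log_text):
    """Return (time, account, dest, reasons) for logons that break the separation."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        src, dst = ip_address(row["source_ip"]), ip_address(row["dest_ip"])
        if not in_ot(dst):
            continue  # only logons that land on OT hosts matter here
        reasons = []
        if row["account_domain"].upper() != OT_DOMAIN:
            reasons.append("non-OT domain credential accepted on OT host")
        if not in_ot(src) and src not in JUMP_HOSTS:
            reasons.append("source outside OT zone bypasses jump host")
        if reasons:
            account = row["account_domain"] + "\\" + row["account"]
            findings.append((row["time"], account, str(dst), reasons))
    return findings

if __name__ == "__main__":
    for time, account, dest, reasons in audit(SAMPLE_LOG):
        print(f"{time} {account} -> {dest}: {'; '.join(reasons)}")
```

Any finding of the first kind means an OT host trusts the IT directory, which is the lateral-movement path the separation is meant to remove.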
Mr. Lee highlighted several concerning trends in the OT security landscape. With many essential systems and services relying on OT environments, any disruption caused by a cyber-attack can have serious consequences. Ransomware attacks targeting OT systems increased last year, indicating that attackers are increasingly targeting these environments. Additionally, the widespread use of CODESYS in ICS systems makes it a common target for threat actors, with 46% of attacks utilizing it in their tactics, techniques, and procedures (TTPs). The Xenotime threat actor developed the first malware specifically designed to target the safety systems that protect human life. Their recent focus on Ukraine suggests potential ties to Russia and that these attacks may have broader geopolitical motivations beyond just financial gain. Taken together, these trends underscore the critical importance of implementing robust security measures to protect OT environments and safeguard critical infrastructure.
During his presentation, Mr. Lee offered several recommendations to help organizations better secure their OT environments. These include:
- Keeping OT AD separate from IT AD
- Letting executives make risk-acceptance decisions
- Improving OT network visibility
- Implementing network segmentation
- Implementing controlled remote connections
- Implementing stricter credential controls
- Implementing SANS five critical controls for ICS/OT, including:
  - Developing an ICS Incident Response Plan
  - Establishing a Defensible Architecture
  - Implementing ICS Network Monitoring and Visibility
  - Ensuring Secure Remote Access
  - Conducting Risk-based Vulnerability Management
By following these recommendations, organizations can take a proactive approach to OT security, reducing the risk of cyber-attacks and protecting critical infrastructure.
Resources
Dragos ICS & OT Year in Review for 2022
The Five ICS Cybersecurity Critical Controls
Cybersecurity Alerts & Advisories