Last week Dragos CEO Robert M. Lee testified during the Senate Committee on Energy and Natural Resources’ Hearing to Examine Cybersecurity Vulnerabilities to the United States' Energy Infrastructure. He detailed the steps needed to address cybersecurity vulnerabilities with our nation’s critical energy infrastructure. (You can view the archive of the testimony here.)
We wanted more perspective, so we connected with Ben Miller, Dragos vice president of services. Take a look…
Smart Industry: What is the state of cybersecurity with domestic energy infrastructure? Is this getting better or worse as digital transformations mature and widen in application?
Ben: Within energy, there's been much done and there has been improvement. The challenge is that the infrastructure is changing too quickly and the adversaries are growing in some of their capabilities. The industry must continue to prioritize their critical OT environments and the government can and should help provide their perspective of the worst-case scenarios to better inform asset owners.
Smart Industry: What is the gist of Rob's testimony?
Ben: He testified about how the industrial cyber-threat landscape has shifted irreversibly this past year and the actions we must take to protect our national security and local communities. Rob discussed how both the private sector and government must step up to be more effective in countering strategic national threats by prioritizing what is working and stopping what's not. The industrial cyber-threat landscape has irreversibly shifted this past year with the emergence of PIPEDREAM, the first reusable cross-industry capability that can achieve disruptive or destructive effects on domestic ICS/OT equipment. Dragos identified PIPEDREAM in 2022, and at Thursday’s hearing, Rob's message was clear: it is necessary to prioritize OT/ICS networks with a focus on security controls that have demonstrated success against adversaries.
Smart Industry: Why is Dragos uniquely suited to add perspective here?
Ben: Dragos works with customers from across the globe, and their first question is almost always "Am I the only one who is behind the curve?" The reality is that energy and other industries are on a very long journey—energy is ahead of most—but there's constant change in technology and our understanding of the threats is continuing to improve. We must keep pushing forward. Dragos is the leading industrial cybersecurity-technology and services provider, focusing on operational technology (OT) and industrial control systems (ICS)—the specialized computers and networks that interact with the physical world, such as a control system that opens a circuit breaker on an electric substation or a gas turbine control system that generates electricity. They are what makes critical infrastructure critical.
Smart Industry: What are steps needed to shore up cybersecurity vulnerabilities with our energy networks?
Ben: The SANS Institute identified five critical controls for ICS/OT cybersecurity, and Dragos offer the following additional insight on how to implement these controls in your OT environments.
1. ICS incident-response plan
OT’s incident-and-response plan should be distinct from IT’s. OT involves different device types, communication protocols, different types of tactics, techniques, and procedures (TTPs) specific to the industrial threat groups. Investigation requires a different set of tools and languages. Managing the potential impact of an incident is different for pipelines, electrical grids, and manufacturing plants. Create a dedicated plan that includes the right points of contact, such as which employees have which skills inside which plant, and well thought-out next steps for specific scenarios at specific locations. Consider tabletop simulation exercises to test and improve response plans.
2. A defensible architecture
OT-security strategies often start with hardening the environment—removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high-risk vulnerabilities. Perhaps even more important than a secure architecture are the people and processes to maintain it. The resources and technical skills required to adapt to new vulnerabilities and threats should not be underestimated.
3. Visibility and monitoring
You can’t protect what you can’t see. A successful OT-security posture maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans), and actively monitors traffic for potential threats. Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture. Threat detection from monitoring allows for scaling and automation for large and complex networks. Additionally, monitoring can also easily identify vulnerabilities for action.
4. Secure remote access
Secure remote access is critical to OT environments. A key method, multi- factor authentication (MFA) is a rare case of a classic IT control that can be appropriately applied to OT. Implement MFA across your systems-of-systems to add an extra layer of security for a relatively small investment. Where MFA is not possible, consider alternate controls such as jumphosts with focused monitoring. The focus should be placed on connections in and out of the OT network and not on connections inside the network.
5. Risk-based vulnerability management
Knowing your vulnerabilities—and having a plan to manage them—is a critical component to a defensible architecture. More than 1,200 OT-specific vulnerabilities were released last year, the majority of them with incomplete or erroneous information. While patching an IT system like a worker’s laptop is relatively easy, shutting down a plant has huge costs. An effective OT-vulnerability-management program requires timely awareness of key vulnerabilities that apply to the environment, with correct information and risk ratings, as well as alternative mitigation strategies to minimize exposure while continuing to operate.
Smart Industry: What is encouraging about the fight on this front?
Ben: What's encouraging is that we have the attention of policy-makers and they are asking what we are and aren't doing well. We're asking questions and creating dialog rather than reacting. We're still in the early days and need to understand what is occurring within our critical OT/ICS environments and begin incorporating lessons learned from successful OT/ICS attacks.
