{"id":35556,"date":"2023-02-14T11:23:24","date_gmt":"2023-02-14T16:23:24","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=527279"},"modified":"2023-02-16T10:33:40","modified_gmt":"2023-02-16T15:33:40","slug":"few-companies-have-visibility-into-their-ics-ot-networks-report","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/few-companies-have-visibility-into-their-ics-ot-networks-report\/","title":{"rendered":"Few companies have visibility into their ICS\/OT networks: Report"},"content":{"rendered":"<p data-ar-index=\"0\">The U.S. came dangerously close to suffering a major cyber attack on its energy infrastructure last year, says the head of a cybersecurity company that focuses on risks to operational technology (OT) systems such as industrial control systems (ICS).<\/p>\n<p data-ar-index=\"1\">The discovery of malware dubbed Pipedream by Dragos Inc. and U.S. cyber agencies was \u201cthe closest we\u2019ve ever been to having U.S. infrastructure go off-line,\u201d said company CEO Robert Lee.<\/p>\n<p data-ar-index=\"2\">\u201cI don\u2019t think people realized how close it was to happening.\u201d<\/p>\n<p data-ar-index=\"3\">He made the comment to reporters in a briefing before Dragos released <a href=\"https:\/\/www.dragos.com\/year-in-review\/\" rel=\"noopener\">its annual year-in-review report on Tuesday<\/a>.<\/p>\n<p data-ar-index=\"4\">The report highlighted problems with network visibility in ICS\/OT networks, an increase in ransomware attacks on industrial firms, and problems with identifying the seriousness of vulnerabilities in ICS\/OT devices.<\/p>\n<p data-ar-index=\"5\">Pipedream was created by a new nation-state group dubbed Chernovite. 
<a href=\"https:\/\/www.itworldcanada.com\/article\/threat-actors-have-new-tools-for-attacking-ics-scada-devices-say-us-cyber-agencies\/480223\" rel=\"noopener\">Its existence was publicized last April<\/a>, but Lee said its significance was missed by news media, who focused on the malware\u2019s ability to target programmable logic controllers [PLCs] from Schneider Electric and Omron, and on the fact that it appeared to initially target electricity and liquid natural gas plants in the U.S.<\/p>\n<p data-ar-index=\"6\">\u201cThat was just their initial set of targets,\u201d Lee said. \u201cThis thing can work anywhere. This is a state-level, war-time capability\u201d to bring down infrastructure.<\/p>\n<p data-ar-index=\"7\">\u201cOne of the things that makes Pipedream truly unique is that this is the first time ever that we\u2019ve had a set of malware that can be disruptive or destructive in industrial control environments across [any] industry.\u201d Until now, he said, ICS\/OT malware was created for particular environments \u2014 what worked against a power distributor wouldn\u2019t work in a factory, for example.<\/p>\n<p data-ar-index=\"8\">\u201cYou could put it in a data centre, you could put it in a wind farm, you could put it in an oil and gas refinery, you could have it targeting drones \u2026 \u201d<\/p>\n<p data-ar-index=\"9\">While Pipedream had been installed in an unnamed system, Lee said, for some reason \u201cthey [Chernovite] weren\u2019t ready to pull the trigger. They were getting very close.\u201d<\/p>\n<h4 data-ar-index=\"10\"><a href=\"https:\/\/www.itworldcanada.com\/article\/canada-should-follow-u-s-program-to-scrutinize-ics-in-electric-utilities-expert\/446465\" rel=\"noopener\">Related content: Canada should follow US scrutiny of electric utilities<\/a><\/h4>\n<p data-ar-index=\"11\">The revelation of Pipedream gave industrial\/critical infrastructure firms time to comb their systems for evidence of the malware. 
\u201cThere\u2019s no fixing this,\u201d Lee said. \u201cNo vulnerabilities that, if you patch them, you\u2019ll be fine.\u201d<\/p>\n<p data-ar-index=\"12\">Chernovite is still working on Pipedream, he warned, predicting the malware will eventually be deployed on some victim\u2019s network.<\/p>\n<p data-ar-index=\"13\">Industrial firms \u201cbetter have a detection and response program,\u201d he added. \u201cYou have a zero per cent chance of being successful against this adversary and this capability if you\u2019re just relying on prevention. You must be doing detection and response.\u201d<\/p>\n<p data-ar-index=\"14\">The discovery of Pipedream and what the company called its \u201cbreakthrough escalation in capabilities\u201d was one of the important events in the ICS\/OT community last year, the Dragos report says.<\/p>\n<p data-ar-index=\"15\">A theme runs throughout the report: while the industrial sector is getting better at preparing for a cyber attack, it has a long way to go.<\/p>\n<p data-ar-index=\"16\">One of the biggest problems: Few companies have visibility into their ICS\/OT networks.<\/p>\n<p data-ar-index=\"17\">Eighty per cent of Dragos\u2019 customers have only limited network visibility, Lee said, which is \u201cwhy we\u2019re still finding some scary things.\u201d And, he added, his company\u2019s clients are usually firms that have a mature cybersecurity strategy.<\/p>\n<p data-ar-index=\"18\">\u201cIf you have limited or no visibility, you can\u2019t detect anything in your OT environment,\u201d he said.<\/p>\n<p data-ar-index=\"19\">Other problems are poor security perimeters, remote and exposed connections to the OT environment, and shared IT and OT credentials in Active Directory. 
\u201cWe see a ton of that\u201d in ransomware attacks Dragos investigates, Lee said, where a hacker targets the IT network and pushes ransomware out through an Active Directory domain controller, from which it then spreads through the OT network.<\/p>\n<p data-ar-index=\"20\">Among the report\u2019s highlights:<\/p>\n<p data-ar-index=\"21\">\u2014 ransomware attacks on industrial infrastructure organizations nearly doubled in 2022 compared to the previous year. Of those, over 70 per cent focused on manufacturers;<\/p>\n<p data-ar-index=\"22\">\u2014 ICS\/OT vulnerabilities increased 27 per cent compared to 2021. However, Lee complained that few vulnerability advisories from vendors offer a mitigation as well as a patch. Sometimes a mitigation \u2014 like disconnecting a device from the internet \u2014 is faster than installing a patch, he said.<\/p>\n<p data-ar-index=\"23\">The report also complains that 33 per cent of ICS-related vulnerability advisories last year had errors that could mislead IT practitioners who use CVSS scores to triage mitigations or patching.<\/p>\n<p data-ar-index=\"24\">For that reason, Lee also maintained that only half of ICS\/OT vulnerabilities are serious \u2014 ones that would result in loss of control of a system or loss of network visibility. And of those, only two per cent \u2014 ones whose devices are perimeter-facing and easily exploitable, whose vulnerabilities are actively being exploited, or that add net new functionality in the industrial environment (i.e., letting an attacker do something otherwise impossible, such as modifying the logic on a safety system) \u2014 need to be patched immediately. IT\/OT teams should focus on these, leaving them free to do things other than vulnerability management, Lee argued.<\/p>\n<p data-ar-index=\"25\">Of the rest of the vulnerabilities, 68 per cent can be mitigated by updating firewall rules and waiting until the next scheduled maintenance period to install patches. 
The remaining 30 per cent may never need to be patched, depending on a risk assessment.<\/p>\n<p data-ar-index=\"26\">Dragos tracks 20 threat groups that go after industrial control systems. Of those, only eight were active during 2022. The company ranks these groups in terms of their activity: Stage One groups can infiltrate IT networks and are trying to get into OT networks, while Stage Two groups can get into OT networks and are stealing information that could be useful in disruptive or destructive attacks.<\/p>\n<p data-ar-index=\"27\">Chernovite was one of two groups Dragos discovered last year. It calls the other Bentonite. It targets the oil and natural gas sector, taking advantage of opportunities, such as poorly protected internet-facing remote connectivity, to slip into networks.<\/p>\n<p data-ar-index=\"28\">So far Bentonite hasn\u2019t gotten into OT networks. But, Dragos warns, when it gets into IT networks it establishes long-term persistence. Its malware has data-wiping capability. 
\u201cThey\u2019re smart, they\u2019re stealing the right info,\u201d said Lee.<\/p>\n<p data-ar-index=\"29\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/few-companies-have-visibility-into-their-ics-ot-networks-report\/527279\">Few companies have visibility into their ICS\/OT networks: Report<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In its annual report Dragos says US came dangerously close last year to an energy-sector cy<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[21,381,16],"tags":[837,477,393,275],"class_list":["post-35556","post","type-post","status-publish","format-standard","hentry","category-emerging-tech","category-operations","category-security","tag-dragos","tag-industrial-control-systems","tag-security-strategies","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/35556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=35556"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/35556\/revisions"}],"predecessor-version":[{"id":35670,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/35556\/revisions\/35670"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=35556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.
com\/staging\/wp-json\/wp\/v2\/categories?post=35556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=35556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}