Organizations often make the mistake of worrying about the one thing they can’t control: whether hackers would want to target them. The short answer is yes, all organizations are a good target and should think of themselves as such. This is especially true of organizations that run operational technology (OT) and industrial control systems (ICS). As threats evolve incorporating powerful new capabilities, like the newly discovered PIPEDREAM malware developed by the CHERNOVITE threat group, organizations must realize that the time to be ready is now. But what exactly does that mean?
Vice President for Europe and Africa, at Dragos.
The threat landscape is evolving
The threat landscape is changing, rapidly, especially when it comes to OT environments. According to the annual Dragos Year in Review 2022, ransomware attacks against industrial organizations increased 87% over the previous year. The current geopolitical landscape (and subsequent increase in attacks against OT environments) has made many industrial organizations sit up and take notice of the idea of an attack. Perhaps ironically, it's more crucial than ever that organizations don’t panic. Panic only leads to mistakes and confusion.
Previously, industrial environments were largely heterogeneous. Every system was unique, contained completely different technology stacks and was only known inside out by a handful of people who worked at a plant more or less their entire careers. For adversaries, this meant that everything they built to attack industrial organizations had to be custom. Each attack was costly and high risk, with little scalability.
As technology has evolved, we’re moving towards more homogeneous and connected systems, cutting costs for businesses and gaining efficiencies by making it easier to maintain technology across multiple locations. Not to oversimply it, but there’s a trend towards ‘cookie cutter’ tech stacks across factories. OT environments have become largely standardized and easier for anyone to research and understand. For a threat actor with basic understanding of this technology, it means that attacks are now repeatable and scalable, with potentially huge economic impact.
One of the most significant discoveries we’ve made regarding the evolution of threats to industrial environments is the threat group CHERNOVITE and its malware PIPEDREAM. CHERNOVITE has the capability to operate across both IT and OT networks, but its malware has been developed specifically for use against OT technology. What makes PIPEDREAM truly unique is the fact that it is reusable, scalable, and can be used across industries. It must be noted that we have not yet seen it successfully deployed—and that’s significant, because it means the industrial community is in the rare position of being able to prepare for a threat before an attack.
Given the length of time that industrial systems last, we also need to prepare for future evolutions. In four to five years, we expect to cross a line where malware can (and will) be used across industries at any and all times. There will be less time to recover and learn from attacks and state actors will become more persistently engaged. Fortunately, we, as security leaders and defenders of OT environments, have an advantage: community.
Approaching OT security with a community focus
In the case of OT security, it really does take a village. The community is constantly winning against adversaries, with attacks being stopped every day, but we just don’t hear about it a lot. The ability to stop attacks effectively comes from an accumulation of knowledge and building strong defenses. What we often lose sight of is the fact that the adversary is fallible.
With environments becoming increasingly more similar, there’s an opportunity to share knowledge and learn from one another, as we discover threats and especially after an attack. Sharing across industries and the wider community is important because it pressures adversaries to have to constantly keep up. In this way, the defence side has an opportunity to stay one step ahead. However, when something does go wrong, it’s crucial we know why it happened. Root cause analysis can be incredibly insightful to stop something from happening again.
Forecasting the future of the industry
It is unwise to ‘predict’ when it comes to OT security. Instead, it is better to forecast, as this is a time-based prediction. There is often a lot of confusion around what might happen in the future and we’re often focusing on and overanalyzing the wrong things. For instance, zero-trust is problematic and unrealistic in OT environments. Likewise, vulnerabilities in legacy systems have long come under scrutiny, but they are not being successfully exploited in ICS attacks. Similarly, it is plainly untrue to say that environments are “insecure by design.”. We must shift our focus towards what we can know and control: the present.
To protect any environment, it’s important to know your environment. The Dragos annual Year in Review 2022 report found that 80% of organizations had extremely limited/no visibility into their OT environment. This is, however, an improvement on findings in 2021 (86%) and 2020 (90%). By understanding what you have in your environment, you can understand and prioritize the best approach to fixing any vulnerabilities. If you fix the things you find, you will eventually find unknowns – and people are always worried about the unknowns. Only if you know your environment can you forecast. Defense is doable, without panic. It is imperative to understand your environment to build operational resilience.
Defensible architecture must add value and understanding to an environment, which is why it’s pointless to act without knowing what you need to secure. By focusing on these ‘knowns’ you can prepare to adapt with ease to the unknowns. A strong approach to operational resilience consists of visibility, detection, and response. Sharing any vulnerabilities found with the wider community can make this process smoother for everyone. This approach is good not only for state actors, but also for the far more frequent and likely threats: accidents.
The time is now
It cannot be stated enough that in order to build strong operational resilience we cannot fall victim to the hype that surrounds “the future.” Yes, the thought of a threat group like CHERNOVITE is concerning; however, if you’ve followed OT cybersecurity best-practices and built strong operational resilience, you have prepared for PIPEDREAM. By making sure systems are kept up to date, scanned often, and patched when necessary; ensuring that you have good visibility to detect threats and a solid incident response plan; all while also learning from the wider community, you are doing what you can to stay ahead of these advanced adversaries.
