As cyberthreats continue to increase across Europe, there is a need to enhance the cyber posture of organisations across industries. Magpie Graham, Adversary Hunting Technical Director, Dragos, tells Intelligent CISO’s Jess Abell about the gaps in the OT landscape and how organisations can strengthen their defences by enhancing visibility and patching.
Can you introduce us to the European Industrial Infrastructure Cyber Threat Perspective – when was this research carried out and what did it set out to achieve?
The research is a culmination of several weeks of analysis looking back at the risks to organisations and activities in the last year, as well as outlining expected future actions by adversaries.
The report set out to address the continued lack of visibility into the networks, which is an initial step for most organisations on their journey to a healthy defensive cyber posture. It illustrates the interlinked nature of organisations and provides a forward-looking approach that determines which organisations or verticals are most at risk from the threats we’ve observed previously, especially given the current world events.
Dragos has assessed with ‘high confidence’ that adversaries pose a threat to European industrial infrastructure presently and into the next 12 months. Can you outline the reasons that contributed to this conclusion?
We have observed an increase in the desire for adversaries to be prepositioned wherein the intent isn’t concrete, but the opportunities they could have if something were to arise, is a significant motivator. Even if their end goal isn’t clear, this increases the chances of several organisations being attacked. In the OT space, there are chances of disruptive or destructive attacks down the line. In addition, there are non-targeted or opportunistic attacks which are majorly financially driven, which might have led to this increase in motivation for the adversaries.
As Europe is a central hub for numerous manufacturing and other industrial-focused organisations, the knowledge of the OT landscape is growing from the perspective of the adversary. They understand the configuration of the space and how to disrupt it. However, this is increasing in parallel with our understanding of the defensive posture against the adversary.
When we research and create such reports, we have the opportunity to stay ahead and maintain a bastion of defensive posture against the adversary. When you combine the intent alongside the sheer number of organisations that rely on OT networks in Europe across sectors, it is evident that there will be an increase in the likelihood of attacks. The investment in key sectors in Europe is growing, and the opportunity [for attackers] to profit financially is bound to increase.
How much of a threat is ransomware to Information Technology (IT) and Operational Technology (OT) environments?
Ransomware is a considerable threat to industrial processes. We’ve observed that when an IT network gets hit, there is an immediate step towards stopping the spread of ransomware into the clean areas of the network. However, there often isn’t a response plan for the OT side that caters for this type of incident.
Most operators turn off the OT business as a safeguard but this isn’t always necessary and can massively disrupt the business, potentially harming specific industries. Additionally, there isn’t visibility into the network to determine whether the ransomware has made it onto specific controllers to see whether changes have been made to the configuration.
As plans aren’t in place, we end up plunging ourselves into the darkness with no way to tell whether it is safe to turn things back on. Furthermore, this lack of proper plans and run-throughs of protocols can prolong an OT environment’s restart long after the IT network has been brought back online and the machines [computers] rebuilt.
What does Dragos identify as the biggest cybersecurity weaknesses that European asset owners currently face?
The most prominent cybersecurity weaknesses currently are visibility and Incident Response (IR) planning. We recommend specific steps to reduce these weaknesses. Firstly, having a secure and defensible architecture is a must but not always possible as many networks have been running for decades and we can’t re-engineer the way they’ve been put together. Secondly, having visibility into what you have and what’s going on in the network to look for threats and help detect suspicious or malicious activity to respond to it appropriately. Lastly, there is a skill gap wherein more skill maturity is required, especially for in-house expertise.
There is a need to adopt a more holistic approach. For example, IR planning is a weakness in parallel with the visibility problem as companies don’t know how to respond when something happens in the IT or OT environment.
Dragos highlighted targeted threats that focus on infiltrating and disrupting industrial control systems as posing the most cybersecurity risk to European Industrial Infrastructure.
Why is this and what can organisations do to protect against these types of attacks?
They are posing the most cybersecurity risk because of their motivations. There’s ample research that suggests that the specific entities hit are according to where the most money is to be made. However, in many cases, the intent can be to disrupt, which affects not just the industry but also the configuration of every individual site. It is critical to defend against such kinds of operations as we don’t want to respond to an incident where we’ve lost all control of the devices.
Disruption in the supply chain can be catastrophic to those in need; it is not just about the severity of the impact on a business but also on people living nearby and those who rely on it.
What are your recommendations to organisations in this sector on how they can obtain better visibility and defend against these threats?
Good initial steps of intrusion are very similar to defending an IP network from the perspective of patching. Even though it might not necessarily be at the forefront of people’s minds, a lot of initial access to the networks is through router devices, especially in remote working. As a result, there are numerous exploitable vulnerabilities against the initial networking infrastructure and this needs to be addressed.
In addition, vulnerability reporting and assessment will help defend against threats better. However, for roughly one-third of reported OT vulnerabilities, there is a difference between how Dragos would assess the severity compared to how other operators or vendors would, which changes the priority of the patching process.
Better visibility is the key to defending against threats. Logging is vital as it creates a historical record to regularly audit, especially when responding to an intrusion. On the network side, visibility again is critical as many things can be put in a network on both the IT and OT sides.
We are not going to have patches for legacy systems, but we can put additional safeguards in place and monitor some of the key directories where adversaries like to stage their tools or malware.
Which cybersecurity areas should organisations in this sector be prioritising looking ahead?
Organisations in this sector need to prioritise visibility as it is a step into doing something new and can take a lot of persuasion. However, there is ample evidence to show what the undesirable effects of the lack of security can do within an OT network. After visibility, patching is the next important step which includes looking at the devices and understanding the basics of the network, not just between routine IT networks but also what is directly accessible from the open Internet.
Furthermore, organisations need to invest in skills and people to up-skill their existing staff members. Finally, periodic reviews need to be in place and organisations need to get a good handle on the assets and the configuration of those assets. The playbook is very similar to that of the IT side but it tends to be forgotten on the OT side; this needs to be remedied.