While many cybersecurity vulnerabilities exist, top priority should be securing those that give adversaries the potential to weaponize operational technology.
Discussing the results from the 2022 Dragos annual Industrial Cybersecurity Year In Review during a virtual media briefing on Feb. 8, company CEO Robert M. Lee said oil and gas industry cybersecurity defenders should focus on securing critical risks.
The annual review, released on Feb. 14, indicated the new PIPEDREAM malware has the ability to affect tens of thousands of industrial devices controlling critical energy infrastructure and reported an increase of attacks on the energy sector. In total, according to Dragos, ransomware attacks in 2022 against industrial organizations increased 87% since 2021; Dragos also investigated 27% more vulnerabilities in 2022 than in 2021.
When people are concerned about legacy equipment’s vulnerability and the possibility of opening the door to an operational technology (OT) breach, Lee said he asks whether replacing everything with all new and updated equipment would improve security.
“The IT security person generally wants to be like, yes, absolutely. But then you walk them through ‘what do we actually care about? What are the actual risks? What are the actual threats we see?’” it becomes easier to identify what should be the main priority, he said.
“We want to be really precise about the vulnerabilities,” Lee continued, “because a lot of them are not useful. A lot of vulnerabilities are not things that could even be weaponized by adversaries.”
For instance, he said, vulnerabilities without the ability to impact control and/or visibility are less critical than those that do.
“The way to look at risk is [what] we should take action on and how we take action on it,” Lee said.
Not all vulnerabilities need a patch, he added. Sometimes simply disabling the affected function or placing a firewall in front of it can mitigate the risk, he said.
Classifying adversaries
Dragos classifies attack groups as ‘stage one adversaries’ if they are overtly trying to get into industrial networks but have not yet been successful, and as stage two if they have gotten into the industrial control networks and are stealing intellectual property, developing targets or taking potentially disruptive and destructive actions.
Of the groups that have been disruptive and destructive, there was typically a two- to four-year window during which they were getting familiar with industrial environments, Lee said.
“A lot of the groups that are stage one or groups that haven't even got into the industrial networks yet, a portion of them, a significant portion of them then graduate to those stage two actors, and a portion of those graduate to the ones that are actually doing disruptive and destructive effects,” he said.
On the other hand, Lee noted, the group behind the PIPEDREAM malware emerged on the global stage as a stage two adversary.
Chernovite is “a group that we weren't tracking. Nobody was tracking,” he said. “When they showed up, they were already a stage two actor capable of doing disruptive and destructive effects.”
In April 2022, Dragos and a partner announced the discovery of the PIPEDREAM malware, which features a cross-industry industrial control system (ICS) attack framework intended to attack infrastructure across multiple industries. It is, Lee said, the first malware that could be disruptive and destructive in multiple industries.
“You could put it in a data center, you could put it in a wind farm, you could put it in an oil and gas refinery, you could put it on an offshore rig, you could put it [in] targeting drones and the control system, aerial packages and servo motors,” he said. “It is the first time we've seen something disruptive or destructive that is cross-industry repeatable, scalable. You can load this thing up and go.”
Prevention and detection
Historically, cybersecurity efforts focused on prevention.
“We've been telling asset owners and operators to put all their resources into patching, password management, secure mode access, identity access management, et cetera,” he said.
And those who follow the guidance “are not doing anything wrong” but are probably only spending less than 10% of their resources on detection, response and recovery, he said.
“We definitely need to be encouraging folks to do the detection response piece,” Lee said.
Dragos tracks vulnerabilities that add new functionalities into the industrial environment that previously didn’t exist, as well as vulnerabilities that are actively being exploited by adversaries, Lee said.
When it comes to addressing vulnerabilities, Dragos recommends the “Now, Next and Never” framework.
According to the report, the 2% of vulnerabilities in 2022 that fell into the Now category were perimeter-facing and network-exploitable. The Next category covers limited and possible threats that might be network-exploitable but require more work, access and knowledge for an adversary to exploit. Many vulnerabilities could be mitigated through updated firewall rules, according to the report.
In 2022, 95% of the vulnerabilities fell into the Next category, and Lee said these could be dealt with during maintenance periods. The 3% of vulnerabilities from 2022 in the Never category pose a possible threat but rarely require action or prioritization and should be monitored at minimum rather than be ignored, the report said.
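As an added illustration of the "Now, Next and Never" triage described above (example code written for this page, not Dragos's own tooling or scoring), the script below sorts a constructed inventory of OT vulnerabilities into the three buckets using the criteria the report gives: perimeter-facing and network-exploitable means Now, network-exploitable but needing more access means Next, everything else Never. The attribute names, the placeholder vulnerability ids, the rule that treats actively exploited findings as Now, and the ordering inside a bucket by loss-of-control or loss-of-view impact are all assumptions made for the example.

```python
"""Now / Next / Never triage for OT vulnerabilities.

Constructed illustration of the prioritisation described in the article.
Attribute names, the active-exploitation rule and the in-bucket ordering
are assumptions for this example, not Dragos's published method.
"""
from dataclasses import dataclass
from enum import Enum


class Priority(Enum):
    NOW = "Now"      # perimeter-facing and network-exploitable: act immediately
    NEXT = "Next"    # network-exploitable but needs more access/knowledge: next maintenance window
    NEVER = "Never"  # possible threat, rarely actionable: keep monitoring, do not ignore


@dataclass
class Vulnerability:
    vuln_id: str                      # constructed placeholder, not a real CVE id
    perimeter_facing: bool            # reachable from an external or IT-facing boundary
    network_exploitable: bool         # exploitable over the network at all
    impacts_control: bool             # could cause loss of control of the process
    impacts_visibility: bool          # could cause loss of view for operators
    actively_exploited: bool = False  # assumed flag: known adversary exploitation
    patch_available: bool = True


def triage(v: Vulnerability) -> Priority:
    """Assign a Now / Next / Never bucket from exposure attributes."""
    # Assumption: active exploitation is treated as Now regardless of exposure.
    if v.actively_exploited:
        return Priority.NOW
    if v.network_exploitable and v.perimeter_facing:
        return Priority.NOW
    if v.network_exploitable:
        return Priority.NEXT
    return Priority.NEVER


def recommended_action(v: Vulnerability) -> str:
    """Map the bucket to the kind of mitigation the article describes:
    not every vulnerability needs a patch; a firewall rule or disabling the
    affected function can reduce the risk."""
    p = triage(v)
    if p is Priority.NOW:
        return "patch now" if v.patch_available else "block at firewall / disable service now"
    if p is Priority.NEXT:
        return "restrict with firewall rules; patch in next maintenance window"
    return "monitor; no action scheduled"


def rank(vulns):
    """Order a list: Now first, then Next, then Never. Inside a bucket the
    findings that can cause loss of control or loss of view come first
    (assumed ordering, consistent with the article's emphasis on those)."""
    order = {Priority.NOW: 0, Priority.NEXT: 1, Priority.NEVER: 2}
    return sorted(
        vulns,
        key=lambda v: (
            order[triage(v)],
            not (v.impacts_control or v.impacts_visibility),
            v.vuln_id,
        ),
    )


def bucket_share(vulns):
    """Percentage of the inventory in each bucket, the shape of the
    report's 2% / 95% / 3% split."""
    total = len(vulns)
    if not total:
        return {}
    counts = {p: 0 for p in Priority}
    for v in vulns:
        counts[triage(v)] += 1
    return {p.value: round(100 * counts[p] / total) for p in Priority}


# Constructed sample inventory; ids are placeholders, not real identifiers.
SAMPLE = [
    Vulnerability("VULN-A", perimeter_facing=True, network_exploitable=True,
                  impacts_control=True, impacts_visibility=False),
    Vulnerability("VULN-B", perimeter_facing=False, network_exploitable=True,
                  impacts_control=False, impacts_visibility=True),
    Vulnerability("VULN-C", perimeter_facing=False, network_exploitable=False,
                  impacts_control=False, impacts_visibility=False),
    Vulnerability("VULN-D", perimeter_facing=False, network_exploitable=True,
                  impacts_control=False, impacts_visibility=False, patch_available=False),
    Vulnerability("VULN-E", perimeter_facing=False, network_exploitable=True,
                  impacts_control=True, impacts_visibility=True,
                  actively_exploited=True, patch_available=False),
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(v.vuln_id, triage(v).value, "->", recommended_action(v))
    print(bucket_share(SAMPLE))
```

Running the script lists the inventory in the order a defender would work it: the two Now items first, then the Next items (the one that can cause loss of view ahead of the one that cannot), and the Never item last with a monitor-only action. The Next bucket is where a firewall rule rather than an emergency patch is the right first move, matching the report's observation that many findings are mitigated by updated firewall rules.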
Ransomware
Dragos reported an 87% increase in ransomware attacks in 2022 over 2021, with the manufacturing sector targeted in 72% of attacks.
“They're definitely going after manufacturing a heck of a lot more than electric and oil and gas,” Lee said.
And with that spike in attacks, Lee is seeing more manufacturers paying ransom. Whether to pay is not a clear-cut decision, he said, but he advocates not paying when possible.
Some groups, for instance, are able to return data in exchange for the ransom, but some are not.
“One of the things that's very common during ransomware cases is you'll work with the insurance companies that have brokers and those brokers will end up knowing and tracking the different groups and saying, ‘Hey, we've had experience with this group, you can pay them,’ or ‘We’ve had experience with this group, it doesn’t matter to pay them,’” Lee said.