While many cybersecurity vulnerabilities exist, top priority should be securing those that give adversaries the potential to weaponize operational technology.

Discussing the results from the 2022 Dragos annual Industrial Cybersecurity Year In Review during a virtual media briefing on Feb. 8, company CEO Robert M. Lee said oil and gas industry cybersecurity defenders should focus on securing critical risks.

The annual review, released on Feb. 14, indicated the new PIPEDREAM malware has the ability to affect tens of thousands of industrial devices controlling critical energy infrastructure, and reported an increase in attacks on the energy sector. In total, according to Dragos, ransomware attacks against industrial organizations increased 87% in 2022 over 2021; Dragos also investigated 27% more vulnerabilities in 2022 than in 2021.

When people are concerned about legacy equipment’s vulnerability and the possibility of opening the door to an operational technology (OT) breach, Lee said he asks whether replacing everything with all new and updated equipment would improve security.

“The IT security person generally wants to be like, yes, absolutely. But then you walk them through ‘what do we actually care about? What are the actual risks? What are the actual threats we see?’” it becomes easier to identify what should be the main priority, he said.

“We want to be really precise about the vulnerabilities,” Lee continued, “because a lot of them are not useful. A lot of vulnerabilities are not things that could even be weaponized by adversaries.”

For instance, he said, vulnerabilities without the ability to impact control and/or visibility are less critical than those that do.

“The way to look at risk is [what] we should take action on and how we take action on it,” Lee said.

Not all vulnerabilities need a patch, he added. Sometimes disabling the affected feature or service, or placing a firewall in front of the device, is enough to mitigate the risk, he said.

Classifying adversaries

Dragos classifies attack groups as ‘stage one adversaries’ if they are overtly trying to get into industrial networks but have not yet been successful, and as stage two if they have gotten into the industrial control networks and are stealing intellectual property, developing targets or taking potentially disruptive and destructive actions.

Of the groups that have been disruptive and destructive, there was typically a two- to four-year window during which they were getting familiar with industrial environments, Lee said.

“A lot of the groups that are stage one or groups that haven't even got into the industrial networks yet, a portion of them, a significant portion of them then graduate to those stage two actors, and a portion of those graduate to the ones that are actually doing disruptive and destructive effects,” he said.

Photo: Robert M. Lee, Dragos. (Source: Dragos)


On the other hand, Lee noted, Chernovite, the group behind the PIPEDREAM malware, emerged on the global stage already at stage two.

Chernovite is “a group that we weren't tracking. Nobody was tracking,” he said. “When they showed up, they were already a stage two actor capable of doing disruptive and destructive effects.”

In April 2022, Dragos and a partner announced the discovery of PIPEDREAM, a cross-industry industrial control system (ICS) attack framework built to disrupt infrastructure across multiple industries. It is, Lee said, the first malware that could be disruptive and destructive in multiple industries.

“You could put it in a data center, you could put it in a wind farm, you could put it in an oil and gas refinery, you could put it on an offshore rig, you could put it [in] targeting drones and the control system, aerial packages and servo motors,” he said. “It is the first time we've seen something disruptive or destructive that is cross-industry repeatable, scalable. You can load this thing up and go.”

Prevention and detection

Historically, cybersecurity efforts focused on prevention.

“We've been telling asset owners and operators to put all their resources into patching, password management, secure mode access, identity access management, et cetera,” he said.

And those who follow that guidance “are not doing anything wrong,” but they are probably spending less than 10% of their resources on detection, response and recovery, he said.

“We definitely need to be encouraging folks to do the detection response piece,” Lee said.

Dragos tracks vulnerabilities that add new functionalities into the industrial environment that previously didn’t exist, as well as vulnerabilities that are actively being exploited by adversaries, Lee said.

When it comes to addressing vulnerabilities, Dragos recommends the “Now, Next and Never” framework.

According to the report, the 2% of vulnerabilities that fell into the Now category in 2022 were perimeter-facing and network-exploitable. The Next category covers limited and possible threats: vulnerabilities that might be network-exploitable but require more work, access and knowledge for an adversary to exploit. Many of these could be mitigated through updated firewall rules, according to the report.

In 2022, 95% of vulnerabilities fell into the Next category, and Lee said these can be dealt with during scheduled maintenance periods. The remaining 3% fell into the Never category: they pose a possible threat but rarely require action or prioritization, and the report said they should at minimum be monitored rather than ignored.
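To make the Now/Next/Never triage concrete, the following added example (not Dragos code, and not taken from the report) sorts a batch of constructed OT vulnerability records into the three buckets using the criteria the article describes: perimeter exposure, network exploitability, whether the flaw can affect control or view of the process, and whether it is being actively exploited. The record fields, the exact decision rules, the sample records and the suggested actions are all assumptions made for illustration; they are not Dragos' published per-advisory assessments.

```python
# Added example: Now / Next / Never triage over constructed OT vulnerability records.
# The OTVuln fields, the rules in triage(), and SAMPLE are assumptions for
# illustration, not Dragos tooling or data.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class OTVuln:
    vuln_id: str               # constructed label, not a real advisory or CVE ID
    network_exploitable: bool  # reachable over a network path at all
    perimeter_facing: bool     # exposed at the internet or IT/OT boundary
    loss_of_control: bool      # adversary could change the physical process
    loss_of_view: bool         # adversary could blind operators/HMIs to process state
    actively_exploited: bool   # observed in use by adversaries


BUCKET_ORDER = {"Now": 0, "Next": 1, "Never": 2}


def triage(v: OTVuln) -> str:
    """Assign one record to 'Now', 'Next' or 'Never' (assumed rules)."""
    impact = v.loss_of_control or v.loss_of_view
    # Now: reachable from the perimeter and able to produce an operational
    # effect, or already being exploited regardless of exposure.
    if v.actively_exploited or (v.perimeter_facing and v.network_exploitable and impact):
        return "Now"
    # Next: network-exploitable with control/view impact, but the adversary
    # needs more access, work or knowledge first (not perimeter-facing).
    if v.network_exploitable and impact:
        return "Next"
    # Never: no credible path to control or view impact. Tracked, not ignored.
    return "Never"


def recommended_action(v: OTVuln) -> str:
    """Map a bucket to the kind of action the article describes (assumed wording)."""
    bucket = triage(v)
    if bucket == "Now":
        # Cut reachability today (firewall rule / disable the exposed service),
        # then patch outside the normal maintenance cycle.
        return "block reachability now; patch out of cycle"
    if bucket == "Next":
        # A firewall rule buys time; the patch waits for a maintenance window.
        return "add firewall rule; patch at next maintenance window"
    return "no patch required; keep in inventory and monitor for exploitation"


def prioritize(vulns):
    """Return (id, bucket, action) tuples ordered Now -> Next -> Never (stable)."""
    rows = [(v.vuln_id, triage(v), recommended_action(v)) for v in vulns]
    return sorted(rows, key=lambda r: BUCKET_ORDER[r[1]])


def bucket_counts(vulns) -> dict:
    """Count records per bucket, the same shape as the report's 2% / 95% / 3% split."""
    return dict(Counter(triage(v) for v in vulns))


# Constructed sample records (not real advisories).
SAMPLE = [
    # Internet-reachable engineering service that can write setpoints: Now.
    OTVuln("V-1", network_exploitable=True, perimeter_facing=True,
           loss_of_control=True, loss_of_view=False, actively_exploited=False),
    # Deep inside the control network, but adversaries are already using it: Now.
    OTVuln("V-2", network_exploitable=True, perimeter_facing=False,
           loss_of_control=False, loss_of_view=True, actively_exploited=True),
    # Network-exploitable HMI bug that blinds operators, only from inside: Next.
    OTVuln("V-3", network_exploitable=True, perimeter_facing=False,
           loss_of_control=False, loss_of_view=True, actively_exploited=False),
    # Network-reachable but cannot touch control or view (e.g. info leak): Never.
    OTVuln("V-4", network_exploitable=True, perimeter_facing=False,
           loss_of_control=False, loss_of_view=False, actively_exploited=False),
    # Needs local/physical access to the device, no network path: Never.
    OTVuln("V-5", network_exploitable=False, perimeter_facing=False,
           loss_of_control=True, loss_of_view=False, actively_exploited=False),
]


if __name__ == "__main__":
    for vid, bucket, action in prioritize(SAMPLE):
        print(f"{vid}: {bucket:5} -> {action}")
    print(bucket_counts(SAMPLE))
```

The "Never" branch deliberately still returns an action: the report's point is that these are monitored rather than dropped, so a triage script should keep them in the inventory rather than filter them out.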

Ransomware

Dragos reported an 87% increase in ransomware attacks in 2022 over 2021, with the manufacturing sector targeted in 72% of attacks.

“They're definitely going after manufacturing a heck of a lot more than electric and oil and gas,” Lee said.

Chart: Ransomware by sector. 72% of all 2022 ransomware attacks Dragos tracked targeted 437 manufacturing entities in 104 unique manufacturing subsectors. By industry, 9% of attacks targeted food and beverage, 5% the energy sector, 4% pharmaceuticals and 3% oil and natural gas. Within manufacturing, 10% of victims were in metal products, 9% in automotive, 6% in electronics and semiconductors, 5.7% in building materials, 5.5% in industrial equipment and supplies, and 5% in plastics. (Source: Dragos Industrial Cybersecurity Year In Review 2022)

And with that spike in attacks, Lee is seeing more manufacturers paying ransoms. Whether to pay is not a clear-cut decision, he said, but he advocates not paying when possible.

Some groups, for instance, will actually return data in exchange for the ransom; others will not.

“One of the things that's very common during ransomware cases is you'll work with the insurance companies that have brokers and those brokers will end up knowing and tracking the different groups and saying, ‘Hey, we've had experience with this group, you can pay them,’ or ‘We’ve had experience with this group, it doesn’t matter to pay them,’” Lee said.