The U.S. came dangerously close to suffering a major cyber attack on its energy infrastructure last year, says the head of a cybersecurity company that focuses on risks to operational technology (OT) systems such as industrial control systems (ICS).
The discovery of malware dubbed Pipedream by Dragos Inc. and U.S. cyber agencies was “the closest we’ve ever been to having U.S. infrastructure go off-line,” said company CEO Robert Lee.
“I don’t think people realized how close it was to happening.”
He made the comment to reporters in a briefing before Dragos released its annual year-in-review report on Tuesday.
The report highlighted problems in network visibility in ICS/OT networks, an increase in ransomware attacks on industrial firms, and problems with identifying the seriousness of vulnerabilities in ICS/OT devices.
Pipedream was created by a new nation-state group dubbed Chernovite. Its existence was publicized last April, but Lee said its significance was missed by news media, who focused on the malware’s ability to target programmable logic controllers [PLC’s] from Schneider Electric and Omron, and that it appeared to initially target electricity and liquid natural gas plants in the U.S..
“That was just their initial set of targets,” Lee said. “This thing can work anywhere. This is a state-level, war-time capability” to bring down infrastructure.
“One of the things that makes Pipedream truly unique is that this is the first time ever that we’ve had a set of malware that can be disruptive or destructive in industrial control environments across [any] industry.” Until now, he said, ICS/OT malware was created for particular environments — what worked against a power distributor wouldn’t work in a factory, for example.
“You could put it in a data centre, you could put it in a wind farm, you could put it in an oil and gas refinery, you could have it targeting drones … ”
While Pipedream had been installed in an unnamed system, Lee said, for some reason “they [Chernovite] weren’t ready to pull the trigger. They were getting very close.”
Related content: Canada should follow US scrutiny of electric utilities
The revelation of Pipedream gave industrial/critical infrastructure firms time to comb their systems for evidence of the malware. “There’s no fixing this,” Lee said. “No vulnerabilities that, if you patch them, you’ll be fine.”
Chernovite is still working on Pipedream, he warned, predicting the malware will eventually be deployed on some victim’s network.
Industrial firms “better have a detection and response program,” he added. “You have a zero per cent chance of being successful against this adversary and this capability if you’re just relying on prevention. You must be doing detection and response.”
The discovery of Pipedream and what the company called its “breakthrough escalation in capabilities” was one of the important events in the ICS/OT community last year, the Dragos report says.
The report also highlighted a theme throughout the report: While the industrial sector is getting better at being prepared for a cyber attack, it has a long way to go.
One of the biggest problems: Few companies have visibility into their ICS/OT networks.
Eighty per cent of Dragos’ customers have only limited network visibility, Lee said, which is “why we’re still finding some scary things.” And, he added, his company’s clients are usually firms that have a mature cybersecurity strategy.
“If you have limited or no visibility, you can’t detect anything in your OT environment,” he said.
Other problems are poor security perimeters, remote and exposed connections to the OT environment, and shared IT and OT credentials in Active Directory. “We see a ton of that” in ransomware attacks Dragos investigates, Lee said, where a hacker targets the IT network, populates ransomware out through an Active Directory domain controller, which then spreads through the OT network.
Among the report’s highlights:
— ransomware attacks on industrial infrastructure organizations nearly doubled in 2022 compared to the previous year. Of those, over 70 per cent of ransomware attacks focus on manufacturers;
— ICS/OT vulnerabilities increased 27 per cent compared to 2021. However, Lee complained that few vulnerabilities reported by vendors offer mitigation as well as a patch. Sometimes a mitigation — like disconnecting a device from the internet — is faster than installing a patch, he said.
The report also complains that 33 per cent ICS-related vulnerability advisories last year had errors that could mislead IT practitioners who use CVSS scores to triage mitigations or patching.
For that reason, Lee also maintained that only half of ICS/OT vulnerabilities are serious — ones that would result in loss of control of a system or loss of network visibility. And of those, only two per cent — ones whose devices are perimeter-facing and easily exploitable, whose vulnerabilities are actively being exploited, or add net new functionality in the industrial environment (ie you couldn’t modify the logic on a safety system) — need to be patched immediately. IT/OT should focus on these, leaving them free to do other things than vulnerability management, Lee argued.
Of the rest of the vulnerabilities, 68 per cent can be mitigated by updating firewall rules and waiting until the next scheduled maintenance period to install patches. The remaining 30 per cent may never need to be patched, depending on a risk assessment.
Dragos tracks 20 threat groups that go after industrial control systems. Of those, only eight were active during 2022. The company ranks these groups in terms of their activity: Stage One groups can infiltrate IT networks and are trying to get into OT networks, while Stage Two groups can get into OT networks and are stealing information that could be useful in disruptive or destructive attacks.
Chernovite was one of two groups Dragos discovered last year. It calls the other Bentonite. It targets the oil and natural gas sector, taking advantage of opportunities, such as poorly protected internet-facing remote connectivity, to slip into networks.
So far Bentonite hasn’t gotten into OT networks. But, Dragos warns, when it gets into IT networks it establishes long-term persistence. Its malware has data-wiping capability. “They’re smart, they’re stealing the right info,” said Lee.