American providers of critical infrastructure services still aren’t spending enough to protect their operational technology (OT) systems, says the head of a company that protects industrial internet-connected systems.
Some firms have acted, Robert Lee, CEO of Dragos Inc., told reporters during a webinar Tuesday. But he estimates less than five per cent of the world’s infrastructure has invested in OT visibility.
“We simply haven’t turned on the lights in the house to see what’s happening.”
One electricity provider told him it spends US$100 million a year on IT security, and just US$5 million on OT security, he said.
That’s understandable, he quickly added, because for years, boards and CEOs of firms with internet-connected industrial systems focused cybersecurity on enterprise IT networks, not realizing that didn’t include the OT side.
OT cybersecurity is unique because factory and industrial network communications and protocols can be different than on IT networks, so IT security solutions can’t merely be copied, Lee said.
What worries him is the possibility that more attack frameworks like Pipedream, which Dragos and U.S. cyber authorities discovered in 2022 and is attributed to a foreign government, may soon be within reach of threat actors with fewer resources than a nation-state.
Pipedream, which was found on a U.S. firm’s network, can manipulate a wide variety of programmable logic controllers (PLCs) and other industrial equipment, is highly scalable, reusable, and can cause damage in [almost] any OT system, Lee said.
Once deployed, there’s no way to stop it, he added. Pipedream isn’t like a vulnerability that can be patched.
“What concerns me is other countries are working on very similar capabilities,” said Lee, “and these capabilities will start proliferating to criminals.”
An example is the discovery earlier this year by Microsoft of a China-based group dubbed Volt Typhoon targeting critical infrastructure organizations — including communications providers, utilities, manufacturers, IT firms, and government departments — in Guam and the U.S. mainland.
This week, Reuters said the U.S. struck back at the IT infrastructure supporting Volt Typhoon.
Lee said Dragos has been watching Volt Typhoon for a while. “They consistently chose industrial targets and play the ‘low and slow game,’ where they get in and wait for the malware to be used when they want,” Lee said.
“We consistently see this as a pattern across the world, where adversaries want to have access to the operational technology portion of the critical infrastructure to be able to leverage it at the time and place of their choosing.”
What makes this kind of threat damaging is the fact that OT networks have moved from being customized for each environment to being automated and commoditized. That leaves them open to attacks whose damage can spread from merely one company to an entire industrial sector or geographic region, he said.
“For most companies in the United States that operate industrial infrastructure, the current reality is that growing complexity in automation means we are losing expertise in companies on the [OT] systems as a whole,” Lee said.
“We may just really understand [OT] subsystems. We may need to call in vendors and integrators and contractors and a bunch of other people to understand these systems of systems. What that means is something that can happen — the network can go down, the system can go down, physical destruction can take place, or a plant can go down — and we wouldn’t know why. That ability to do root cause analysis is only possible with a lot of preparation ahead of time.”
There has been recent progress in awareness, Lee admitted, particularly because the U.S. government is working more closely with industry, and publicizing the problem through Presidential executive orders and reports on Pipedream and Volt Typhoon.
“We are seeing win after win when governments do their part to use their unique capabilities and collaborate with the private sector, so we can use our [capabilities],” he said.
“If we can respect the fact OT is different from IT, we can elevate the discussion so executives and policy makers around the world can understand that reality, and how much we’ve under-invested” in identifying and responding to OT threats, he said.
With that understanding, “we can pull [together] a really powerful, really exciting group of asset owners and operators who give a damn about national security and local security” and, with experts in the private sector and government, “make it extremely costly and painful for adversaries to find success. That is what winning looks like, and it is absolutely doable,”
“But quite frankly,” he added, “we have a lot of ground to cover.”
The public has to understand why utilities and manufacturers are spending on OT security, Lee said. “The less [time] we’re debating on if we should do something, and the more [time spent] on executing on what we know right looks like, the better we’ll be.”
Separately, Kaspersky issued threat predictions for this year for the industrial control and OT sectors.
These include:
— ransomware will remain the No. 1 scourge of industrial enterprises in 2024;
— attacks on logistics and transport companies may become targeted not at the IT infrastructure supporting operations, but the vehicles themselves;
— politically motivated hacktivism along geopolitical fault lines will grow sharper teeth and have more destructive consequences;
— widespread use of “offensive cybersecurity” by companies and cybersecurity firms for gathering cyberthreat intelligence will have both positive and negative consequences;
— The ongoing and rapid automation and digitization of logistics and transport will lead to greater intertwining of cyber- and traditional crime, particularly in long-established criminal fields such as the theft of cars, maritime piracy and logistics fraud.
