Cyber threat intelligence in the OT space.
Dave Bittner: It's December 14, 2022, and you're listening to "Control Loop." In today's OT cybersecurity briefing, Microsoft offers predictions for Russia's war in Ukraine. A wiper targets the diamond industry. Cyberattacks against the manufacturing industry. A look at cybersecurity for farming equipment. And CISA issues ICS advisories. Our guest is Kaleb Flem, senior cyber threat intel analyst at Southern California Edison. Kaleb will be discussing maximizing threat intelligence at a utility. On this episode, the Learning Lab is Part 2 of 2, featuring Dragos CEO Steve Applegate talking with Dragos' Mark Urban about starting an OT cybersecurity program.
Dave Bittner: Microsoft has published its predictions for cyberthreats stemming from Russia's hybrid war against Ukraine throughout the winter. Redmond expects to see a continuation of kinetic attacks against civilian infrastructure supported by disruptive cyberattacks. Microsoft states that the repeated temporal, sectoral and geographic association of these cyberattacks by Russian military intelligence with corresponding military kinetic attacks indicates a shared set of operational priorities and provides strong circumstantial evidence that the efforts are coordinated. Microsoft also warns that Russian operators on social media will likely seek to aggravate concerns about energy shortages and inflation in Europe. The company states, Russia has and will likely continue to focus these campaigns on Germany, a country critical for maintaining Europe's unity and home to a large Russian diaspora, seeking to nudge popular and elite consensus toward a path favorable to the Kremlin.
Dave Bittner: The Iran-linked threat actor Agrius used a supply chain attack to deploy a new wiper against organizations in the diamond industry in South Africa, Israel and Hong Kong, according to ESET. The threat actor compromised the update mechanism in an Israeli software suite used in the diamond industry to launch the wiper. The researchers note that unlike Agrius' previous campaigns, the threat actor in this case didn't attempt to disguise the wiper as ransomware.
Dave Bittner: Researchers at Morphisec announced last week that they've observed a new version of Babuk ransomware in the wild. An infestation was detected at a company which Morphisec describes as a multibillion-dollar manufacturing company with more than 10,000 workstations and server devices. The researchers explain in Morphisec's blog, the attackers had network access for two weeks of full reconnaissance prior to launching their attack. They have compromised the company's domain controller and used it to distribute ransomware to all devices within the organization. They think that earlier attribution of the attacks to WannaRen are mistaken. And they offer three reasons for concluding that, in fact, the malicious payload is an upgraded version of Babuk.
Dave Bittner: First, the overall execution flow and code structure correlate to that presented by Babuk ransomware. Second, it uses the same encryption algorithm. As the researchers put it, one of the most characterizing functions of any ransomware is the encryption method. We verified that the payload in our case matches the one in the Babuk source code. And finally, the configuration and usage of the original and this variant overlap. The improvements the attackers made to Babuk are, according to Morphisec, designed to evade much present scanning and detection technology. The new version of the ransomware implements sideloading, executes with legitimate applications and implements reflective loading functionality to hide the rest of the execution steps.
Dave Bittner: A joint report from BlackBerry and British manufacturers organization Make UK has found that 42% of manufacturers in the U.K. have sustained cyberattacks over the past 12 months. Twenty-six percent of these organizations lost between 50,000 and 250,000 pounds due to the attacks. The survey also found that 65% of these attacks disrupted or halted production. Manufacturers cited the maintenance of legacy IT systems as the No. 1 risk to their business, followed by limited cybersecurity skills and providing access to third parties.
Dave Bittner: Jake Moore at ESET outlines cybersecurity threats to farming equipment. Moore talked to a farmer who fell victim to a phishing attack, which resulted in the loss of access to all of his online accounts used to oversee the farm. This included the system used to track which cows needed milking and which had already been milked. The farmer also lost access to the system that mapped out his tractor's routes, which took the tractors offline. Another farmer told More that his online tractor monitoring equipment tracks every detail imaginable that can be analyzed, from which fields have been fertilized to which fields have the most weeds per 50 square centimeter area in order to know how much pesticide to use and where to spray it to reduce consumption compared to a blanket spray. The tractors can also be controlled and switched off remotely. Moore stresses that if these systems were hit with ransomware or a DDoS attack, the effects would be financially crippling, especially if it were to happen at harvesting time. CISA has released three industrial control system advisories at the beginning of December for BD Bodyguard pumps, MELSEC iQ-R Series and Horner Automation Remote Compact Controllers.
Dave Bittner: And finally, the City of Lake Worth Beach in South Florida sustained a large but short-lived power outage last week after an iguana climbed on top of a transformer at a local substation, the Sun-Sentinel reports. Power was restored in about 35 minutes, and the iguana, sadly, did not survive the incident. City spokesperson Ben Kerr said the city is working to defend its power grid against wildlife but noted that iguanas are a particularly complex issue due to their large size and headstrong climbing skills. Unlike squirrels or birds, Kerr explained, iguanas are heavy enough that the system can't blast them off when they get zapped.
Dave Bittner: Kaleb Flem is a senior cyber threat intel analyst at Southern California Edison. I recently had the pleasure of speaking with him about maximizing threat intelligence at a utility.
Kaleb Flem: So overall, I'd say the utilities that I've come in contact with tend to be doing very well in the control system space as far as being more mature security programs and tend to actually have cyber threat intelligence programs, which is very good considering the how much value you get from those programs. And specifically in the electric utilities, we've been utilizing cyber threat intelligence programs for a few years, specifically on the IT side and more recently been really leveraging those same resources but tailoring them to specific issues and OT-specific threats to better protect critical infrastructure.
Dave Bittner: Can you give us some examples of the types of areas where this comes into play and how you all utilize it?
Kaleb Flem: Well, so a big thing with moving to the OT side with cyber threat intelligence is that the threats are similar. However, the consequences are very different. And also, the assets are very different. And so your normal patching cycles aren't going to be as readily available. And sometimes your recommendations are going to be very different on the OT side because you may not be able to patch. So you are having - or you may not need to because of how isolated the devices are. And so we've had to tailor those strategies from our normal IT best practices to best fit how to - what's more successful and what is actually a more secure practice for the OT side.
Dave Bittner: And from a practical point of view, how does that play out? I mean, what are some of the specific challenges that you face on the OT side?
Kaleb Flem: Well, so specifically, the big one is with patching. So you are prioritizing uptime. Whereas in IT, it's much easier to - it's still a struggle, but it's much easier to have a short patching cycle; say, hey, we need to have these - this critical fix applied within the next 24, 48 hours. But when you're talking about critical infrastructure, specifically on the grid, it's much more difficult to say, hey, we're going to bring down this entire section of the grid to update these devices. And sometimes that's not even necessary because of how the devices are isolated. There may be a vulnerability, but there's no way to access it. So when we give recommendations on the OT side, we need to have that background knowledge and understanding of our environment in order to provide proper, actionable intelligence that is realistic and can actually be applied on the - in the ICS environments.
Dave Bittner: So in terms of the IT and OT side kind of collaborating and each having their own specific sort of flavor of expertise, how does that work? How does the crossover work there? And we often hear about there being a cultural difference there between the two sides.
Kaleb Flem: Yes, there is definitely a cultural difference, and that does come into play. However, at the end of the day, communication has been key. And luckily, within the cybersecurity operation center at Southern California Edison, we have a pretty tight-knit group. And so we're able to keep those communication lines open. And that makes taking some of these best practices from what we've learned on the IT side and applied them on the OT side with modifications.
Kaleb Flem: Additionally, even outside of cybersecurity, just looking at our IT business units versus our OT business units, it's a similar thing. So being able to reach out to those organizational units and open those lines of communication to make sure that we are all on the same page, that has been a huge benefit. And a huge part of the progress that we've made is ensuring that we're bringing everybody to the table so you have less of that divide between IT and OT.
Dave Bittner: You know, we're seeing reports of vandalism with substations, things like that. I'm curious. For the scope of which - with which threat intelligence covers, you know, does it include things in the physical world in that, you know, non-cyber aspect of things?
Kaleb Flem: Absolutely. So bringing it back to keeping those lines of communication open, we work very closely with our physical security side of the house so that way we know when there are - say there's an incident at a substation like we've seen at other utilities recently. We know about that as quickly as it happens, essentially. And we're able to help triage the situation to understand, are there any cyber impacts? Was access gained to cyber systems? Are there greater implications than what may appear on the outset? And so building that relationship and working closely with them has helped us mitigate a lot of those risks.
Dave Bittner: To what degree is there communication between the different providers here, you know, the different providers of energy, the utilities themselves? Is this sort of thing happening through ISACs, or are there informal backchannel communications? How does it work?
Kaleb Flem: Luckily, in my time since moving from my intelligence experience into the OT space, I've been seeing a significant increase in intelligence sharing. Of course, there's always room for improvement. But it has expanded significantly from just the ISACs to informal sharing agreements just between analysts because, at the end of the day, it's still a relatively small community. That's a big part of it. And then also, between private industry, between other government entities, there is a really increased focus on trying to get the intelligence to where it needs to go as quickly as possible because, at the end of the day, if your intelligence is not timely, then it's not going to be effective - and so making sure that we are sharing those best practices.
Kaleb Flem: Another side of that, outside of just sharing intelligence, is we've been able to meet with other teams and share what has worked for us and learn what has worked for them. And that includes intelligence teams that are working at some of the highest levels of national security for overall critical infrastructure to intel teams at other utilities. Because that intelligence is handled quite differently at those different levels. And so we're able to gain those best practices and share our best practices all around.
Dave Bittner: You know, when it comes to best practices, do you have any advice or words of wisdom for some of the organizations who may still be getting up to speed when it comes to these things?
Kaleb Flem: Absolutely. So one - some of the wins that we've found - and this is not just at Southern California Edison but across intelligence career - is that always being open and always asking those questions because that first line of communication is key. Developing the relationships, developing the trust with those units is how you're going to better understand what their intelligence needs are. So it doesn't matter if you have the best intelligence in the world. If you're not providing it to the right customer who needs it, to the right business unit that it's going to be protecting and to be mitigating those risks, then it's not worthwhile. So first finding - figuring out what those intelligence requirements are.
Kaleb Flem: Secondly, finding what your sources are and being able to vet those sources. And at the end of the day, nothing in threat intelligence is brand-new. There are plenty of teams that have been working through these struggles at varying levels, maybe not just on the OT side. So reach out. Figure out, hey; what are you using for collection? What are you using to develop requirements? Because I have yet to find a single entity, no matter the level, that turned me away when asking, hey; how can we improve ourselves? We want to do our job better. So having that humble mindset of wanting to reach out, always improve your program, it goes a long way because you're not alone.
Kaleb Flem: And the other side of it is going down to making sure that your dissemination channel is of that intelligence. So when you've done all this hard work to find out requirements, to do the processing, to do the tough analytical work to create this amazing report but, on the OT side specifically, you've got geographical limitations. So making sure that you have those channels established to get that intelligence out to the business units in a timely manner.
Dave Bittner: Are you finding that management, the powers that be, are seeing the value in threat intelligence; that, you know, it's been effectively communicated, and they're finding this an investment well worth making?
Kaleb Flem: Absolutely. So a big thing that I've seen is that threat intelligence gives you the ability to jump back in the quarterback spot a little bit. Your - we have some amazing technical experts that are in the weeds all day long, whereas threat intelligence gives you the ability to step back and see the entire threat landscape much more clearly. And so you're able to see what threat actors are doing as well as see the trends that we're seeing in our own environment and put those pieces of the puzzle together. And we've seen that executives really appreciate that.
Kaleb Flem: And so we're able to tailor presentations depending on what their needs are and depending as the world situation changes drastically. And we're able to provide them products that give them better situational awareness of the overall threat landscape as well as what we are doing to mitigate those risks. And I think that's also being seen in the increased collaboration between utilities and intelligence teams that we are getting together at higher and higher levels to make sure that we're all working together to improve each other's programs. So it's been really encouraging to see how much progress has been made and how much support we've gotten from management.
Dave Bittner: That's Kaleb Flem from Southern California Edison.
Dave Bittner: In today's Learning Lab, Dragos CISO Steve Applegate speaks with Dragos' Mark Urban about starting an OT cybersecurity program.
Mark Urban: Mark Urban with the Learning Lab. Today we're going to get a CISO perspective on building an OT security program. And I'm fortunate to be joined by Steve Applegate, the CISO here at Dragos. Steve, welcome.
Mark Urban: You know, a lot of times people are trying to catch up to get to a level of two things. There's compliance with regulations. And we see, you know, new regulations coming out, whether it's, you know, TSA in oil and gas and in pipelines and recently in transportation. We see cyber performance goals from CISA recently - not necessarily regulations but, you know, guidelines. We see binding operational directives to the federal government. So there is more of an impetus on, you know, some specific compliance and controls. And oftentimes, you know, organizations are trying to figure out how to get from A to compliance. And even better than compliance is actual security. And they can go hand-in-hand and should. But what tips would you give to, you know, sort of kind of accelerate that in a meaningful yet practical way?
Steve Applegate: Well, there's definitely no one-size-fits-all approach to that problem, I feel like. But there are some basic things that every program is going to need. I mean, if you just say - the governance thing - let's just say it's taken care of. You know, this program that we're talking about, this hypothetical program that we're going to accelerate, has legit governance. There's, you know, executive delegation, like, you know, a mandate from the CISO or whatever. There's a role - something like a CISO role, you know, that people understand is where the buck stops when it comes to security matters. There's policies in place, standards, procedures, you know, committees.
Steve Applegate: You know, this whole - one of the very early things - whenever we were first trying to tackle this problem of how to apply cybersecurity to OT, there was a lot of talk of a cross-functional working group, that type of thing, you know? And that's super important. So that's - all this idea is still part of the governance bit. If all that's in place and then you say, OK, now the governance is solved, at least in some way, how do we accelerate it? I think, you know, there's still the whole - the workforce itself. You know, you think about it. You know, at that point, you have to still build a skilled workforce.
Steve Applegate: Now you've got maybe the right strategic leadership and stuff like that in place, but you still have to have the skills, the people that can type on the keyboard and actually accomplish the work. And that's super important. You can't just go and grab people out of an IT role and say, here; now you're OT, or vice versa. You can't take an engineer and say, hey; you did some programming when you were in college, right? You know, now you do cyber. You know, there's a really highly developed or highly specialized skill set over the years that's developed in OT cyber. And you got to get - you got to find a way to, you know, not just hire a bunch of people and get them started but get the right people and get a pipeline so that this is - whatever you're building can be sustained for years to come.
Steve Applegate: And a lot of times, they also let - you know, I've never once seen a program that was successful that didn't leverage trusted partners. And there's partners that specialize in OT that you need to tap into as opposed to, you know, going to the big box store and hoping to get the right thing, I feel like. I really like this approach of maturity programming. I've always looked for a framework like the NIST Cybersecurity Framework or something that you say, OK, here. This is what we're going to try to base our program on to make sure that we're - you know, to gauge our maturity.
Steve Applegate: And I feel like, you know, developing a maturity program and being honest, you know, you may - when you first gauge your maturity, you know, using, like, a CMMI model or something like that for scoring and you score it very honestly - you know, possibly get a third party to do it that doesn't have a stake in it and benchmark yourself against other companies and - if you come out at a 0.5 or something really bad, then that's OK because this is really for you as a leader to, you know, build upon. And then you can use that to track your - all your remediation efforts over time and prove, you know, to the stakeholders that the money that you're spending, you know, on building this program is - or the money's actually providing the returns that they're expected for it.
Steve Applegate: I always talk about prioritizing remediation efforts. You know, you're going to find - as soon as you start assessing your maturity or even just assessing anything in your program as you're building it, you're going to find a ton of gaps. And how do you compare those gaps against each other and decide which one is the most important? And that's where risk - you know, true risk management comes in. Trying to quantify risks - it's always difficult, you know, when you get into likelihood, especially. Like, how likely is it that this thing is going to happen? But if you take realistic attack scenarios and say OK, you know, what have we seen in the past? Has anybody ever leveraged this particular thing I'm talking about and actually gotten into some place and done - and had a successful exploit and then taken that, you know, like, realistic attack scenario-based quantified risks - that's a lot of words - and used that to help prioritize all the controls that you put into place?
Steve Applegate: Another area that I talk about sometimes that people kind of look at me like I'm crazy - I don't know why. To me, it just totally makes sense, but - I've gone in the past - whenever - I was ready to say, we have to do - you put in control one, two and three right now. And then somebody on - some stakeholder on the OT side came back and said, you know what? That's all, you know, good and dandy, but I have a real problem with control, you know, five or whatever. There's another thing there that keeps them up at night. And I've said, you know what? I could fight them. And I could probably get them to back off and let me - I'm the expert here. You know, I kind of maybe had a big head about it. I said, I could - I know more than they do. This is my job. But I stopped and said, let's go work on the thing that gives them a pain point now or that gives them pain. Let's address the risk that worries them even if it's not, in my mind, the highest risk. And that gives you some credibility with the OT stakeholders.
Steve Applegate: I always try to look for stuff like that. And, you know, if you get some quick wins and you prioritize pain points that they have, then when it comes to further, you know, down the road and you're getting into those really difficult things to put in, like identity and access management type of stuff that - you know, these people are - a lot of times if they go back long enough in their career, they're used to, like, a single account. They didn't even log off, right? It used to be one account got logged in, and maybe it was logged in for 15 years. And now to try to convince them of the importance of having individual accounts - you know, if you fought them, you know, tooth and nail on everything up to that point and then you get to that really hard, you know, type of project that you really need their support on, then you're going to be able to cash in on that credibility as opposed to them, you know, being against you in it.
Steve Applegate: Lastly, I guess I could say, you know, I live in the strategic world being a CISO, but it's so critical that you have an orderly operations plan, you know, that's tied to tactical measures and launches the right projects that actually can accomplish your program or accomplish your program objectives that are tied to your strategy. And one of the things I really like, you know, is prioritizing based on the five critical controls. You know, I like that the first critical control is ICS-specific incident response plan. You know, if you look at the NIST cybersecurity framework, really three out of the five major functions is all - they're all assuming that you're going to get breached or you're going to have an attack. And that's why I like this being the first one because you know when there's a rainy day, if you've already done the planning and you've done exercises and you've tied it to ICS-specific threats, then you're ready to withstand. You know, you're not going to be trying to figure it out in the middle of a breach and stuff, with all the emotions flying.
Steve Applegate: A defensible architecture - you can't say too much about that, right? If you have - if you put things in securely, you know, and have all the other steps like I mentioned before, the governance and everything, then the architecture that you put in is super-important, especially in ICS. Network visibility and monitoring - you know, you don't - how do you protect something if you don't know about it, right? It's so foundational. It's - again, it's the first - some of the first steps of the NIST cybersecurity framework - also, with asset management, making sure that your assets are identified early and you build your program around those assets and make sure that they're all covered. And then the monitoring piece of it, of course, your only - you know, if that's a weak link and you don't ever look at it - like, every so often you go look at your assets and see how they're doing, then, you know, you won't know about some sort of a problem until way too late to do anything about it.
Steve Applegate: Secure remote access - you know, of course, within a plant environment, the days of insecure remote access, you know, largely are behind us, but they're still in the middle of a crisis or in the middle of a plant outage or something, especially a remote, like a PIB, a process instrumentation building. And places like this that are way out in the country or something or on a weird part of a plant that nobody goes to. If you don't have a secure way to access the assets in that facility, then all the other controls that you have could be moot because somebody - you know, an adversary could get in and do whatever.
Steve Applegate: And then lastly, the vulnerability management based on risk - so again, if everything - I think you almost could say risk-based in front of every single sentence I said on this whole talk. You know, everything has to be based on risk. And if you know about your vulnerabilities because you've got a strong program to manage your assets, then you can do something about the vulnerabilities before it's too late. I said a whole lot of stuff there. Anything jump out to you, Mark?
Mark Urban: Yeah, no. It's - you know, I just wanted to let you run because - and I think I'll just kind of provide a quick summary and have you call out any gaps because you talk first about - you need the people with the right skills. You know, OT is, you know - there's specific needs. There's specific impacts. It's a different world than IT. And you need that skilled workforce, whether you hire them, develop them or work with partners to acquire that. You said that was a critical piece of the puzzle.
Mark Urban: Second, create maturity programs that you can benchmark. Third, look at - or next, look at scenarios, you know, threat scenarios. And then order the remediation according to the risk and being able to then, you know, benchmark that year to year to see how your progress has - you know, how you've been progressing and maturing in that plan. Prioritizing pain points from the business because just - you have a security plan, but there are potentially some unique needs, you know, from the plant operators, from the engineering side in order to solve for some of their issues. And that's a partnership that you need to develop over time in order to, you know, establish that trust and, you know, give them what they need as well while, you know, helping with the security side of things.
Mark Urban: And then an operations plan - and you brought up the five critical controls. And you went through the five critical controls. And if you look back in the episode log that was - I think that might have been Episode 1 of "Control Loop" - was Rob Lee doing the five critical controls for operational technology. So I think that's - you know, you felt like you were saying a lot, and you were. But it's based on experience, and it's kind of thought through. So it made sense to me. And, Steve, I sure appreciate the time. Any last words for the CISO trying to make the jump?
Steve Applegate: You know, I guess one of the things that - if I had to pick one thing out of all that I told you and talked about today, you know, that relationship - I didn't really use that word, the R word, I don't think, so much. But the relationship with IT to OT is so critical to getting all this other stuff done - you know, being able to have that open line of communication and being transparent with them, you know, because the more that you can build that relationship and have the open door and share information back and forth and, you know - they'll be the primary source of the vulnerabilities for you and of the different, again, pain points that they struggle with that may not even be on your radar. And having that early visibility into that is critical, I think, for the program.
Mark Urban: Steve Applegate, CISO at Dragos. And I'm Mark Urban for this week's Learning Lab. Thanks very much, Steve.
Dave Bittner: And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com.
Dave Bittner: Sound design for this show is by Elliott Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
