Control Loop: The OT Cybersecurity Podcast 3.22.23
Ep 21 | 3.22.23

The CISO evolution to incorporate OT.


Dave Bittner: It's March 22, 2023, and you're listening to "Control Loop." In today's OT Cybersecurity Briefing, cyberattacks against Canada's agriculture industry. African industrial sector's been targeted with malware. TSA issues new cybersecurity requirements for the aviation industry. CISA issues a guide for resilience in the maritime industry. Ransomware Vulnerability Warning Pilot supports critical infrastructure operators. Today's guest is Jason D. Christopher, Dragos' director of cyber risk, talking about the CISO evolution. In the Learning Lab, Dragos VP of Product and Industry Market Strategy Mark Urban kicks off his two-part discussion about industrial cyberthreat intel and collective intelligence with Seth Lacy, who is a principal threat hunter at Dragos.

Dave Bittner: The Financial Post reports that the Canadian agriculture industry is increasingly being targeted by ransomware gangs and espionage-focused nation-state actors. The Post cites Dr. Ali Dehghantanha, head of the University of Guelph's Cyber Science Lab, as saying that these attacks have been escalating over the past four years. Dehghantanha said, every week, I would say, we are getting contacted by farmers or food companies. It's one of the soft bellies of our critical infrastructure. Many of these cases are typical ransomware attacks, but Dehghantanha says he's seen two instances in which attackers managed to access farm control systems and threatened to modify settings in order to kill livestock. Evan Fraser, director of the Arrell Food Institute at the University of Guelph, told the Financial Post, these are all systems that we explicitly depend on every single day, and they've become extremely vulnerable to manipulation of all sorts. They're vulnerable because we haven't thought carefully about the security of how we set these systems up. 

Dave Bittner: Hitachi Energy, a subsidiary of the Japanese technology giant Hitachi, has confirmed that it sustained a data breach after falling victim to a clop ransomware attack, Bleeping Computer reports. The threat actor carried out the attack via a vulnerability CVE-2023-0669 in Fortra's GoAnywhere MFT. Hitachi Energy said in a press release that the threat actor accessed employee data in some countries, but there's no evidence that any customer data was breached, nor that any control systems were compromised. But ransomware remains a threat to industrial systems, and a pivot from business to control networks is always a possibility. 

Dave Bittner: Kaspersky has seen an increase in cyberattacks targeting industrial organizations in Africa. The majority of these attacks targeted the energy, engineering and oil and gas industries. The security firm stated in different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3% respectively in Western and Northern Europe, which were the most secure regions. In an unrelated report, Sophos is tracking the new version of the PlugX USB Trojan that's currently spreading in African countries, with infections observed in Ghana, Zimbabwe and Nigeria. It's not clear which types of organizations have been targeted or infected, however. Sophos says the novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm. PlugX is a known malware variant that can spread via USB sticks, which can sometimes allow it to access air-gapped systems. Sophos believes this campaign is linked to the Chinese APT Mustang Panda, which has been known to use the malware in the past. Gabor Szappanos, threat research director at Sophos, noted, we don't typically think of removable media as being particularly mobile, especially when compared to internet-based attacks. But this method of dispersion has proved to be highly effective in this part of the world. 

Dave Bittner: The U.S. Transportation Security Administration on March 7 issued an emergency cybersecurity amendment for the security programs of airport and aircraft operators. The TSA says the measures are urgent due to persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector. The amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they're taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. This includes developing network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised and vice versa. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency and the U.S. Army Corps of Engineers Engineer Research and Development Center last week released the Marine Transportation System Resilience Assessment Guide. The guide focuses on physical, cyber, geographic and logistical resilience. CISA's Dr. David Mussington, executive assistant director for Infrastructure Security, stated that the guide is integral to the development of a unified approach to address resilience indicators for port infrastructure systems and functions that assess the key dimensions of critical infrastructure in the maritime domain. 

Dave Bittner: CISA has announced the launch of the Ransomware Vulnerability Warning Pilot, a support program designed to help critical infrastructure operators protect themselves against ransomware attacks. Authorized by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the RVWP will help CISA detect vulnerabilities susceptible to exploitation by ransomware and alert critical infrastructure operators so that the flaws can be mitigated before attack occurs. As Bleeping Computer notes, the RVWP is part of the U.S.'s wider initiative to defend against the rising threat of ransomware that began after a wave of cyberattacks on critical infrastructure operators and government agencies. Interested organizations can email CISA to enroll. 

Dave Bittner: I recently had the pleasure of speaking with Jason D. Christopher, director of cyber risk at Dragos. Our conversation centers on the CISO evolution. Here's my conversation with Jason D. Christopher. 

Jason D Christopher: It's interesting when you think about that evolution of the CISO, even to get to today. When we talk about the chief information security officer and what that role has historically been, it started off as somebody who is maybe buried further in the guts of the organization and then over, I would say, the past, let's say, three or so decades, really started to get into more prominence within the organization - but really only maybe the past decade-ish of having, I would say, a seat at the table and being treated like an executive. 

Jason D Christopher: And even in some of those cases where - I work with a lot of CISOs, and in some organizations, they'll have that C in front of their title - right? - for the chief part. But they may not feel like they're a true executive in the sense that we see the same level of maybe deference or ability to craft their own program as you would with the CFO, the chief financial officer, or even with some of the other areas within industrial organizations like the chief operations officer, where they are sort of viewed as the default. If the CEO were to step down or if there WAS supposed to be an interim CEO, those roles would roll - would probably raise to more prominence than the chief information security officer. 

Jason D Christopher: That said, we've seen now this relevance of all these new threats - talking about ransomware, talking about the things that now executives have seen cybersecurity in this light of, oh, this could actually bring down the business. This could bring down production in our plants. Now that chief information security officer is starting to get a little bit more of - how are we protecting the business? And that new evolution, I think, is going to lead towards a better grasp of what's happening inside of OT rather than just the perimeter in the traditional information technology sense. 

Dave Bittner: Do you suspect that it's just a matter of time for our CISOs to - for their status to be elevated among the other members of the C-suite, the historical members of the C-suite? 

Jason D Christopher: I do. I think it's very similar to how the chief financial officer has been evolving over time. If you rewind ourselves maybe 40 or 50 years ago, there really wasn't a chief financial officer in most organizations. You go to now, as I said before, they are one of the defaults. Like, if the CEO doesn't do something or if they're removed from the board, that CFO becomes the interim. They're sort of the default new person who would take over. I do think that that evolution will also shift with the CISO in mind because the CISO, by their definition, has to put this protective wrapper around the business, which should mean - it doesn't mean that they do - but it should mean that they are business-oriented, that they have the comprehension of what the impacts on the business will be during a cybersecurity incident. And therefore, they should be able to really elevate themselves to that new requirement, I would say. 

Dave Bittner: You know, it's practically a cliche to talk about the divide between IT and OT. I think we've made some strides there. But is there something to be said for the historical role of the CISO and how that relates to the OT environment? 

Jason D Christopher: For sure. And I think it's because of the way that industrial organizations started hiring and sort of cultivating what the CISO would become. When the executives think about cybersecurity, it was never really, 20 years ago, a thought of what was happening in the production environments - you know, in the plants, in the field assets that we care so much about. And they sort of just - if you talk to a CEO about all the investments they've put into cybersecurity over the past 10 or 20 years, there was just a presumption that OT was part of the equation because a lot of the other executives - the chief operations officer, the chief executive officer - would have come from that OT environment. They understand, in many cases, that production piece. 

Jason D Christopher: But when they brought in, you know, sort of the new blood that was cybersecurity, they were bringing in people who were from traditional environments that were corporate IT because they, quote-unquote, "knew the cyber." And that was where the disconnect probably first originated because you took somebody whose strength was looking at enterprise IT. So they're obviously going to focus on enterprise IT. And then as things sort of shifted, now we start seeing this - more news headlines, more conversations about OT and the business impacts. Now that CISO is shifting to be able to say, oh, no - yeah, no, we can do that, too. But that cultural divide, as you said, is very cliche. And they're finding themselves now in a sort of quagmire of different frictions and cultures that maybe they weren't originally in tune for. 

Dave Bittner: Can you give us some insights of the spectrum of realities that are out there? You know, for organizations that are highly functional when it comes to this and bridging that divide and then organizations that are still struggling - are we still experiencing that spectrum? 

Jason D Christopher: For sure we are. I would say that where organizations started to really get it was when we saw large events like WannaCry and NotPetya. NotPetya in particular was really interesting for a lot of public companies that had to start falling in and saying, oh - to the Security Exchange Commissions - here's what we believe our production damages were or a loss of revenues as a result. 

Jason D Christopher: And when you start seeing hundreds of millions of dollars come across the ledger, that really started to take, you know, these Fortune 500 organizations and start putting them into a more mature aspect of how they were doing daily business with OT. Where I still see that cultural divide is where there are ownership gaps, where, when you talk about who has got visibility over the cybersecurity program, it'll be point - fingers pointing across the aisle because you'll have sort of the VP of operations or the COO point to the CISO. And the CISO, if they have the know - the knowledge and the wherewithal to be able to say, oh, I don't have any visibility in OT, they'll point back to that VP of operations and say, no, no, no, that's your program. And then we start talking about - where are we spending those dollars? And that's where I think we'll still find those cultural rifts in those less mature organizations that maybe haven't had an incident or haven't had ransomware and that fear of what's happening to OT versus those who may be a little bit more on the, you know, crawl, walk, run - more on the crawling side of their program development. 

Dave Bittner: What do you suppose the future holds here? It's - the future organization, you know, in an idealized sort of way, how will all this play out? 

Jason D Christopher: It's interesting because I think that of all things, regulation is already starting to push us in this new evolution. When I think about the different standards that we saw got developed in the past year - and I know that in the last month, we were all able to talk through more of the White House initiatives on cybersecurity - is I see the other part of that, where there are mandatory regulations - and not just here when we talk about the United States or North America but globally - there is more conversation about boards needing to be informed and trained and understand what impacts will look like for cybersecurity events. 

Jason D Christopher: And if you're thinking about impacts and you're still thinking about dollar value or I'm going to lose credit card records or billing information, then you're stuck in the old IT way of thinking things as an industrial organization, and you're missing the big part on OT. So when I see the recent guidelines that are - should be upcoming with SEC and when I see conversations about what may take place with the NIS2 directive in the EU, I see a lot of push towards boards and, further, other executives - look at cyber impacts beyond the normal scope of IT. So I do think that this evolution is being forced from outside forces as well as from within. And I think that will be the evolution we'll see over the next 10 years or so. 

Dave Bittner: What's your advice for those CISOs who are out there to not be, you know, swamped by this wave of change that's coming? 

Jason D Christopher: Training, for sure. This is one of the things where I look at it from a - where would I spend my next dollar if I was running a cybersecurity program in an industrial organization? - is I would invest it in our people to be able to understand where they need to have those gaps shored up. And executive training is obviously going to be very different than when you think about the technical training, the boots on the ground. We need to understand the overall perspective of how does operations work from a management perspective, what is their culture, and start figuring out how we can shift those cultures to blend together. So it's not IT versus OT, but we're really sort of looking at it from a one programmatic perspective, and both sides understand the value of each other. 

Dave Bittner: It seems to me that it's in a CISO's best interest also to kind of hone their skills when it comes to the business practices. You know, that might not be a side that they considered so much in the past, but as you point out, as they're being elevated in the boardroom, they need to speak that language. 

Jason D Christopher: Absolutely. If you're going into a sort of quarterly board review and you're talking about your overall risks, and you're using metrics that are designed to get a reaction but maybe don't tell the health of your program, then you may be missing the mark. If you're talking about, well, we have 50,000 attacks per day, and we all know in the background that that's really like, you know, things that are hitting your firewall, not really "attacks," quote-unquote, then you need to start educating yourself as to what are the business impacts you really care about because most executives will look at that and say, who cares? You're still - business is running, so obviously you're doing a great job. 

Jason D Christopher: However, if there's going to be an incident on that OT side and you're not aware of the impacts, you're not aware of what protections you have, or you don't even know how it is you're going to respond to an incident where the IT folks come into a plant and the plant people try to kick them out because they don't want something bad to happen, then we're going to have those cultural rifts really get exposed. So you're absolutely right. It's about the business impacts, about understanding what it is that your business does and then crafting those metrics, those measurements that you really care about that others will care about, too, so you can get your message across and get that funding that you need to be able to bridge those gaps as you see them. 

Dave Bittner: Our thanks to Jason D. Christopher from Dragos for joining us. 

Dave Bittner: In today's Learning Lab, Dragos' VP for Product and Industry Market Strategy Mark Urban kicks off his two-part discussion about industrial cyberthreat intel and collective intelligence with Seth Lacy, principal threat hunter at Dragos. 

Mark Urban: Hi. This is Mark Urban with another episode of the Learning Lab on "Control Loop." And today we're going to talk a little bit about threat intelligence, a little bit about threat intelligence in the industrial space in general but then talking about the collective intelligence, meaning when different organizations are able to pool anonymized information between themselves to increase the effectiveness. And I'm joined for this topic by Seth Lacy. Seth, could you introduce yourself, what you do at Dragos, please? 

Seth Lacy: Yeah. So at Dragos, I'm a principal threat hunter, which means I kind of track the adversarial groups that are focused on industrial networks and trying to both penetrate and, in some cases, disrupt those networks. 

Mark Urban: Got you. And what brought you here? Give us a little bit of background about where - you know, what led you to Dragos and kind of this role. 

Seth Lacy: Yeah. So, you know, I grew up in kind of, like, a rural part of Virginia. And, you know, in my high school, I guess, as kind of an effort at bringing technology to a rural environment, they had a course for the Cisco Certified Networking Associate kind of certification. And so I got enrolled in that course when I was in high school, and that kind of sparked a wider interest in networks and computers and kind of sent me down a path of being interested in those topics. And so, you know, I often joke that I ended up where I am, you know, mostly based on a misspent youth in front of a computer screen. 

Seth Lacy: But, you know, I had kind of carried that interest forward and have always maintained a particular interest in kind of more, you know, offensive security methods, right? And so I think when I was younger, a lot of that was an interest in, you know, pen testing, red teaming techniques. And over time, I realized that I could apply a lot of that knowledge to not just learning those techniques and understanding how to implement them but rather trying to understand, hey; how can I take this knowledge and start to apply it in a more defensive manner, right? How can I take my understanding of adversaries and the way they think and the limitations they face when moving through a network and use that for more defensive purposes and to actually hunt those adversaries both in customer networks and then kind of across the internet more broadly? 

Mark Urban: Yeah. I guess when you have that interest and develop that skill set, there's a couple ways you could go. And I'm grateful that you chose, you know, this path where you're helping industrial companies kind of find the bad guys rather than being one of those yourself. Thanks for that choice however many years ago that was. But, you know, so when you talk about threat hunting, just, you know, for those - sometimes we kind of want to step back in a little bit of a one-on-one. Just what is a threat hunt and especially in kind of the industrial context? 

Seth Lacy: Yeah. So, you know, threat hunting is a concept that has definitely developed a lot more over, I'd say, you know, probably the past five to seven years. But, you know, a lot of it is taking a more proactive approach to network defense, right? It's not just, you know, sitting around and, you know, waiting for something to happen and then reacting to that. 

Seth Lacy: You know, a lot of it is, again, trying to put yourself in the adversary's shoes and say, you know, where can I go look for this adversary? You know, how can I form a well-thought-out hypothesis about - you know, with what I know about my network, what I know about historical adversary activity, how can I put together a well-formed hypothesis to go look for that adversary? And, you know, it's, I think, rife with frustration because a lot of times the result of that is, well, you know, I didn't find anything. But what I can say is that if I've carefully scoped that hypothesis and it's well-thought-out, you know, it doesn't mean that the adversary isn't there, but it means that I've at least disproven that particular hypothesis, right? 

Seth Lacy: And so by implementing kind of a threat hunt program, I'm moving from just waiting for the adversary to appear on my network and having gained a foothold or otherwise disrupting, particularly in the industrial context operations. I'm kind of trying to get ahead of that power curve, right? I want to preempt that adversary and disrupt them before they have the opportunity to impact operations or otherwise disrupt the network. 

Mark Urban: And how does threat hunting relate to, you know, CTI, cyber threat intelligence? Is it - does it provide information to cyber threat intelligence? Does it draw on cyber threat intelligence? Tell us a little bit about how threat hunting relates to CTI. 

Seth Lacy: Yeah. I mean, you know, I think it ends up being a virtuous cycle, right? I would put threat hunting in as a bit of a subdiscipline of cyber threat intelligence, or CTI, as a whole. When you're forming those hypotheses, you're really leaning on a lot of that CTI data and analysis, right? I'm trying to understand how has this adversary behaved in the past, how does that relate to what I know about the network in question or the adversary in question, and coming up with those hypotheses about where I would expect to find that adversary or see that adversary active. 

Seth Lacy: And so then let's say that I have what would be termed, I guess, a successful threat hunt. And I manage to identify the adversary, preempt them at an early stage of a campaign or when they're just gaining a foothold on a network. I am likely, in that process, going to learn something new about that adversary, right? And so a lot of, you know, the postmortem on a threat hunt, especially a successful threat hunt, is going back and documenting what I've learned about that adversary and sharing it out. You know, in the Dragos context, that would be to our customers. You know, if I were, you know, defending a single network, then, you know, it would be disseminating it out to the rest of the security team. 

Seth Lacy: And so, you know, that ends up being this virtuous cycle of, you know, I am drawing on this CTI information to form my hypothesis. I'm drawing on my understanding of the network to form the hypothesis. But then I'm taking that result of a successful or even an unsuccessful threat hunt and then taking that data and feeding it back in to where it is available and is part of the process in informing future hunts and scoping future hunts. 

Mark Urban: OK. So that's interesting. So you're actually - you're drawing on, you know, past information intelligence that's out there. You're forming a hypothesis. You're doing more research, and then you're going and looking. You're discovering things, maybe - hopefully - or maybe not. I guess hopefully not at the same time. And then you're feeding that back in. So you draw intelligence and you return to intelligence and expand the knowledge set. That's interesting. OK, so threat hunting, a component of CTI, but let's now turn to - you know, the topic that you wanted to talk about today was the concept of collective intelligence. So drawing out - what is collective intelligence in your context? 

Seth Lacy: Yeah. So, you know, one thing we talk a lot about within the threat-hunting discipline is, you know, you can't hunt in data that you don't have, right? So, you know, talking about collective intelligence, the concept of collective defense, you know, a lot of it is trying to widen that aperture of the data that's available. You know, particularly when you're talking about threat hunting in a single-company environment - right? - or within a single organization, a lot of times you're going to be somewhat limited in your visibility outside of your specific organization, right? You might have a vendor who's providing you with CTI data that gives you some insight into kind of, like, broader adversary activity. And, you know, that's a lot of our output as threat hunters at Dragos is trying to disseminate our understanding of your adversary tactics, techniques and procedures. But in terms of kind of, like, actual data on what's happening within the community in real-time, you know, that becomes a challenge, right? 

Seth Lacy: And so coming back to this concept of, you know, you're not able to hunt in data that you don't have, the idea of kind of collective defense and kind of collective information-sharing is trying to widen that availability and kind of aperture of data that you have at your fingertips to provide context to maybe what you're seeing in your own environment or, you know, what's happening across the broader community. 

Mark Urban: And at Dragos we built as part of the Dragos platform for ICS and OT security the capability that we term Neighborhood Keeper. That's what we're talking about in the Dragos context. Is that correct? 

Seth Lacy: Right. Absolutely. So yeah, in our context, you know, Neighborhood Keeper is kind of a no-trust interconnected sensor network that allows sharing of threat information on OT networks at machine speeds and kind of, like, across a communal defense network. 

Mark Urban: What do you mean by no trust? 

Seth Lacy: Yeah. So that's kind of, like, one of the key points for Neighborhood Keeper is that the identities of participants are technologically irreversible from the data - right? - which enables anonymous and secure sharing. You know, this is kind of one of the interesting things when you get into collective defense and this kind of, like, broader information-sharing is that you have these inherent privacy and regulatory concerns that sharing this type of data can introduce. Especially if, you know, you want to have as large a community as possible, you're hoping to share information as broadly as you can, right? And so that no-trust aspect ends up being key, right? So while we share the data and the trends, anything identifiable is stripped out locally before being shared with the wider program, right? So this kind of level of anonymization allows for maximum participation and visibility across a really diverse range of industries and regions. 

Mark Urban: And that participation is opt-in, right? That's the - kind of the end... 

Seth Lacy: Yeah, absolutely. 

Mark Urban: ...Company's decision to opt into that Neighborhood Keeper environment. 

Seth Lacy: Yeah. So it's an opt-in network specifically for organizations with the Dragos platform. There's also some additional contributions and participation from a select group of what we call trusted advisers. So this would be ISACs, CERTs, including our own OT CERT and then some government partners as well. 

Mark Urban: Gotcha. And so you talked about no-trust networks, you talked about so it's opt-in, no-trust, which means you can't reverse the information out. I guess the name - so I'm a year into Dragos. The name Neighborhood Keeper is kind of like neighborhood watch, right? Is that where it derives from roughly? 

Seth Lacy: Yeah, yeah - in some respects, absolutely. It's just this idea of being able to form a community and kind of watch each other's backs and aggregate this data in a way that - you know, Neighborhood Keeper is by no means, you know, the first information-sharing program out there. You know, it kind of set out to solve this really interesting issue, which is you have this trade-off between, you know, having a - as broad of a neighborhood, if you will, as possible and then kind of the detail of information that's shared, right? You know, there are legal, privacy, regulatory concerns with, you know, sharing a large amount of data with a really large community. And so what we'd really hope to address with Neighborhood Keeper is being able to make that neighborhood where you have this kind of neighborhood watch approach as large as possible. So that's kind of why Neighborhood Keeper was built with this kind of no-trust approach in mind is to make that community that is sharing this data as wide and large as possible. 

Mark Urban: Seth Lacy, ladies and gentlemen. Seth, a threat hunter focused on industrial here at Dragos and talking about not only threat hunting and threat intelligence but collective defense with Neighborhood Keeper. Seth, thanks very much for enlightening us about this today. 

Dave Bittner: And that's "Control Loop" brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliott Peltzman with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.