Intelligence services within the convergence of OT and IT.
Dave Bittner: It's September 6, 2023, and you're listening to "Control Loop." In today's OT Cybersecurity Briefing, a crude cyberattack on rail control systems stops Polish trains. Energy One discloses a cyberattack against its corporate systems. NIAC calls for a National Water Strategy. Researchers aim to secure the U.S. military's power grids. The Department of Energy holds a contest to provide cybersecurity funding for rural utilities. And a technical issue grounds the UK's air traffic control system's automated features. Today's guest is Mark Ryland, director of the Office of the CISO at Amazon Web Services. The "Learning Lab" wraps up the conversation between Dragos' Mark Urban and Kimberly Graham about the convergence of OT and IT. [ Music ]

Polish authorities have arrested two men, both Polish citizens, SecurityWeek reports, in connection with an attack that halted 20 trains in the vicinity of Szczecin. They used an acoustic tone transmitted over a radio system to issue stop signals. The incident began Friday, August 25, and continued with minimal effect the following Saturday and Sunday in other parts of the country. Cybernews says the two men arrested were taken into custody and were found in possession of radio equipment. The suspects' ages are given as 24 and 29, but they're not further identified. Polish intelligence services continue to investigate the incident for signs of Russian sabotage. The Polish Press Agency reported, "The signals were interspersed with recordings of Russia's national anthem and a speech by President Vladimir Putin." Reuters reports that a senior Polish security official said, "For the moment, we are ruling nothing out. We know that for some months there have been attempts to destabilize the Polish state. Such attempts have been undertaken by the Russian Federation in conjunction with Belarus." Polish railroads would be an attractive sabotage target. 
According to the Washington Post, "Some 80 percent of Western supplies delivered to Ukraine transit Poland. And much of that is carried by rail." So, motive and probably opportunity point to Russian involvement. But, so far, no other evidence has been reported. According to Wired, "The emergency stop signal was transmitted over a legacy radio frequency system that lacks either authentication or encryption. Anyone with the right equipment can trigger an emergency stop by sending a series of three acoustic tones at a specific radio frequency. The biggest difficulty a hacker might face is getting physically close enough for their signal to be within range." It's a throwback hack of a throwback system. Some of the original hackers, of course, were phone phreaks. In the late 1960s, they discovered that sending the right tone into a telephone let them make free long-distance phone calls, which back then were pricey. You needed a 2600 hertz tone to engage the old Bell system's long-distance service, and you could use a cheap musical toy to do that. The whistle offered as a prize in boxes of Cap'n Crunch cereal did it if you covered up the right hole before blowing.

"Energy One, an Australian company that develops software for energy firms, disclosed that its IT systems in Australia and the UK sustained a cyberattack on Friday, August 18," SecurityWeek reports. The company said in a statement, "Analysis is underway to identify which, if any, additional systems may have been affected by the cyberattack." As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems. Energy One's response to this incident and its investigation is continuing. Key lines of the ongoing inquiry and response include securing Energy One's systems, establishing whether or what personal information and/or customer-facing systems have been affected, and the initial point of entry. 
The incident affected business systems and their software supply chain, but attacks on business systems have been used before as a springboard to move into industrial systems proper. Or, as in the case of Colonial Pipeline, they can themselves induce interruptions in industrial processes.

Eversource, one of the largest energy companies in the U.S. state of Massachusetts, has disclosed that a third-party vendor software bug may have exposed customer data. The vendor is CLEAResult, which supplies Eversource with software used to track energy efficiency programs. In the notification to customers, Eversource stated, "Some file copies were taken from CLEAResult's systems. CLEAResult has advised us that they moved quickly to take appropriate security measures to fix this vulnerability and are completing their investigation into this incident and complying with all laws." The utility company, which provides gas and electric services to communities across Massachusetts, went on to say that the potentially exposed data include customer names, addresses and energy usage information. Patch notes that this is Eversource's second data breach in as many years, as in 2021, a cloud server was left unsecured, exposing company data that included Social Security numbers. The company was caught up in the MOVEit software supply chain incident as well. It's another ransomware incident and a good reminder that the energy sector is as vulnerable to these as any other industry.

"President Biden's National Infrastructure Advisory Council has called for the creation of a Department of Water and a National Water Strategy to address cybersecurity threats to water infrastructure in the U.S.," MeriTalk reports. 
According to a draft report from the NIAC, the proposed entity's goal would be to ensure America's economic prosperity, security and quality of life by working with state, local, tribal and territorial governments and stakeholders to deliver safe, efficient, sustainable and equitable water, wastewater and stormwater systems responsive to changing climate, hazards and threats, including physical and cyber threats.

"Researchers at Virginia Tech are looking at ways to secure U.S. military-base power grids against cyberattacks," Newswise reports. The researchers are building plans to implement secure communications for the microgrids the U.S. Army plans to build at each of its bases. Ali Mehrizi-Sani, an associate professor in the Bradley Department of Electrical and Computer Engineering, said, "The general idea is to coordinate backup power generation through a communication network that pools smaller energy resources. The concept is simple, but the implementation is difficult."

The U.S. Department of Energy is holding a contest for rural utilities to receive a total of $8.9 million to improve their cyber defenses. CyberScoop reports, "The DOE stated the ACT 1 prize program will prioritize utilities eligible to participate in the RMUC program that have limited cybersecurity resources or serve military installations." Utilities are strongly encouraged to apply if they have limited economic and staff resources, have limited access to cybersecurity training, TA and support services, and have a low cybersecurity maturity level.

As we previously discussed, the University of Minnesota disclosed it suffered a data breach in late July, and the hacker allegedly responsible claims to be in possession of seven million Social Security numbers linked to members of the college community. Fox 9 now reports that a former student and former employee who fear their data may have been exposed have filed a class action lawsuit against the school. 
The university has not yet commented on the suit, but last week confirmed it had enlisted the help of law enforcement to carry out a breach investigation, which is still underway. It's worth noting that the incident appears to be yet another casualty tied to the mass hack of the popular MOVEit app, which the university used to transfer files.

A technical problem last week at the UK's National Air Traffic Services forced the delay or cancellation of hundreds of flights into the United Kingdom, as the loss of automated capability forced controllers to revert to manual methods. The problem was caused by a flight plan that NATS' systems were unable to process. The BBC reports that the government's preliminary investigation has effectively ruled out a cyberattack. The Telegraph reports that security sources said the fault appeared to be a genuine technical problem and was not believed to be the work of cyber hackers or a hostile foreign state. The UK's airspace wasn't closed, as a number of reports misleadingly put it, but flight disruptions were widespread. And even though the problem was identified and corrected last week, issues continued for some time. [ Music ]

Mark Ryland is director of the Office of the CISO at Amazon Web Services. Mark joined us as part of a Dragos webinar in August entitled "Securing Digital Transformation: OT Cybersecurity Innovation and Resilience." Here are some highlights from my conversation with Mark Ryland from that webinar. Hey, everybody, welcome. I want to thank you all for joining us here today for our webinar. This is titled "Securing Digital Transformation: OT Cybersecurity Innovation and Resilience." I'm Dave Bittner. I am the host of the CyberWire podcast, a daily cybersecurity news show, and also the host of "Control Loop," which covers IT and OT security courtesy of our partners at Dragos. I want to welcome Mark Ryland, who is director of the Office of the CISO at Amazon Web Services. Mark, glad to have you here. 
I think something we're seeing here is as we see this melding of business and innovation, this whole notion of digital transformation, this is not some sort of future thing that's over the horizon. I think it's fair to say we're in the midst of it. What industrial infrastructure industries are you seeing that are at the forefront of this secure digital transformation? How are they approaching that when it comes to cybersecurity?
Mark Ryland: Great question. And thanks for including me in the conversation. It's pretty broad. We see these big transformation efforts going on in, you know, automotive, energy sector, different kinds of manufacturing, pharmaceuticals. It's broad. And I think there's a realization that you have to learn to, you know, move much more rapidly. And, so, the transformation is in part about a new kind of business strategy and new technologies that allow for more rapid transformation. All these things are kind of coming together in a really positive way to enable these powerful, you know, use cases. Now, again, there's all kinds of options. People do everything from sort of, you know, lift and shift old systems to the cloud; they also build wrappers around old technology. You can't rip and replace everything overnight, so very often a modernization project might involve creating like a smart proxy or a smart gateway between an old on-premises system with a lot of new capabilities, adding some security layers and monitoring and so forth. And then, you know, streaming data to the cloud can sometimes involve adding like new sensors to an old factory environment. We have customers that literally just come into older systems and plop in, you know, temperature sensors, vibration sensors, all kinds of interesting, very inexpensive wireless devices that give them deeper insight into what's going on inside their environments, and then build machine-learning models to do things like predictive analytics around the health of equipment, so that over time you can tell when the equipment needs repair or, you know, maintenance because it actually vibrates and makes sounds in a different way, and you build the technology as a kind of overlay. But it gives you the ability to accelerate and to do new things with the new data that's, you know, streaming into sort of backend analytics platforms and backend security and monitoring platforms. 
So, it's a pretty broad set of examples across again all those industries. One example that I'd like to call out just because it's sort of a very fun one and it's - there's actually quite a bit of material you can find on the web if you search for AWS and Fender Guitars that Fender Guitar has made very heavy use of our platform as well as partner platforms, such as Splunk and Dragos, to enable them to build, you know, guitars that are less likely to fail, the wood is less likely to warp, you know, to maintain the temperature of their - of their manufacturing facilities that monitor the humidity, all these kinds of things in a very, you know, consumer kind of space, but it's a fun one and, you know, one that a lot of people are familiar with watching Jimi Hendrix play his Stratocaster that's all being modernized along with all these other things.
Dave Bittner: I don't think we're quite at the point where Fender guitars can be considered IoT devices, but I suppose it's inevitable that it heads that way. Right? Mark, I'm curious, from your experience, what specific types of workloads are best suited to moving to the cloud.
Mark Ryland: Practically every backend kind of workload, obviously where you don't have a very low - super-low latency requirement, can really benefit from cloud just because the, you know, cost of storage is very low, and you can use function as a service to lower your compute costs. You don't need to be running, you know, virtual machines constantly. You can use something like Lambda to process data as it comes in. There does remain the challenge, which we'll always have, of, you know, the latency issue. Right? So, there are use cases where you need that sort of submillisecond or, you know, hundreds-of-microseconds type of latency. And, so, that's where technology that is sort of backended in the cloud, that's control planes in the cloud and the long-term data storage in the cloud, and then you build these connected devices that are out there sort of doing the caching, the local proxying, the local response, local inference. So, if you build a machine-learning model and you do all the training in the cloud, but then you download the model to a potentially pretty small and pretty lightweight device to do the inference phase of machine learning, which is, you know, given this piece of data, quickly run the model, output a result. And, so, between ourselves and all our partners, we build these kind of - those kinds of connected experiences which sort of project the power of the cloud out onto the factory floor or to the smart car. We haven't talked about smart cars, that's a huge use case, right, which we're all kind of experiencing as we upgrade our cars. I have a 17-year-old car that I'm about to sell to my son. So, maybe I'll have a newer one pretty soon here. But, yeah, everything is just changing very rapidly. And we see that globally. 
When we launched our new cloud region recently, well, about a year ago in Dubai, we had a couple of major car manufacturers who were sort of waiting for that region launch because they needed like local regionality for some car launches they were doing in the Middle East. So, it's very exciting to see that. But I think that pattern will always be there, you know, backend big data processing and analytics in the cloud, pushing out to the edges with smart devices, smart proxies, and then being right - you know, adjacent to the systems that have to be monitored and that need to be secured. Again, security, think about security in a smart car scenario. Right? You definitely do not want people hacking into your car over the radio. And, so, you've got to build those protections in from the start, and then the careful monitoring and response capability as well.
Dave Bittner: Yeah, I often joke that my favorite iPhone accessory is my car. And I know at AWS you all have a variety of tools to help people along this journey. It's not - you know, you don't just send people on their way and wish them well. They're - you've got some backup here.
Mark Ryland: Yes, we have lots of tools to help people. But I think there's a kind of systemic shift going on in the industry that is very helpful with regard to these kinds of risks. And that is to go from a product model to a service model. So, if you think about something like SolarWinds, essentially, what I do in my traditional on-premises world is I'm running this Windows server and I'm downloading and installing and operating a bunch of software that I really don't know. I don't understand its internals, I don't really understand its normal behavior. I'm the operator, but someone else is the developer. When you move to a service model, the engineering teams that build the things and operate them have a much better chance of noticing anomalies, like why is that DNS name being looked up from this box, like that absolutely makes no sense for the normal operation of this box. Whereas an on-premises operator, you can't blame them for not locking down DNS because they don't really know like what lookups are appropriate for this binary that I just installed on my server. That's never going to go away completely, but I think when you move to a model where either I give you a device and I manage it remotely and I make sure it's patched and updated and I monitor it because I really understand what its normal operation is, or I'm using a cloud service where I'm just calling APIs, I'm calling, you know, databases, but the operator of that system has a very good understanding of like what's normal, what's abnormal about the behavior sort of internal to that thing, it really increases the chance of detection and decreases the chance that something that is kind of, in a way, obvious just sort of sneaks in. And I think that's - there's a systemic improvement going on as we shift to these more - a better integration of engineering, development and operation, so DevOps kinds of concepts, which apply both in cloud, in device, on-prem. I think all those things are helpful. 
There's still risk. We still have to be careful. And, you know, we have to institute things like, you know, zero-trust technologies, very simple. Like imagine there was MFA required for the login to, you know, the code pipeline, you know, that hack wouldn't have happened. Just simple things like that where, as an industry, I think we're getting better. Lots of risk, lots of challenges still remain, but I think that, you know, if we stay on top of these technology trends and we move indi - our companies forward with things like technology improvements, security training, just it's painful to think how many hack stories are the result of phishing, you know, emails where someone clicks on a link and gets owned. I mean, that's so sad. And we - we're getting better at that, but it's - you know, that's so often a weak spot. But, again, we can make pro - and are making progress on those things. And I think this kind of service model cloud technology, the kinds of SaaS capabilities that Splunk and Dragos and others provide, where the same company that builds the thing and operates it for you, and you're just a user of that thing rather than an operator of something you don't really understand, those are all ways in which we're going to really decrease third-party risk.
Dave Bittner: Let's shift gears a little bit and address some of the questions that we've got coming in from folks who are in the audience. I'm going to start off - this is a question from Mike. He writes in and asks, "How will quantum computing affect IoT security, especially with PKI not being available?"
Mark Ryland: AWS has been doing a lot of work in the area of post-quantum cryptography, which I think is really what is at the heart of this question. On the assumption, which is probably reasonable, that there will be sufficiently powerful quantum computers that come online in the next decade or so that they could break the existing PKI or asymmetric cryptography, we need to get ahead of that problem and we need to develop cryptographic algorithms that are not trivially broken by such powerful future quantum computers. I mean, there's still some debate about how long that will be, and probably on the long tail of some bell curve there's skeptics that say we'll never get enough qubits to do these things. But, you know, I would tend not to bet against engineers. This has become - it's not really a theoretical problem so much as an engineering problem. So, we can kind of assume that's going to happen. So, we've actually done a lot of work. There's been a really good kind of international collaboration run by NIST for developing and standardizing post-quantum algorithms. And we actually have been very actively participating in that. We've actually implemented it as open source. Go to GitHub and download our free open source implementations of the two current sort of standardized post-quantum algorithms. Now, let's back up a minute. Even traditional TLS and traditional crypto can often be hard for small devices. They don't have a lot of memory, they don't have a lot of processing power. So, if you kind of look back in the kind of history of OT or IoT, you know, there were many years where we had a lot of just in-the-clear conv - you know, conversations where there was no TLS, no encryption, very, you know, weak security on the network side of some of these very small devices. We've made a lot of progress on that front. So, AWS, for example, some years ago, we hired the team behind the FreeRTOS open source operating system, which is used very broadly in small devices. 
So, even though it's still a full, you know, GPL open source technology, there's a professional engineering team at AWS that has been constantly working on that and improving it. And we added things like TLS, which it didn't have, you know, very carefully optimized C code to make it so we could - you know, a very small device could still have, you know, reasonable encryption, reasonable PKI; added things like over-the-air updates, which it didn't have before, which you really need in order to patch vulnerabilities. So, we've made a lot of progress, even on the very small devices, in making - and kind of bringing it into the modern era for secure network communication. Post-quantum will be another challenge because, you know, the computing requirements are often higher. So, there might be, you know, a kind of lag time or a legacy situation where if post-quant - you know, quantum breaking of, you know, network flows becomes a thing, then maybe there'll be some, you know, old devices out there that are hard to upgrade into this kind of modern world. But it is very much on the roadmap. And we have a line of sight to - you know, we're making a lot of progress on that. But it will - there are some - definitely some challenges there, especially in the case where you can't upgrade the hardware.
Dave Bittner: Hm. Mark, you know, what you say about the long tail of quantum, I can't help thinking about that old joke about fusion energy, you know, where fusion energy is always 20 years away no matter when you ask. And I don't feel as though we're on quite the same trajectory with quantum. But who knows? Right? And, as you say, we should be prepared for it. Let me move on to our next question here. This is from a listener named Bob who writes in and says, "What about having access control on the cloud versus hardwired? Our group has concerns about putting our access controls to plants in the cloud."
Mark Ryland: I mean, I can jump in on that. Amazon and AWS are, you know, a very large company with a massive amount of physical infrastructure, all the way from AWS data centers to Amazon fulfillment centers and so forth. And we run all of the backend security systems, as far as access control monitoring and management, you know, on a cloud platform. So, it works. Obviously, you - you know, there's lots of things you've got to be careful about. You might have a facility with, you know, maybe limited connectivity, or you're concerned about what if my network link goes down. So, you have local caching and you have local capability. And you can run for a while with - you know, in a disconnected fashion. That's a good insurance policy that you really ought to have in your architecture. But, certainly, you know, it works well, and you can get, you know, very, very good uptimes and very, very high availability using that approach.
Dave Bittner: Quickly, I'd like to go around the horn here and ask each of you just for some final thoughts, perhaps some take homes that you hope our audience brings with them. Mark, why don't I start with you?
Mark Ryland: These - this last round of questions was to me a good reminder. And I think I mentioned this early on, but one way we can all make, I think, rap - pretty rapid progress is to recognize that it's possible to leave some of the older technologies in place and kind of put a secure wrapper around that. So, for example, in the networking case, it would be, "Yeah, my on-prem or my OT devices, I don't give them direct access to a cloud environment. But I do have a smart gateway there that they communicate with and send their data to, et cetera." And that becomes the point of inspection, the point of logging, the point of monitoring. And I can have that kind of secure tunnel that doesn't require that I upgrade everything, but it allows me to gain a lot of benefits from an analytic or alerting or monitoring backend without that giant upgrade. So, I think that's an important thing. And I think some of the other things that we've talked about, you know, in terms of this integration that's going on, IT/OT obviously, but also on the security side, building security data lakes which allow our - my analysts and my machine-learning models to see a broader set of telemetry that gives me indications that I wouldn't see if they were siloed, as they typically have been over the years, over the decades, I think these are really important themes and an indication of where the industry is going.
Dave Bittner: That's Mark Ryland, director of the Office of the CISO at Amazon Web Services. Again, Mark joined us as part of a Dragos webinar in August titled "Securing Digital Transformation: OT Cybersecurity Innovation and Resilience." You can find a link to the full webinar in our show notes. [ Music ] Time for our "Learning Lab" where Dragos' Mark Urban and Kimberly Graham wrap up their conversation about the convergence of OT and IT. [ Music ]
Mark Urban: I am Mark Urban with another episode of the "Learning Lab" on "Control Loop." And, today, we're going to continue the discussion on convergence between OT and IT. When we had Rob Lee a couple episodes ago talk a little bit about convergence, he brought it into the SOC processes. And we'll revisit that, click down on that a little bit, but then also get an understanding about how OT can integrate with other infrastructure pieces that are traditionally found on the IT side. And, for that, I'm joined by Kimberly Graham, Dragos' head of Product. Kim, welcome.
Kimberly Graham: Thank you.
Mark Urban: So, we went through firewall, endpoint. One of the areas that - you know, I'm just kind of going through some of the cybersecurity stacks, intelligence is one of those, you know, typically with more mature enterprises they have, you know, an intelligence analyst team, right, that draws on information from third-party vendors to - you know, to assist, you know - find out what's happening in the world and bring that to inform the operations within. Can you talk a little bit about, you know, OT-specific intelligence and how that fits into, you know, that broader kind of intelligence analyst role?
Kimberly Graham: Sure. Yeah. So, when it comes to intelligence services and, you know, when you think of intelligence feeds and intelligence reporting, it's often very different, almost always very different between IT and OT. No matter what topic you're thinking about, the threat actors are different, the way that you even think about vulnerabilities in IT versus OT is different. Something may have a high CVSS score, but, in an OT environment, it's not something that an attacker would really take in the real world. IoCs are going to be different because the threat actors are often different. So, when it comes to tailoring feeds down to say, "Okay, this is specific to OT," it goes well beyond just even filtering an IT feed. You usually can't take an IT feed and say, "Well, filter it down to just something that's OT." It's usually not in there at all. So, you really have to start from the ground up when you're building these types of intelligence services with OT-specific information, leveraging OT experts that can contextualize that information, because some of the raw data will overlap. You know, a CVE is a CVE, but the interpretation of what that means in terms of impact is going to be different. It's going to be different than what the CVSS score says. The same with the interpretations of different types of attacks and behaviors and things that you see. So, when you think about an OT-specific feed, like WorldView, it is very tailored in all the reporting by OT experts in a very OT-centric way. And that is key to these types of intelligence services. You know, there will often be situations where someone will say, "Well, you have an intelligence service, that's great, that's IT. That's not going to help you on OT."
Mark Urban: Gotcha. So, I was just looking at - I think we tracked something like 20 to - 20 to 22, I lose track, specific threat activity groups who focus on industrial systems. And, so, those different kind of, you know - so, that's a whole world that's focused on OT and all the IoCs and all the tactics and - you know, a distinct world. Right? And you talked about vulnerabilities, you talked about threat behaviors earlier on, and that's - that all kind of - well, the vulnerabilities are just the nature of the equipment. And, of course, the tactics and the approaches are specific to those threat groups, but also specific to the equipment sets that are in there. So -
Kimberly Graham: Absolutely.
Mark Urban: Gotcha. And, so, we see - I think we see being able to take those feeds and is that where - I forget the - some of the names of their - but you can integrate - you know, there are integrators of intelligence feeds. Right?
Kimberly Graham: Yeah. So, there's different ways that you can leverage intelligence feeds. You can have a TIP, you can have intelligence feeds integrated into a SIEM and, you know, those are things that we definitely support through our WorldView offering. But even then, you really don't just want to have an OT threat feed in something like a SIEM or a TIP. It's great for little things like IoCs, but you're not going to get those behaviors, the ability to look into those. That's where you need a monitoring platform that's really looking more at the behaviors and less around, you know, what we consider raw signatures, IoCs and so on. But that's normally where you see those integration points. You tend to see deeper integration at the process level in things like IT service management, where you're thinking about things like ServiceNow to do synchronization of assets and consolidation. So, an OT monitoring platform can insert assets and vulnerabilities into something like a ServiceNow, and so can the IT system. So, a lot of the time, that's where you'll see folks stepping forward toward doing some sort of convergence: it's really centralization again of the process, to say, "Okay, let's get a centralized view of all of our vulnerabilities from the OT system, from the IT systems, all of our assets from both sides and so on." And even tying that into a TIP or additional threat intelligence so it can be really all in one place and consolidated. I think that is a good path forward. Now, I know, you know, ServiceNow being cloud does pose issues, but there's also on-prem options that do a very, very similar type of thing. So, it's not often - you know, while products like the Dragos platform provide direct integrations with different types of tools, sometimes it's a third-party tool that the OT system and the IT system integrate with in order to have that sort of information sharing as a go-between instead of a direct integration. 
And that's often where we see folks going, especially if they're okay with using cloud, like ServiceNow.
Mark Urban: So, that - okay, that - that's - I think that kind of pulls it together, because you're saying there is - these infrastructure tools like service management, intelligence platforms, endpoint platforms, firewall platforms that, you know, typically SOC processes that are in place on the IT side, yet they don't have all of the unique context of OT. So, you find something that specializes in that OT context and you integrate the processes, you integrate the tooling and, thus, a good measure of convergence with a good level of expertise on the OT side or the industrial control systems. Excellent. Kim, thank you so much for your insights. And to everybody at "Control Loop," thanks again for listening. [ Music ]
Dave Bittner: And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com. Sound design for this show is done by Elliot Peltzman, with mixing by Tré Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I am Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]