A look at a Whole-of-State cybersecurity strategy.
Dave Bittner: It's October 18, 2023, and you're listening to "Control Loop." In today's OT cybersecurity briefing, Microsoft on the state of OT security. Israeli and Palestinian hacktivist target ICS. Coinmining as an alleged, potential front for espionage or stage for sabotage. The EPA withdraws its water system cybersecurity memorandum. Colonial Pipeline says, "New ransomware claims are due to an unrelated third-party breach." Most organizations are struggling with IoT security. CISA views China as the top threat to US critical infrastructure, improving security for open source ICS software and CISA ICS advisories. We welcome our guest, Kuldip Mohanty, to the show. He's the CIO of North Dakota. We caught up with Kuldip at the CyberCon 2023 event in Bismarck, North Dakota recently. Kuldip shares how critical infrastructure is treated within the whole-state security strategy his team implements in North Dakota. The Learning Lab has the first part of Mark Urban's conversation about cyber threat intelligence with Paul Lukoskie, who is Dragos' Director of Intelligence Services. Microsoft's Digital Defense Report for 2023, in collaboration with researchers at aDolus looks at the state of IoT and OT security, finding that 78% of devices and industrial control networks contain vulnerabilities. Forty-six percent of these devices cannot be patched often because their firmware is no longer supported. Microsoft adds, "We found a significant lag between the availability of security fixes in firmware and their deployment on to the OT network. Although many of the PLC models showed a marked reduction in high-confidence exploitable CVEs from older versions to the newest versions, over 60% of devices were still running older versions of the firmware with eight or more exploitable CVEs. If the latest version of the firmware available for these PLC models were to be deployed, the number of devices with no known exploitable CVEs would increase from 4 to 40%." Cisco Talos has disclosed 10 zero-day vulnerabilities affecting Yifan YF325 industrial cellular routers that could lead to buffer overflows and remote code execution. According to Yifan's website, YF325 routers are widely used on M2M fields, such as self-service terminal industry, intelligent transportation, smart grid, industrial automation, telemetry, finance, POS, water supply, environmental protection, post, weather, and so on. All of the vulnerabilities were assigned a severity score of 9.8. Talos notified the vendor of the vulnerabilities in June and is disclosing the flaws in accordance with its vulnerability disclosure policy. Researchers at Cyber News are tracking targeting of industrial control systems by pro-Israeli and pro-Palestinian hacktivists. While it's not clear if any of these attempts have been successful, the researchers note, as per Cyber News's findings, some Israeli organizations are exposing their Modbus, a SCADA communications protocol. In fact, researchers found 400 such occurrences. Researchers also discovered that nearly 150 message-queuing telemetry transport ports remain open. This system is responsible for communication between manufacturing execution system and SCADA. When it comes to Palestine, its organizations are also exposing Modbus and MQTT, as well as Siemens automation and Symantec systems. Again, while hacktivist organizations have claimed to have executed attacks on ICS, those claims are, so far, at best, unconfirmed, and it's worth remembering that hacktivists are much given to exaggeration and self-promotion. For the most part, they'll tell you that, like Davy Crockett, they are half man, half horse, and half alligator, with a little bit of snapping turtle thrown in. Be alert to the risk but don't take the threats claims at face value. Coin mining is famously electrical and computational power hungry. It's now far advanced from the days when it might have been possible for some regular Joe to make money on his laptop. Coin mining operations are now effectively large, powerful, single-purpose data centers. Some of the mines are owned, sometimes via a series of cutouts by the Chinese government or Chinese corporations, and the US has begun taking note. The New York Times reports, in at least 12 states, including Arkansas, Ohio, Oklahoma, Tennessee, Texas, and Wyoming, The Times identified Chinese-owned or operated Bitcoin mines that together use as much energy as 1.5 million homes. At full capacity, the Cheyenne, Wyoming mine, alone, would require enough electricity to power 55,000 houses. The Wyoming mine is particularly interesting. It's situated between a big Microsoft data center that supports the US Department of Defense and FE Warren Air Force Base, the command center for US Intercontinental Ballistic Missiles. Microsoft warned the US Treasury Department's Committee on Foreign Investment in the United States last year of the threats such installations could pose. The mines are positioned to be able to collect intelligence on sensitive activity, and their consumption of electrical power is so high that they can stress the power grid or, by cycling that consumption, upset the balance on which a reliable grid depends. The prospect of destabilizing the grid is probably the more serious of the risks. Coin mines are largely unregulated, and US agencies are considering the possibility of prescribing how rapidly they can start and stop their active mining operations. Colonial Pipeline has shut down rumors that it was hit by another ransomware attack. FOX 5 Atlanta reports the record cites a Colonial Pipeline spokesperson as saying, "Colonial Pipeline is aware of unsubstantiated claims posted to an online forum that its system has been compromised by an unknown party. After working with our security and technology teams as well as our partners at CISA, we can confirm that there has been no disruption to Pipeline operations, and our system is secure at this time. Files that were posted online initially appear to be part of a third-party data breach unrelated to Colonial Pipeline." So the criminals are evidently lying, which, as Dragos CEO Rob Lee points out, should surprise no one. The US Environmental Protection Agency has rescinded a memorandum issued in March 2023 addressing cybersecurity for public water systems. Nextgov reports the withdrawal is the result of ongoing litigation between the EPA and the states of Missouri, Arkansas, and Iowa. The US Court of Appeals for the Eighth Circuit in July ordered a halt of the memorandum's enforcement after state lawmakers argued that smaller water suppliers lacked the resources to meet the requirements. Keyfactor has released the results of a survey conducted by Vanson Bourne, finding that 97% of organizations are struggling to secure their IoT and connected products to some degree. The researchers found that 89% of respondents' organizations that operate and use IoT and connected products have been hit by cyber attacks at an average cost of $250,000. Furthermore, in the past three years, 69% of organizations have seen an increase in cyber attacks on their IoT devices. Bloomberg reports that Scattered Spider, the ALPHV- affiliated gang associated with the ransomware incidents at MGM Resorts and Caesars Entertainment, is now believed to have also been responsible for the cyber attack against Clorox. The company has been concerned about the effect of the attack on its business since production of several product lines was interrupted during the incident. The Wall Street Journal writes that Clorox warned that the incident caused sales to fall between 23 and 28% for the quarter that closed on September 30. The company will also show a loss for the quarter. It had projected roughly $150 million in profit, so the cyber attack was clearly material under any construals of the SEC's new reporting regulations. The incident highlights how ransomware attacks against IT systems can indirectly impact industrial operations by inducing an organization to shut down systems out of fear of cross-infection. The US Cybersecurity and Infrastructure Security Agency considers China to be the top nation state threat to US critical infrastructure. Utility Dive reports CISA Director Jen Easterly said, at the Secureworks Threat Intelligence Summit, that China-aligned threat actors are focused on battlespace preparation against US infrastructure in case a military conflict breaks out. Easterly said, "Even if we are aware of this threat, it may be difficult to find these actors in our infrastructure, and so we have to work to ensure that our systems and our businesses and our networks are resilient." CISA, the FBI, and the US Department of the Treasury have released guidance on improving the security of open source software for operational technology and industrial control systems. The guidance provides recommendations for supporting OSS development and maintenance, managing and patching vulnerabilities in OT and ICS environments, and using the cross-sector cybersecurity performance goals as common framework for adopting key cybersecurity best practices in relation to OSS. The guidance sensibly makes safety a priority. That's entirely reasonable given the potential for an ICS incident to have kinetic effects that could induce unsafe conditions. Should a system come under attack, graceful degradation, for example, is one realistic option as are failsafe designs. Fail safe doesn't mean safe from failure. Rather, it means that if a system fails, it fails into a safe condition, as opposed to a dangerous one. The document also notes some of the ways IT differs from OT. Common best practices that have evolved to help secure IT can't always be applied mechanically or unproblematically to OT systems. Consider patching. Keeping patches up to date is always one of the first best practices recommended. Even with IT systems, it's not always quite so straightforward, with OT systems involving, as they do, even more complex dependencies, interaction with more legacy systems and the overarching importance of availability, it's a much more difficult proposition. And as the recommendations say, there is also a convergence between OT and IT proper, especially with respect to open-source software. The document contains a number of concise, yet actionable recommendations. It's worth your attention. Read the whole thing. It's just nine pages long and worth a close reading. And finally, CISA has released an ICS advisory for a vulnerability affecting Mitsubishi Electric MELSEC-Q Series PLCs. The vulnerability can be exploited remotely to cause uncontrolled resource consumption, resulting in resource exhaustion. CISA explains, "A remote attacker can send specific packets over several ports on the affected products that will result in an Ethernet communication crash." CISA released 19 more ICS advisories last week. Check out their website for the complete list.
Dave Bittner: I recently had the privilege of being a guest and speaker at CyberCon 2023, a cybersecurity conference hosted at Bismarck State College in North Dakota. Before the trip, I had heard that North Dakota had adopted an innovative whole-of-state approach to cyber. To learn more about that, I sat down with Kuldip Mohanty, chief information officer for the State of North Dakota.
Kuldip Mohanty: Security is a role that we, in the state, believe that it has to have a whole-of-state or whole-of-government approach. And the reason for that being this is a responsibility from the state government that we need to own, discharge the duties that it takes to deliver that robust approach. Then the posture that is required to do threat hunting or remediation of vulnerabilities or preparing that detection-response approach from a whole of state allows us to be consistent across all agencies, should there be a situation that we have to deal with in future. With our centralized organization, it also allows us to have one central IT capability, and security has to be a central capability because security is everyone's job. We got to enable that education training across the board. And that's kind of the whole-of-state security approach where we're starting with education, empowerment, understanding, and the deployment in a centralized way that allows us to know the threat hunting and the threat detection and then provide the response and remediation plans as and when it shows up.
Dave Bittner: What are the practical implications of that? I mean, when we look at North Dakota as a state, you have pockets of sort of centralized population, but then there's a lot of folks dispersed over a wide area. What does that mean for you in your responsibilities to protect them?
Kuldip Mohanty: If you think about, in all, the composition of our state is very rural in nature. With rural, it comes with lot of understanding or lack thereof in terms of what internet connectivity means, how easy it is to get framed in phishing attempts or ransomware attacks or what have you from a data-loss perspective, and many of our rural communities do not have the ability to even jump in and understand what security threat is. So with that whole-of-state approach, we have been good at developing the education, developing that broadband connectivity to allow people to connect to internet, but also having our state's net infrastructure, which brings everything together. Having the threat hunting at the place where everybody connects through allows us to be more responsive. Whereas net -- let's not just leave the responsibility back to the citizens. We have a responsibility for the state, and how do we discharge it in a more meaningful way?
Dave Bittner: What is your relationship with the leadership here in the state, the governor, the folks who, your representatives, who go to Washington? What's the interplay between you and them?
Kuldip Mohanty: We do interact with the legislature more on a frequent basis. Every quarter, we have an interim technology committee meeting that we sit together. I happen to be a citizen member of the Information Technology Committee, and that's an opportunity for us to really come and talk about state's aspirational plan around strategy, deployment, execution. In addition, talk about where we can make a difference and what sort of funding that would require for us to create that next frontier. And to us, it's more about building that relationship, building that art of possible journey map and also explaining the rationale behind why that art of possible journey map is something we should be on. And that was a journey that we took years ago, which allowed us to get to this whole-of-state security approach and being one of the leading forces in the country in driving cybersecurity and driving JC SOC implementation that allows us to bring that collaborative approach, to be the leading force in cyber, and also continue to keep that leadership position. Yeah, I mean, here at the conference, the presentation that you gave, I was impressed with some of the stats that you shared about how far ahead North Dakota is when it comes to connectivity to not just connecting people, but making sure that it's meaningful, that they have the speeds that they need to participate in today's community. I'm curious, are there things that are specific to North Dakota that present specific challenges? And are there things that are specific to North Dakota that also provide certain opportunities for someone in your position? Great question, Dave. I mean, the way I would address that is because we're rural in nature, the challenges are more about it doesn't impact them, so they don't care, or they shouldn't care, right? Knowing that dynamic, how do we get in front of it? So being small and being very dispersed, it also is nimble for us too. We can move mountains pretty quickly. Because of our density in certain larger metro areas, such as Bismarck or Fargo or Grand Forks, there a lot of smaller communities. And knowing the fact that getting that outreach out there to smaller communities, starting to educate folks around what cyber can mean and the events like CyberCon, or Cyber Madness that we do for high school students to bring that early awareness in cybersecurity and its importance and how it impacts everybody's life. Because that kid that comes to Cyber Madness competition goes and talks to the community or talks to the parents, and then word spreads. So creating that, you know, angels of information sharing through these high school kids and elementary school kids, that allows us to improve that, and the nimbleness comes to the process. Other thing is our PK-20W Initiative is really geared towards driving cybersecurity and computer science education. Now, you cannot graduate out of high school unless you have cybersecurity and computer science as two required course curricula in your high school process, and that's something I don't know how many states do it today. But that's where we're trying to push it from grassroots, not just a matter of talking about what is the art of possible from whole of state? But also change that momentum all the way to the communities so it becomes a sustained effort and continues to keep us ahead of the curve.
Dave Bittner: I really think that's worth highlighting in that whole of state means that you are reaching kids through their whole educational journey. And that has to really yield good payoffs for the -- for this next generation of citizens who are coming up.
Kuldip Mohanty: Absolutely, and if you think about the projection of jobs. Today, as I mentioned earlier today, there are 71, 73 million jobs are going to displaced, but there are 120 million jobs getting created. So how are you preparing the next generation of talent to be prepared to face the marketplace that they're walking into? Will the job is same as to what we are doing today? Likely not. There's a lot of automation, a lot of artificial intelligence, generative AI, which is going to take the mundane work out, which means you're more available to do more higher-value add work, and how are we training them to prepare for the next generation? And that's the call to action for many of the leaders to really think about what else can we be doing at a state IT level to enable that education, allow people to see the art of possible, and also, in the same vein, elevate and educate people to come on the journey and not show a hand up saying, okay, I'm not willing to go there because I don't know what to expect out of AI. The unknown is more scary than making it known, and our job is to make that unknown more of a known entity, whereby there's a lot more willingness than a lot of refuse.
Dave Bittner: When you're out and about speaking with the folks who have your job in other states, in the US, what are those conversations like? I mean, are there -- is there recognition out there that North Dakota is one of the states leading the way?
Kuldip Mohanty: We would like to think so. I mean, certainly I cannot answer what others are thinking about us, but we would like to think that we are one of the leading champions of this journey. And I'm very fortunate to have a governor and lieutenant governor who are very forward thinking as well. Our governor coming from technology sector allows us to be more thoughtful and more evolutionary in technology. And what's the value of tech in our business, which is our agencies where citizens come and consume services? And that's been the difference for us in really partnering and creating the collaboration with our agencies, understanding what business they are in, which is about citizen services, and how do we enable them to realize their citizens services in a frictionless manner by deploying technology in a meaningful way with a secure approach that keeps information secure at the core?
Dave Bittner: You know, when my producer, Jen, and I were getting off the plane here in Bismarck, one of the first things we saw was a poster on the wall that said coal and that it is a major energy asset of North Dakota. Can we talk a little bit about critical infrastructure, about what you all have to do to protect that aspect of the state's resources?
Kuldip Mohanty: Absolutely. I mean, if you think about our energy resources, whether it's coal or oil, you talk about critical infrastructure, meaning water infrastructure, we are extremely thoughtful about understanding what it takes to run that critical infrastructure. We partnered with the Department of Emergency Services to ensure that we have a whole-of-state approach to understanding the different threats that come into play. Also, mining data across multiple agencies, as well as multiple other providers of their security intel that comes into an aggregated process, whereby we'll look at the signals and threats and then have a response plan prepared. Those are monitored on a regular basis. In addition, we're putting AI-driven approach to threat hunting. So for example, if we see certain exposures, there is a team that quickly vets in and does incident analysis. Sometimes it is incident analysis that we can react or we should react to. Sometimes it could be just a threat that we can deter them right at the firewall itself. So there are things that we're doing from a critical infrastructure that is coal, oil. We are a energy-producing state. We got to protect that energy production, and we also want to continue to drive our carbon neutral footprint as we continue to drive that energy production. How do we get to that point? And our governor has a goal of 2030. We want to be net carbon neutral, which is amazing, and we're supporting that from technology as well.
Dave Bittner: Yeah. In your presentation, you highlighted that you have cameras all over your highways. And I think for folks like me who are from out of the state, it is hard for me to imagine the amount of weather that you have to deal with here with things like snow and the cold and the temperatures. I mean, that's part of critical infrastructure as well, managing that, and keeping your citizens safe.
Kuldip Mohanty: Absolutely. And in fact, we have an app that is deployed on the App Store. It is called North Dakota Department of Transportation app, NDDOT app. That gives you real-time traffic information across all the major interstates and the state highways. Every camera that is out there on our state infrastructure or infrastructure that feeds into that NDDOT app, which warns users of where construction zone is, where weather patterns are happening, or highways are getting closed within certain distances. That's a -- that's a very widely-used app in winter, as you can imagine, the number of hits. Because anyone who comes on the road, whether it's a truck that is driving through the state to go from one place to another, or there are citizens driving from Fargo to -- Fargo to Bismarck, it's a commonly used app that everybody uses. And that's what we're proud of because how do we take these different data points and give meaningful information to our citizens to react and respond to, whereby then are stranded? Because if they're stranded on a highway when it snows, there is no way out. You're stuck.
Dave Bittner: Right.
Kuldip Mohanty: And that's what we're trying to prevent from happening, and that is one thing we're very proud of.
Dave Bittner: What are your aspirations? I mean, as you look towards the future, you've accomplished a lot. But I'm sure, just in knowing you the brief amount of time I've known you, I think you want to accomplish more before your time here is done. What are some of the things that are on your list?
Kuldip Mohanty: The way I would start with answer, Dave, is it's about citizens. It's about businesses that transact in the state. How do we provide government services and bring that consumerization philosophy back into public sector? We all, as consumers, in our personal lives are used to certain kind of experiences, certain kind of behaviors that we see around us. Why can't we expect that from government? Why does government has to be so complex? Why do we have to go and live on a paper-based enrollment? And those are the things I think those are areas that we all can aspire to. It's not going to be a sprint. It's going to be a marathon. But if we have the right focus, right mindset, and the right talent, which happens to be the key to unlocking a lot of the future success, and an ecosystem of partners who are willing to come together to make that journey happen, nothing is impossible.
Dave Bittner: How do you describe your own leadership style with the folks that you work with here?
Kuldip Mohanty: It's about creating a vision and rallying the troops and getting to win the hearts and minds. It's not about because I said so. It's about the belief is the right thing to do and be a coach, be a mentor, be a teacher. And sometimes just listen because people come from different mindsets, different perspectives. You got to understand, acknowledge, and allow them to be who they can be and give them the platform to succeed. But provide them a North Star that they can match to, which may seem very daunting at times, but be there to support through the journey and provide that mentorship along the journey.
Dave Bittner: We're here at Bismarck State College, which is where the CyberCon is held each year. What's your advice to those upcoming students who are looking to find their place in cybersecurity?
Kuldip Mohanty: World is an oyster, and it's better to always start the journey with an open mind. Always be learning. Always be a student of life and student of what's happening around you. And learning never stops. I am still learning. For me, I took a leap of faith to come to government after 30 years, close to 30 years, in private sector. And every day is a new beginning. What happened yesterday will change tomorrow and then continue to learn and continue to grow, and keep that open mind and learning. You can learn from anyone and everyone that you walk into on the street. Just focus on that and continue to build that momentum. You will be successful. When you are down. Don't ever rule yourself out. Get up and walk again.
Dave Bittner: That's Kuldip Mohanty, chief information officer for the state of North Dakota. Our thanks to him and all of the organizers of CyberCon, especially Conference Chair Troy Walker for inviting us and being so welcoming.
Dave Bittner: It’s time for this week's Learning Lab with Mark Urban's conversation about cyber threat intelligence with Paul Lukoskie, Dragos' Director of Intelligence Services.
Mark Urban: Hi, this is Mark Urban with another edition of the Learning Lab, and today we're going to talk about threat intelligence for operational technology, and I'm joined today by Paul Lukoskie here at Dragos. Paul, welcome.
Paul Lukoskie: Thanks, Mark, I really appreciate the opportunity to talk about this.
Mark Urban: Cool. Can you -- can you start out with what do you do at Dragos? What's your title? What's your focus day to day, just to provide a little context?
Paul Lukoskie: Sure, I'm the director of our intelligence services, so more specifically our concierge intelligence team. Whenever you have a threat intelligence program, and you are providing threat intelligence to a number of different customers, you really want to try to operate on -- with the idea around the customer's different intelligence requirements. And when you have the deliverable, like our WorldView threat intelligence portal, and you have numerous customers that access the WorldView intelligence portal, it's hard to really get down to the nitty-gritty and really tailor the threat intelligence that we're producing to specific customers. So what my team does is we work directly with specific customers that have acquired our service, and we take the content that the -- is in the WorldView intelligence portal, and then we also work with the customer to develop unique intelligence requirements that are truly bespoke to their operational technology environment. And my team will go out and do threat hunting, research, and analysis, and in some cases, we provide a kind of like a trusted adviser capability for some different customers around certain things like we don't have any processes in place right now around role-based access control, or we don't have any policies right now around role-based access control for our OT environment. What does that look like? What should that look like? So my team kind of spans a lot of different skills and capabilities and deliverables to those different customers. And it's been going really great, and I can't wait to continue going and growing this.
Mark Urban: Well, let's start with is sort of the basic, and could you explain what is cyber threat intelligence kind of in the abstract?
Paul Lukoskie: Sure. There are a lot of misunderstandings about cyber threat intelligence. One example is that it's complicated, and it's only mature intelligence programs that are going to get the most out of cyber threat intelligence. I think some of that largely stems from the historically accepted concept that intelligence or threat intelligence is reserved for government entities operating in a classified environment with -- quote, unquote -- "secret" squirrel knowledge and visibility into adversary behavior. There's certainly truth to some of those sentiments. But the reality is that anyone can get started on cyber threat intelligence and get started on that journey because it is most simply defined as information that someone uses to make a decision around their cybersecurity posture. That could mean a lot of different things like internal training initiatives, budget considerations for technology solutions, strategic decisions around access control policies, or tactical initiatives, like which indicators of compromise to include in an organization's deny list.
Mark Urban: So cyber threat intelligence can be a very big tent, and it's often experienced in the world with, you know, lists of IOCs or indicators of compromise or bulletins around APTs or information around new vulnerabilities that have been discovered or, you know, campaigned. It can be very wide and specifically around, you know, kind of cyber threats, as well. If we look at so a threat intelligence is, you know, we've prepped some of these discussion, and this kind of just came up. So organizations, do they have like -- how do they consume threat intelligence from the outside world? Can you talk a little bit about how you've worked with customers, like kind of what they're doing with kind of information or intelligence that's coming from Dragos or another kind of threat intelligence kind of group?
Paul Lukoskie: Sure, there are a few kind of tried and true methods for consuming threat intelligence from external sources. Obviously, there's a very tactical method for using APIs and pulling indicators of compromise like, you know, malware file hashes, IP addresses, domains, URLs, things like that into an environment like a TIP. So like anomalies, ThreatStream is a really good example, or a SIEM, like Splunk, and pulling those things in and doing a lot of the -- what I consider to be block-and-tackle tasks. These are things that you just have to do if you are in a cybersecurity environment. So pulling those things in, deploying them across your environment, using detections to hunt for those things within your environment, and implementing those kind of network-based indicators like malicious IP addresses and domains into your firewall so that any inbound or outbound traffic to those malicious networks are blocked at that point. And then obviously, there are a lot of, you know, tasks that security engineers and security practitioners within those organizations will take to identify and mitigate against those specific threats. So that's kind of one area, and then there's the other that's requires a little bit more thought and a little bit more, you know, nuanced to how organizations think about and consume threat intelligence. And that's really where having an organization like the Dragos intelligence team can really be a benefit to companies because it can kind of help them put things into perspective. The cyber threat intelligence ecosystem is so large and noisy now, and I've been doing -- I've been in the threat intelligence and in the intelligence community for almost 16 years now, at this point, and it has gotten substantially larger and substantially more complex over the last probably five to six years, as more and more people want that cyber threat intelligence because of how available it is. You know, kind of to my point earlier, where I talked about how there's kind of this misunderstanding that threat -- or there used to be this misunderstanding that threat intelligence was really only reserved for, you know, highly classified three-letter agency environments within government organizations. You can build a really fantastic threat intelligence capability just by leveraging open source information, which anybody has access to. It's just in a matter of how you use it and the perspective that you apply when you are using it. When you have a threat intelligence vendor like Dragos, or any other vendor, really, those vendors have an obligation to make sure that their customers are, number one, understanding that there's a lot of noise out there and how they can cut through the noise to make sure that the most relevant information is being consumed by them. But then also, in a lot of circumstances, what it actually means for that particular organization. Because in many cases, consumers of cyber threat intelligence are not necessarily the immediate victims or have been immediately impacted by a particular threat. But maybe there's some element of relevance either based on industry footprint or regional footprint. And that requires that kind of like analytical tradecraft and historical understanding of those different threats, what those objectives are, and what organizations can use as kind of like standard mitigation and remediation tactics.
Mark Urban: Got you. Okay. So you talked about there are a lot of companies out there creating a lot of intelligence, and that's changed a lot over the last, you know, several years, last three, five years. One of the discussions we have leading up to this is that a lot of those companies are focused on IT threat intelligence. A lot of investment goes into protecting laptops and data, and, you know, the typical IT part. We focus on operational technology, or OT. Can you talk a little bit about the difference on -- about OT-focused threat intelligence, as compared to IT-focused threat intelligence?
Paul Lukoskie: So this is really relevant to me, in particular, in my career, because even though I have about 16 years in the intelligence community, a majority of that has been spent on the IT side, mostly focusing on cybercrime. Having the opportunity to come over to Dragos and dig into the OT side has just been really, really fantastic. So this topic is very near and dear to my heart when it comes to talking about threat intelligence and how we approach it differently. And what are some of the similarities between threat intelligence for OT and IT? First and foremost, the biggest difference is impact to safety and loss of life. Generally speaking, a cyber attack against an IT environment is not going to have those types of catastrophic downstream impacts. Successful cyber attacks against an organization's IT environment will absolutely have a negative -- will absolutely have negative ramifications on the -- on the organization in question like service disruption, loss of revenue, and reputation. But that's why OT cyber threat intelligence is so critical. And it's probably the first thing that anyone getting into OT cyber threat intelligence should learn and always have in the top of mind while researching OT threats is that this could have legitimate catastrophic downstream impacts.
Mark Urban: Just a refresher for the audience, operational technology are those, you know, those physical systems that run oil refineries or help to run a power production or electrical grids or oil and gas pipelines or, you know, production facilities and or production lines and manufacturing. So I think what you're saying, Paul, is that, you know, realize if there's an incident that impacts those types of things, right, there's, you know, potentially severe downstream consequences to environment, to safety of employees or the public, and especially to the revenue production of many industrial companies around that. So you're saying that the impacts of, you know, an incident in that world are one of the big differences. Like that's OT. And you know, versus the impacts in IT, which might be loss of data, some very important things, but just a difference in kind of impact complexity. Is that -- is that right?
Paul Lukoskie: Yeah, absolutely. And I would actually argue that OT-asset owners and operators have to deal with the same types of impacts that IT-assets donors -- IT asset owners do in the sense that a successful cyber attack against OT environments is also likely going to result in revenue loss and compromised accounts or sensitive information being stolen. Services could be disrupted. And all of those things absolutely can have negative reputational impacts like at a market base social level. So, you know, it's just that added layer on top of that, that, you know, a successful attack on OT environments can have physical impacts that could very quickly escalate into safety issues. And that's why like we always look at cyber attacks that have direct impact or target OT environments, and it really raises those stakes pretty significantly.
Mark Urban: So that's on the impact side. What about the actual sort of intelligence in OT? What's different in an OT kind of intelligence environment versus the IT?
Paul Lukoskie: Sure. So I think one of the biggest differences is that the IT environment requires constant patching and updating of operating systems and tools because so many different users access and leverage those systems every day to complete their respective daily business objectives. On the flip side, it's not uncommon to come across organizations with OT assets that are running on very old and very vulnerable Windows operating systems. OT security engineers and operators, they created those custom tools and processes based on those old systems. And if they were to update those operating systems, they'd have to completely redo those custom tools and processes. So a lot of times, organizations simply don't have resources or time to complete those updates. And it becomes even more critical to ensure that those environments are, you know, are segregated properly and have strong access roles in place. And all of that really plays into how we approach threat intelligence. For example, there are a lot of unique ICS protocols like Modbus and DNP3, and those don't exist in the IT environment. And generally, if we see an adversary that's specifically targeting an OT environment, it's often they have existing knowledge of how OT environments work. So, you know, for example, DNP3 or distributed network protocol could be used by adversaries to establish command and control capabilities because of its primary function is communication between control centers and downstream process automation systems. Another recent example of that would be adversaries leveraging Modbus. CHERNOVITE is a really great example of that. So CHERNOVITE is an adversary group that Dragos is linked with the PIPEDREAM attack tool suite. And we were able to investigate and analyze several PIPEDREAM components, including the EVILSCHOLAR malware, which could allow attackers to run queries against the OT environment and identify and access programmable logic controllers or PLCs and then use that with follow-on scanning activity, looking for vulnerable Modbus devices. And all of that to say that each one of those layers of that particular attack can be used for follow-on attacks, follow-on badness from those particular adversaries. So it's a very -- it's a very specific way of approaching cyber threat intelligence hunting, and we're looking for anomaly or anomalous activity involving very unique and very specific technologies, protocols, and processes.
Mark Urban: So there are specific like threat groups that focus on industrial? There are specific tools that are meant to take advantage of specific protocols? And you just named like DNP, Modbus, and there are hundreds of these industrial protocols with, you know, different networks, syntax, and kind of command structures that, you know, hey, if you are a specialized threat group, you look at those types of things. So it's a very different world than looking at a bunch of HTTP traffic in or DNS traffic or the things that are on the IT side. But you also talked about how, you know, vulnerabilities are different, that you can't patch everything in OT because, A, you don't have the time to really customize those systems and; B, you know, just applying a simple patch might cause shutting down of a particular -- a particular system that would basically be very disruptive to that plant or whatever. So interesting, a lot of differences from vulnerabilities to kind of network syntax to kind of tools associated that make OT a pretty specific environment. Is that a fair summary?
Paul Lukoskie: Oh, absolutely, germane to discussions around, you know, vulnerabilities. On IT side, organizations often have proactive patch management systems that can easily update and patch vulnerable software without too many impacts to an organization's day-to-day, right? On OT side, patching and updating software is much more arduous and requires more thoughtful planning because, in many cases, it means pulling those assets offline for a period of time and shutting down those ICS processes. And all of that can very easily be mapped to revenue and can also be easily mapped to many other things, safety and continuity of operations. This is one of the biggest reasons why it's common to find OT environments with several outdated and highly vulnerable software and operating systems. An example that I can quickly point to would be, earlier this summer, Dragos collaborated with the US government and Rockwell Automation on analysis of a vulnerability impacting Rockwell Automation's control logic communication devices. This is a widely-used OT technology, and the vulnerability impacted numerous organizations in manufacturing, electric, water, oil, and gas. But what made this situation all the more critical was that we were aware that known adversaries have the capability to exploit these vulnerable Rockwell devices. And we hadn't seen it in the wild yet, but the capability certainly exists. And if exploited, it could allow an adversary to remotely execute malicious code on those devices, establish persistence, and just, in general, cause a lot of badness in those environments. So what we're really seeing from a threat intelligence perspective in terms of the OT environment and vulnerabilities, really, if you think about the Rockwell vulnerability that I just mentioned and then also kind of think about PIPEDREAM just at large, pretty much all of 2022, we really doubled down and then covered PIPEDREAM substantially. But those are all really strong indications that adversaries are growing their capabilities and developing new techniques to specifically target an organization's OT environment.
Mark Urban: Got you. That's, yeah, a couple of good specific examples about the highly specific kind of focus and tool sets and threat groups and control logics in PIPEDREAM, and I'll actually put in the show notes a link to -- I think we probably have blogs and or on-demand webinars for each of those. So I'll have those added to the show notes if people have some interest in understanding, hey, here's the application of what we're talking about that could be impactful to your specific environment. You mentioned those too, control logics in PIPEDREAM, which impacted, I mean, control logics was just about Rockwell. PIPEDREAM was about multiple technologies and multiple kind of protocols that had reach into millions of different devices. So two great examples to, you know, the application of threat intelligence in the real world. Excellent. Ladies and gentlemen, Paul Lukoskie, part of Dragos threat intelligence team here focused on the OT side of threat intelligence, and that'll be a wrap for today's Learning Lab on threat and intel, all thanks very much.
Dave Bittner: And that's "Control Loop" brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at the cyberwire.com. Sound design for the show is done by Elliott Peltzman with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rush and Mark Urban. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
