Control Loop: The OT Cybersecurity Podcast 2.7.24
Ep 43 | 2.7.24

Operational Technology disruptions: An eye on the water sector.


Dave Bittner: It's February 7th, 2024, and you're listening to "Control Loop." In today's OT cybersecurity briefing, Volt Typhoon targets U.S. critical infrastructure. A ransomware attack against Johnson Controls cost $27 million. A bill would add ICS security to the President's Cup Cybersecurity Competition. Today, we have a special segment for our interview. Yesterday, Dragos CEO and founder Robert M. Lee testified at the hearing before the US Congressional Subcommittee on Cybersecurity and Infrastructure Protection. We share Rob's opening remarks. The "Learning Lab" features the conclusion of the discussion between Mark Urban and Strategic Accounts Director, Sam Van Ryder, about building community in OT. We'd love to know what you think of this podcast, and what you'd like to hear more about. Please take a few minutes to submit a survey in the show notes. Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing operational technology industry. [ Music ] Reuters reports that the US Justice Department and FBI disabled portions of a network of compromised devices that was being used by the China-linked threat actor Volt Typhoon to target US critical infrastructure. Volt Typhoon had been forming a botnet by compromising vulnerable devices including routers, modems, and IoT devices in order to hide later intrusions into sensitive targets. FBI director Christopher Wray told Congress last week that Volt Typhoon's activity is part of a wider strategy by the Chinese government to target US critical infrastructure, including the power grid, water treatment facilities, and pipelines in order to stage future destructive attacks. Wray stated, China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities. If and when China decides the time has come to strike, they're not focused just on political and military targets. 
We can see from where they position themselves across civilian infrastructure that low blows are just a possibility in the event of a conflict. Low blows against civilians are part of China's plan. Dragos CEO Robert M. Lee said in a media briefing last Tuesday that Volt Typhoon is also targeting US satellite and telecommunication networks. Lee said the threat actor consistently chooses industrial targets, goes after those targets, and plays this low and slow game. Lee also predicts that if criminals are able to obtain off-the-shelf malware that targets industrial environments, physically destructive cyberattacks will become much more common. Dragos has published a report on ransomware in the industrial sector during the fourth quarter of 2023, finding that the LockBit 3.0 gang was responsible for 25% of attacks against industrial organizations last quarter. Manufacturing was the most targeted sector, accounting for 66% of ransomware attacks with 135 reported incidents. But researchers note that business-impacting ransomware attacks in the fourth quarter of 2023 exhibited more severe impacts when compared to earlier quarters. A separate report from TXOne Networks on OT and ICS security warns that the recent accessibility of OT testbeds and protocols has aided malicious actors in the development of ready-made malware, opening the floodgates for cybercriminals who no longer need specialized training to conduct deadly attacks. The researchers found that 47% of organizations in the OT sector reported suffering ransomware attacks last year. While most of these incidents were against IT systems, 97% of the victims said OT environments were indirectly affected by downtime. The researchers note the inherent focus of the OT sector on automation compared to IT makes it more vulnerable to significant operational and financial losses, even from brief downtimes. 
This vulnerability has made OT industries particularly attractive to cybercriminals as the high cost of operational disruption increases the likelihood of ransom payment. Johnson Controls International disclosed in an SEC filing that a ransomware attack the company sustained in September 2023 has cost the company $27 million in expenses so far, Bleeping Computer reports. Johnson Controls stated, the cybersecurity incident consisted of unauthorized access, data exfiltration, and deployment of ransomware by a third party to a portion of the company's internal IT infrastructure. The company adds that it expects to incur additional expenses associated with the response to and remediation of the incident throughout fiscal 2024, most of which the company expects to incur in the first half of the year. These expenses include third-party expenditures including IT recovery and forensic experts, and others performing professional services to investigate and remediate the incident as well as incremental operating expenses incurred from the resulting disruption to the company's business operations. Schneider Electric has confirmed that its sustainability business division was disrupted by a ransomware attack, Silicon Republic reports. The company stated, from an impact assessment standpoint, the ongoing investigation shows that data have been accessed. As more information becomes available, the sustainability business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant. Bleeping Computer says the attack occurred on January 17th and involved the Cactus strain of ransomware. The US Treasury Department's Office of Foreign Assets Control has sanctioned six officials in the Iranian Islamic Revolutionary Guard Corps for their alleged involvement in targeting programmable logic controllers used by US critical infrastructure facilities. 
The Treasury stated, the United States is taking action against these individuals in response to IRGC-affiliated cyber actors' recent cyber operations, in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company. Industrial control devices such as programmable logic controllers used in water and other critical infrastructure systems are sensitive targets. Although this particular operation did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences. The US House Energy and Commerce Environment Manufacturing and Critical Materials Subcommittee held a hearing last week on cyber attacks on water treatment facilities, Industrial Cyber reports. Subcommittee chair Buddy Carter, Republican from Georgia stated, rather than responding to these cybersecurity threats with one-size-fits-all regulatory standards that are costly and require and assume a level of technological sophistication to operate and maintain, we must focus on ways to increase cybersecurity collaboration within the water sector and opportunities for the Environmental Protection Agency and Department of Homeland Security to work jointly with these systems to achieve higher levels of cybersecurity. Cyber threats are not disappearing and no amount of regulation, resources, or technical expertise can fully remove the threat. The US Senate Homeland Security and Governmental Affairs Committee has approved the Industrial Control Systems Cybersecurity Competition Act, a bill that would expand the President's Cup Cybersecurity Competition to include OT and ICS security. The bill will now be voted on in the full Senate. The annual President's Cup Cybersecurity Competition, held by CISA, aims to identify, recognize, and reward the best cybersecurity talent in the federal executive workforce. 
[ Music ] Dragos CEO and founder Robert M. Lee testified at the hearing before the US Congressional Subcommittee on Cybersecurity and Infrastructure Protection on February 6th, 2024. Here's Rob's opening statement before the committee.

Congressman Andrew R. Garbarino: Robert Lee is chief executive officer and co-founder of Dragos, a global technology leader in cybersecurity for OT. Mr. Lee also serves on the Department of Energy's electricity advisory committee, as a member of the World Economic Forum's subcommittees on cyber resilience for the oil and gas and electricity communities. He began his work in OT as a US Air Force cyber warfare operations officer to test the National Security Agency. Throughout his career, he has supported analysis of some of the most significant cyber attacks on industrial infrastructure, including the 2021 Colonial Pipeline ransomware attack. Mr. Lee, I now recognize you for five minutes to summarize your opening statement.

Robert Lee: Chairman Garbarino, Ranking Member Swalwell and members of the Subcommittee, thank you for providing me the opportunity to testify before you today. My name is Robert Lee, and I am the CEO and co-founder of Dragos, a leading OT industrial cybersecurity technology provider. Today, water utilities and other critical infrastructure organizations find themselves on the front lines, defending against both state actors and criminal groups. They face growing threats, most importantly to their OT or operational technology networks. These systems are the critical part of critical infrastructure. In 2018, I testified before Congress that Dragos tracked five state actors, specifically focused on OT networks. Today we track over 20 such groups, and my message has more urgency. My testimony focuses on three core points. First, there are fundamental differences between OT and IT networks. The biggest difference is the mission or business purpose of these systems. Generally IT supports how you manage a business, where OT is the reason the business exists. They're the specialized computers and networks that interact with the physical world around us, including things that control pumps, chemical levels, and so forth at water treatment facilities. OT security is also unique from IT security. Most of our standards and regulations and best practices simply apply IT security controls to OT without considering whether or not they should be applied. This results in wasted resources and operational disruptions. OT security instead should focus on unique OT controls and adopt from IT security only when it makes sense, such as those in the SANS Institute's ICS 5 Critical Controls. My second point is that the cyberthreat landscape for OT has shifted irreversibly. More standardized infrastructure has brought efficiencies, a homogenous infrastructure to manage. But it's also opened the door for reusable, scalable capacities that can be used across sectors. 
In 2022, Dragos worked with our partners, as well as closely with the United States government to identify and analyze a state actor capability on malicious software called PIPEDREAM. It was the first reusable capability to cause the ability for disruptive as well as destructive capabilities across industrial equipment. This class of capabilities will increase the frequency of high-consequence attacks we observe. There's a victory here as well. Dragos and its partners worked with federal agencies to report out to the broader infrastructure community prior to the capability being employed. It's one of the most significant public-private partnership blends of all time for OT security. My third point is that public and private sectors must work together to secure water security and water sector operational technology. For federal agencies, this means providing clear and consistent guidance to the industry that identifies specific requirements they need to support, such as realistic threat scenarios, and opportunities to exercise them. When it comes to regulation, the government must harmonize across frameworks, and use an outcome-based approach that defines why they are concerned, what the outcome is that we are driving towards, and leaves the how to the private sector. More simply stated, give us the requirements, not the answers. Government resources also should not be directed to programs that replicate technologies and services already available in the private sector. A good example is the Department of Energy's Cyber-Informed Engineering that operates in an area where there is no market and rethinks how we redesign the energy system to engineer out some of the cyber risk. The water sector resources need to be made available as well. 
As an example, at Dragos, we launched a program called the Community Defense Program, which gives all US-based utilities with under 100 million in resources and under 100 million in annual revenue free access forever to our tech and resources. And yet, most water sites will never be able to take advantage of this. Even something as simple as a $3,000 one-time investment at water utilities for basic hardware and networking gear is almost impossible due to budget limitations and overly difficult spending approval processes that aren't informed by appropriate cybersecurity knowledge. Taxpayer-funded government assessments or further federal investments to develop the next great technology acutely missed the need. Small municipal water and wastewater facilities need direct resourcing. In conclusion, I have so much optimism that what we all can do together will work. We know what to do. Oftentimes it's as simple as making it happen. However, a major shift must take place in order to solve the underlining economic issue that happens at our local water facilities. Together we can figure out a way to make sure that those bad actors do not impact our local communities. I would very much love for my children to grow up in a world with safe water and electricity. Again, we know how to do it. We must work together to get it done with an OT-first mindset, and all playing to our strengths. I sincerely thank the subcommittee for providing me the opportunity to testify today and welcome any questions or requests for additional information as we go on.

Dave Bittner: That's Dragos CEO and founder Robert M. Lee, speaking before the U.S. Congressional Subcommittee on Cybersecurity and Infrastructure Protection. [ Music ] On this episode's "Learning Lab," Mark Urban is joined by Dragos strategic accounts director, Sam Van Ryder, to conclude their discussion of building community in OT. [ Music ]

Mark Urban: Hi, I'm Mark Urban again with the "Learning Lab." Today, we're going to talk a little bit about community building in the cyber world, specifically for critical infrastructure. I'm joined today by Sam Van Ryder, who's a strategic account advisor here at Dragos. In your day-to-day, when you're talking to CSOs and security arc attacks, is that a lot of the education that you bring to them, even though it's their company -- your perspec- -- I mean, tell us a little bit about how that conversation sometimes goes.

Sam Van Ryder: There's a lot of different aspects of that conversation, and it kind of depends on the day and what the topic of discussion is. You know, it can go for everywhere from top-level of you levering the five critical controls for OT to, you know, building a program. Like if I'm going to, you know, deploy any sort of monitoring tech, how do I bring that into my SOC and how do I make that effective? Because you're talking about opening a floodgate to something that they may -- first of all, they may not understand; and b, they don't have the resources to address. So how do you edge into that slowly but surely? But it's also engagement into those communities. That's often where you start. Right where I say, hey look, you need to bring those donuts and tacos and whatnots out to the plant and have a conversation with folks, and get to know who's at the plant, you know, and what they do. I mean, it's part of understanding your business. And we've often done that well on the cyber side in other areas, in other industries. But when it comes to oil and gas and utilities and things like that -- it's getting a lot better, by the way. I don't want to say it's horrible or anything like that. There's amazing companies doing amazing things. But there's still a lot more work to be done. So it's really, you know, a lot of the conversations I have are, hey you know, understand the impacts of this. 
You know, when you talk about risk, I mean it's not just the cyber risk. It's these other pieces to the business that -- as an example, I had a conversation with a company some time ago, many years ago where -- and this is hard to hear, but the CFO has a number on a life. Like, they know what that costs the company. If somebody loses a life, they lose employees, they know what that's going to cost the company. And that's a hard reality of business. Don't get me wrong, they don't want to have to, you know, deal with that. But -- so the risk is usually in the favor of spending to prevent that kind of thing. This is why safety is such a big deal in oil and gas, and you get the safety briefings in the meetings and things like that. But those conversations can be all over the map. But at the core, we do talk a lot about where they stand today and where they're going, and making sure they're developing those relationships with the plants.

Mark Urban: As you were speaking, is it like a big haunted house in their town that they want to kind of unlock the door because they don't know what they'll find, or -- It's not universal, of course. There are people doing -- their organization is doing great things and making that protection. But you find that there's a resistance or just complete lack of understanding? How often do you run into that?

Sam Van Ryder: Well, I think a lot of times, it's historical politics. And when I say "politics," I'm not saying it's some nefarious grand scheme of company takeover stuff. It's more of hey, look. I'm a plant manager. I've run this plant. I have my KPIs. I do well with them. I'm reaching the KPIs. You know, we're getting the outputs done. We have a great safety record. Why are you trying to impose something else? That's on that side, now on the cyber side, a lot of the CSOs I talk to, they're starting to get their arms around what that means. What do these plants do? How do they engage? The ones that I see most successful, again come back down to developing those relationships with those plant managers, and making sure they understand -- because there's a history of cyber doing things that they probably shouldn't have in these environments, right? We all have a story of a scan that went bad and broke the PLC or something that impacted an environment's performance. You're going to have that plant manager saying no, you're not coming back in here to do this again. Because it impacts what we're trying to do as a business. So it does come down to the businesses at the end of the day, and you need to develop those relationships with those folks. So I don't want to say that they don't want to. They're eager to do it. But they're also -- you know, a lot of cases, they just need some guidance as to how to start that process. And it's super simple, actually, in my mind. It's developing the relationships. It's understanding who they are. And making sure you get what's important to them, because ending cyber at the firewall outside the plant isn't going to do it any more. We're way beyond that now.

Mark Urban: It's building that bridge, and making the relationships to better understand each other to then come to a reasonable approach to securing those very critical kind of environments. That's good insight, especially when you're in a day-to-day. As you look at the community, how has it changed in the Houston area over the last couple years, though, on the OT-focused side?

Sam Van Ryder: It's accelerated, and in a really good way. So we're seeing a lot more of these programs happen. We're seeing more -- and some of it's regulatory-driven. Like you have the TSA directives. You have, you know, in Houston, we actually have four major utilities that have presence here. So you have the NERC CIP regulations that have been around for a while. But those things also help drive awareness on both sides of the fence there. We've seen more -- I've seen colleges, for example, Houston Christian University, formerly known as Houston Baptist, has a great program on cyber engineering. And this is new for our community, but it's super important. It's teaching these kids a great path to get into the OT cyber world and do good things. So there's a lot more happening, and obviously at HouSecCon, we're doing our part to try to educate people and make sure that they're brought into the fold. There was a lot more awareness. The conversation I've had with CSOs that are further down the path than many others that I've talked to, that may not be in Houston, and it's our environment. Anybody that's gone down Beltway or on Hunter Ground Parkway on the east side of town, you look out there and see that sea of pipes and tanks and things like that, which is for me, an absolutely beautiful sight. That's a sight of productivity and energy and great things. We're actually now addressing it, and it's because people have driven the urgency. And whether that's from the board down, or just a general awareness, and the opportunity to build bigger programs and better programs, more efficient programs, I think that's a lot of a great challenge too. But if you talk about an energy company, they're going to put funding in those areas. Right? Those are core to the business, right? So it's a lot easier for somebody in an oil and gas company to get that than maybe somebody that might be in retail and needs to do building automation systems.

Mark Urban: If you were then to say that somebody is in a community, not Houston, that wanted to start to develop community, where would they start? Any thoughts on how they could get started in that area?

Sam Van Ryder: For me the easiest way -- it's going to come from things that already exist. So I always tell folks, and like when I talk to college kids coming out of school, or people wanting to join the industry, go join InfraGard. It's free. It's a way to meet local folks in your community. Find those people in those meetings that also have the same type of focus on OT and engage with them. It's usually easier to do this as a team. There are other elements like BSides that have playbooks. I mean, you could do a BSides that has an OT focus, or you could have some OT elements in it. I think if you're in a community that has a lot of cyber and doesn't have a lot of OT, you'd want to blend. But you want to bring that awareness. I think those are some of the easy ways to do it without having to spend a huge amount of effort and time, or money for that matter. There's some other smaller organizations that are out there too that are trying to help facilitate these conversations. Some of them are a little bit more pay-to-play type thing, membership type stuff. But there are other organizations you can join like ISA or CS2AI. Things like that that are out there that you can join to also get connected with folks. In my mind, I'm hoping that this OT-CERT con turns out well. We've already had people ask across the country if they could host something similar, and we'd love to develop the playbook and hand it off, kind of like the BSides and say hey, yes, you want this in Calgary? You want this in Atlanta? Great. Well, here's what you do, right? But I also encourage, you know, connect with us on HouSecCon, and I'm always out there, so love to have folks that have questions. I'm always open, and I love to hear from folks on LinkedIn and things like that. I'm pretty active there. But there's a lot of us out there in the community that want to see more people join. We know that this needs to grow. 
You see somebody talking about OT out there on social media, connect and ask questions. It's a great, great way to get into it.

Mark Urban: I think I'll make sure I mention right now that if you are an asset owner or operator, if you work on that side, Dragos also has a community-building OT-CERT, which is our Dragos CERT that's focused on OT. And we just announced, if you're a small utility that's struggling to get the equipment or software, rather, to help secure your facilities, Dragos just announced the Community Defense Program a couple weeks ago, and you can find more about that on or Community Defense Program. Sam, Houston, security, OT, community. Thanks for your time. [ Music ]

Dave Bittner: And that's "Control Loop" brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliot Pelzman, with mixing by Tré Hester. Our senior producer is Jennifer Iban. Our Dragos producers are Joann Rosh, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ] [ Tone ]