Fears of cyberattacks on industrial control systems and critical infrastructure continue to rise, but Dragos' Robert...
Lee recommends pumping the brakes.
Dragos, headquartered in Hanover, Md., has recently emerged as one of the foremost authorities in industrial control system (ICS) security during a time when attacks and intrusions on critical infrastructure targets are becoming increasingly common. Lee, founder and CEO of Dragos, said that as ICS threats have increased, so too has overreaction and exaggeration of those threats from both the media and the security industry itself.
Speaking at RSA Conference 2018 in a session titled "Industrial Cyberattacks: A Quest for Nuance with Lessons from the Field," Lee urged restraint in discussing and responding to ICS threats. "The big-time challenge is, how do we highlight the risk and how do we highlight what's important to our community -- especially as it relates to cyber threats -- and how do we not scare everybody at the same time?" he said. "And that is a very thin line to walk."
In this interview, Lee explains why he's more optimistic about ICS security despite the increasing threats, escalating nation-state activity targeting ICS systems, the prospect of regulation for industrial controls and what enterprises are doing to address these threats. Here is part one of the interview with Lee.
In your conversations with different companies this year, do you feel like there's been a change in how they view ICS security and recognition that their systems are both insecure and major targets?
Robert Lee: Yes, there's a lot of traction and there's a lot of movement in that space. But one of the problems I see is a lot of the guidance they're getting is from IT security and best practices copied and pasted over to ICS. For example, there were people complaining to Schneider Electric about the need for them to make a more secure Triconex safety system after the Trisis attack. And while I agree that that would be nice, there was no aspect of Triconex that was insecure and would help that attack to take place. And a lot of the industrial attacks we're seeing can't be handled by an IT approach. And so expecting IT product security to be done the same ways for ICS is a little bit misleading. Should companies do more? Yes. Can they do more things that are reasonable? Yes.
But some things just don't matter as much. For example, in our 2017 research report, we highlighted that 64% of all vulnerabilities don't actually matter. It's not that they're not vulnerabilities -- it's that they're just non-operational to an adversary in that environment, which means that we'd need to be more careful in how we invest resources. It's one of the reasons I think we've taken a different approach than literally everyone on the market who says things like, 'Hey, let's do a machine learning model over network data and identify anomalies.' That's nice, but that doesn't actually work with ICS security. The reason we're unique is because we've taken a different, intelligence-driven approach. We say, 'OK, what are we actually doing? What are the threats actually doing? Let's learn from that and make sure we encounter the real threats and not just what we think they might be based off IT security.'
I imagine you're going to find a lot of vulnerabilities in older legacy ICS, but your point is that they don't increase an organization's risk profile.
Lee: Most of them don't. And so your ability to find vulnerabilities in industrial control is directly related to your amount of time to look. You can find as many as you like. But a significant portion of them in no way matter. Again, it's not to let the vendors off the hook. It's not to say that we shouldn't have secure life cycle development, and it's not to say that we don't need better product security. But it's not the glaring issue in the community. Largely the glaring issue is the ability to monitor and look in those environments for threats and to be able to respond to them after you find them. It's not an aspect of traditional product security. It's an aspect of understanding these are human adversaries and you want human defenders in a well-prepared environment to deal with them.
Have you noticed changes in the behavior of the threat actors since ICS security has become more of a public issue?
Lee: One of my concerns -- and I'm very careful not to hype things up -- is that I'm seeing a number of threat teams develop not only interest but capability to target industrial controls. And that number's already up to seven. Every year there's maybe one or two. If you look back to 2007, now we hear about one or two a year. We highlighted five in our 2017 threat report; now there are already two new groups this year [Editor's note: Dragos this week reported that one of the two, dubbed Xenotime, is behind the Trisis malware.] so we're up to seven already. I think what we're seeing is twofold.
As we look more -- and not to sound completely arrogant, but we're literally the only company in our space that has a dedicated ICS intelligence team -- we are undoubtedly going to find more threats, and it's going seem scarier. But at the same time we're actually seeing far more threats than we would expect, including new ones. And what I assess in that situation is that states are trying to get parity with each other. As one state develops the capability to target industrial controls and it gets advertised, another state says, 'Well, I want that capability too.' And so we're starting to see that parity escalation.
I was about to ask if there's been escalation with these attack capabilities. We've seen hackers copycat other successful techniques and attacks like cryptojacking, so is the same thing happening here?
Lee: Yes. And we're seeing these capabilities be a valuable tool on multiple levels. One, from an industrial espionage perspective, if you're going to steal the trade secrets of a company, it's not in their corporate networks. It's in their industrial networks, where it's going to be loaded onto those systems, and that's where you're going to want to steal data from. Two, from a policy perspective, one of the beautiful things about cyber-anything these days is its ability to be an organically covert capability that can influence policy. When you see sitting U.S. senators and congressmen publicly concerned about cyberattacks and infrastructure and they publicly say, 'We're super concerned about this,' and then a foreign state finds that they can just send a phishing email and influence policy changes [with those congressmen], that's an incredible amount of power. There's no way they're not going to take advantage of that.
On the policy point, some people have speculated or argued in favor of new regulations for ICS security. What do you think of that prospect?
Lee: I've heard a lot of people talking about ICS these days because it's the new cool thing, but they never walked in a power plant before. And so it's not to be dismissive, I'm just saying don't clump ICS security in with IT security. How many things like Gartner's Magic Quadrants do we see with ICS bundled in underneath IoT? ICS is completely different and needs to be treated as such.
To your question, regulations exist already for electric power. There are discussions for regulations in other industries, but I'm not so sure we'll actually see that. Bruce Schneier's point that we need to be part of the conversation [for government policy] and can't just sort of sit back is still very salient, but that also assumes that we are actually sitting back. There are a ton of people in industrial controls that are part of that conversation. The Edison Electric Institute is an entire trade organization dedicated to making sure that there's the right fit for policy and the electric grid.
Are you feeling optimistic about ICS security then? Do you feel like things are being addressed in a way that at least gives you some hope?
Lee: Yes. I'm an extremely optimistic person. I think we can actually do this. My general message to people is the threats are far worse than you realize, but they're not as bad as you want to imagine. There's a nuance between the 'Oh my god, we're all going to die' and 'Everything's OK, don't worry."' We're in the middle. Specifically, I'm seeing a lot of the major players in this space be able to make significant investments that would make it extremely hard for adversaries to do anything.
Rob Leefounder and CEO, Dragos
I'm really more concerned about the small to medium-sized companies. Your local co-op municipality and your mom-and-pop factory don't stand a chance of being able to invest at that level. The IT guy probably also mows the lawn on Friday at a small co-op. They're not going to be able to handle these threats. And I think this is where we need to see improvement. We had a meeting today with a variety of senior level government officials, and my position to them was they need to invest and offer incentives. Take half the resources they're dedicating to talking about the problem and just incentivize the sector to make security investments. You'd be surprised at the level of moving forward we can get.
For example, there was a grant-like program that the Department of Homeland Security ran. DHS went to infrastructure companies and said, 'Look, if you pick a technology and a security approach that works for you, as sort of this pilot, we will do cost sharing to help you scale out that choice.' So we had a customer, a global manufacturing firm, that was going to add new security tech in about 10 out of their 50 sites because they could only deploy to 10 with their budget. But with that grant, they were able to deploy to all 50 sites. They were able to make massive headway on security because the government offered incentives for them to be able to protect themselves, which I think is completely fair. The government should not be paying for Cisco network training for a company that wants to take advantage of networking. But when the Russian government is breaking into infrastructure companies, I think it's completely reasonable to provide incentives for the sector to deal with those threats.