Cyberthreats to critical infrastructure are on the rise, but that doesn't mean the U.S. is about to plunge into...
catastrophic blackouts, Robert Lee argued.
Lee, founder and CEO of Dragos Inc., which specializes in industrial control system (ICS) security and is based in Hanover, Md., talked at RSA Conference 2018 last month about recent attacks and intrusions on power grids and other critical infrastructure. While ICS threats and the capabilities of advanced persistent threat groups are growing, Lee explained the technical challenges of hacking industrial controls and why those systems are much different than typical IT systems.
In part one of the interview with Lee at RSA Conference, he explained why he's generally optimistic about the state of ICS security and how enterprises are making improvements. In part two, Lee assesses the latest ICS threats and how such threats can often be exaggerated or misinterpreted. He also takes issue with public cyber attribution, as well as the concept of hacking back.
Editor's note: This interview has been edited for clarity and length.
You've talked in the past about how the decentralized nature of the energy grid isn't something that lends itself to one attack spreading across a large region and causing a wide-scale blackout, for example. If it's smaller companies that are mostly vulnerable to ICS threats, does that also lessen the risk?
Robert Lee: Yes, but I wouldn't imply that attackers can only do the smaller ones. I'm saying I'm optimistic about the movement of all the other ones. But, to your point, what concerns me is not the Eastern Interconnection coming down. What concerns me is a 30-minute power outage in Washington, D.C. If a small municipality like D.C. has a 30-minute power outage, watch what happens to the political and regulatory landscape. And the knee-jerk reaction would cycle through the innovation in the industry for a decade. It's our own paranoia and fear that amplify anything that actually does occur.
But, again, there are global manufacturing companies that, before we walked in the door, were doing nothing [about ICS security]. It's not just that larger companies are doing well. It's just I'm optimistic about the traction I'm seeing in an industry that used to be very much stale.
But I'm also still significantly concerned and not super optimistic about what's happening with the smaller players. And that's where we do need to make investments and incentivize some of the movement that we're seeing pay dividends in the larger players. There's no reason we couldn't repeat that with the smaller players.
What were these companies -- big or small -- doing, if anything, on ICS security before you walked in the door?
Lee: By and large, most of them were doing nothing before. For the ones that were doing something, it was adapting IT security tools to try to fit into ICS, which largely led to a compliance-check-box kind of approach.
It was and is [really] just the basics, like network monitoring. But monitoring the industrial environment to look for threats is nowhere near wide-scale adoption. We see companies largely either doing nothing or adapting systems and technologies that weren't meant for industrial threats.
You've been a critic of how ICS threats have been exaggerated or overplayed. Not to pick on Symantec, but when you saw the Dragonfly 2.0 report detailing a new campaign against the U.S. power grid, and then the news headlines that followed the report, what was your reaction?
Lee: I very much like Symantec as a firm, but I significantly disagree with their assessment. First of all, they said Dragonfly 2.0 was the same adversary group as Dragonfly 1. That's why they named it that way. Our assessment is completely different. There are three distinct teams, not one, and that means a lot of difference in terms of how you defend against it.
And the second thing that I disagree with professionally was they had their technical people, who were then amplified by a lobbyist, sitting in front of Congress in an open hearing saying there were no technical limitations to causing significant damage to the American power grid. And that is not accurate to what the attack was. I looked at the data. We were tracking the threat before it was public, and that [statement] in no way aligned with the actual reality of the situation.
From what they were doing, could they have caused an hour power outage in D.C. or whatever specific companies they had been targeting? Yes. That sucks, and we have to take that very, very seriously. But could they have caused significant damage to the American power grid? No. It's not as easy as just flipping a switch. That's not accurate at all. That's not how that works.
But IT security companies generally view the hard problem as access, because in IT, that is the hard problem. You get access to a Windows system with all the sensitive data, and it's gone. Access is the problem in IT security. But access is just the beginning of the discussion with ICS. Once you actually have access to the equipment operating electric power, then you've got to figure out how to actually do it.
There have been times before where we've set like a pen tester down in front of electric equipment and said, 'OK, you have full access, physical access, make the lights blink,' and they weren't able to do so. I'm not saying it's not extremely doable, and there are adversaries that know exactly how to do it. But let's not conflate access as equating to damage for ICS.
When you look at the threat landscape and you see things like CrashOverride and BlackEnergy malware implicated in recent attacks on Ukraine's power grid, do those things concern you?
Lee: Absolutely. I think one of the unfortunate things is that a lot of American power companies put an amazing amount of effort on [ICS security] post-Ukraine, but for some of them, the idea is, 'Well, that's Ukraine. That's on the other side of the internet.' And that's not how this works.
To your question, I did a 'Little Bobby' comic specific to this issue. This is how much I think it's a joke at this point. The actors behind Trisis and the actors behind CrashOverride and the actors behind the 2015 [Ukraine] attack are different groups, and they have already targeted and gained access to infrastructure of the United States. They have not shown the intent to move past that and to commit disruptive attacks. But we can't say, 'Oh, yeah, we saw literally the same threats in another country taking down power,' and then say, 'Yeah, but that's over there.' You can't have that approach.
If it was a different threat actor and everything else, then maybe we could just be concerned and think about hypothetical scenarios. But when it's literally the same threat group, we should probably take that fairly seriously.
There's been a lot of talk about hacking back at RSA Conference. You've spoken out about this before.
Lee: It's stupid. It is absolutely asinine.
Were you surprised that there are people here and outside of the event advocating for hacking back?
Lee: I can appreciate why. The loud voices in the infosec community have made very inaccurate statements over the years. You have probably heard at some point, 'Well, attackers only have to get one thing right. Defenders have to protect against everything.' That's not true at all. That's not even close to true.
Technically, attackers have to do everything without being detected, and defenders only have to reliably detect one thing in the whole process. So, there's these clichés that have largely been done by the security industry to sell things that do not line up with reality. And so if you are an executive or a politician and you've been told time and time again, 'Defense fails, defense fails, defense fails,' well, you're going to say, 'Let's try something different,' which is hack back on offense. They're not doing it because they're malicious. They're doing it because they've been told for years that defense fails.
In reality, we've seen the exact opposite. Defense is winning and succeeding. Adversary dwell time, according the latest Mandiant [M-Trends] report, is way down from what it was 10 years ago. When you look at the ability to get an exploit on a system, you don't really get an exploit on the system anymore. You need a chain of exploits to get there. You have an NSA [National Security Agency] director [Mike Rogers] all but crying in front of Congress to get a backdoor in security products because of how hard it's become after they lost [surveillance] capabilities. Defense is doing extremely well.
It's not that I think those people who are recommending hacking back are stupid -- I think they've been misled. But the idea of hack back is extremely asinine. The idea that that is going to contribute to security at all is extremely silly. Forget the legal ramifications. Forget the fact that you may look like a foreign hacker to some other group while you're hacking back. Forget the potential collateral damage. It's just a poor security investment. When people are having trouble tuning firewalls or doing network monitoring, maybe investing in offensive capabilities is not the best return on investment for a company.
With escalating ICS threats and more groups with these capabilities, are we entering an arms race of sorts with critical infrastructure attacks?
Robert LeeCEO, Dragos
Lee: It's going to keep going back and forth. You're going have the industrial espionage take place and the trade secrets loss take place. All that stuff is going to happen, but the military aspect of it is concerning. And one of the other things that concerns me is intelligence teams preparing for potential military action that could be perceived as actually military action, or an intelligence team potentially making a mistake in sensitive infrastructure and causing what appears to be an attack. This is a very concerning area that we must address.
And also, if you look at the Trisis malware in Saudi Arabia, there's no polite or easy way to say it: Whoever designed that capability was intending to kill people. That should upset everybody around the world.
You've talked in the past about cyber attribution and how it can create problems. Is attribution harder for ICS?
Lee: If anything, it's probably easier because of the level of capability required to do certain things. It rules out some players. But attribution is not useful. Attribution is in no way useful for security. It's a political topic, but it distracts [from] the discussion on how to actually defend those systems. And it also causes issues to the private sector.
When the Department of Homeland Security announced that it was Russians breaking into routers, what they effectively did was have every single executive around the country spun up about Russian nation-state hackers instead of allowing the security people to actually address the security of what was mentioned in the advisory itself.
I would say not only is attribution not useful, it can also be very harmful. Now, if the government wants to take action off it, that's different. For example, if the government wants to impose sanctions against a country because they can move public attribution of cyberattacks, that's different. But if it's just to throw a name out, it's not helpful -- it's harmful.