While many cybersecurity vulnerabilities exist, top priority should be securing those that give adversaries the potential to weaponize operational technology.
Discussing the results from the 2022 Dragos annual Industrial Cybersecurity Year In Review during a virtual media briefing on Feb. 8, company CEO Robert M. Lee said oil and gas industry cybersecurity defenders should focus on securing critical risks.
The annual review, released on Feb. 14, indicated the new PIPEDREAM malware has the ability to affect tens of thousands of industrial devices controlling critical energy infrastructure and reported an increase in attacks on the energy sector. In total, according to Dragos, ransomware attacks against industrial organizations increased 87% in 2022 over 2021; Dragos also investigated 27% more vulnerabilities in 2022 than in 2021.
When people are concerned about legacy equipment’s vulnerability and the possibility of opening the door to an operational technology (OT) breach, Lee said he asks whether replacing everything with all new and updated equipment would improve security.
“The IT security person generally wants to be like, yes, absolutely. But then you walk them through ‘what do we actually care about? What are the actual risks? What are the actual threats we see?’” it becomes easier to identify what should be the main priority, he said.
“We want to be really precise about the vulnerabilities,” Lee continued, “because a lot of them are not useful. A lot of vulnerabilities are not things that could even be weaponized by adversaries.”
For instance, he said, vulnerabilities without the ability to impact control and/or visibility are less critical than those that do.
“The way to look at risk is [what] we should take action on and how we take action on it,” Lee said.
Not all vulnerabilities need a patch, he added. Sometimes simply disabling the vulnerable feature or placing a firewall in front of it can mitigate the risk, he said.
Classifying adversaries
Dragos classifies attack groups as “stage one” adversaries if they are overtly trying to get into industrial networks but have not yet been successful, and as “stage two” if they have gotten into industrial control networks and are stealing intellectual property, developing targets, or taking potentially disruptive and destructive actions.
Of the groups that have been disruptive and destructive, there was typically a two- to four-year window during which they were getting familiar with industrial environments, Lee said.
“A lot of the groups that are stage one or groups that haven't even got into the industrial networks yet, a portion of them, a significant portion of them then graduate to those stage two actors, and a portion of those graduate to the ones that are actually doing disruptive and destructive effects,” he said.
On the other hand, Lee noted, the group behind the PIPEDREAM malware emerged on the global stage as a stage two adversary.
Chernovite is “a group that we weren't tracking. Nobody was tracking,” he said. “When they showed up, they were already a stage two actor capable of doing disruptive and destructive effects.”
In April 2022, Dragos and a partner announced the discovery of the PIPEDREAM malware, a cross-industry industrial control system (ICS) attack framework designed to target infrastructure across multiple industries. It is, Lee said, the first malware that could be disruptive and destructive in multiple industries.
“You could put it in a data center, you could put it in a wind farm, you could put it in an oil and gas refinery, you could put it on an offshore rig, you could put it [in] targeting drones and the control system, aerial packages and servo motors,” he said. “It is the first time we've seen something disruptive or destructive that is cross-industry repeatable, scalable. You can load this thing up and go.”
Prevention and detection
Historically, cybersecurity efforts focused on prevention.
“We've been telling asset owners and operators to put all their resources into patching, password management, secure mode access, identity access management, et cetera,” he said.
And those who follow that guidance “are not doing anything wrong,” but they are probably spending less than 10% of their resources on detection, response and recovery, he said.
“We definitely need to be encouraging folks to do the detection response piece,” Lee said.
Dragos tracks vulnerabilities that add new functionalities into the industrial environment that previously didn’t exist, as well as vulnerabilities that are actively being exploited by adversaries, Lee said.
When it comes to addressing vulnerabilities, Dragos recommends the “Now, Next and Never” framework.
According to the report, the Now category, 2% of the vulnerabilities in 2022, covers those that were perimeter-facing and network-exploitable. The Next category covers limited and possible threats that might be network-exploitable but require more work, access and knowledge for an adversary to exploit. Many vulnerabilities could be mitigated through updated firewall rules, according to the report.
In 2022, 95% of the vulnerabilities fell into the Next category, and Lee said these could be dealt with during maintenance periods. The 3% of 2022 vulnerabilities in the Never category pose a possible threat but rarely require action or prioritization; the report said they should at minimum be monitored rather than ignored.
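As an added illustration (not Dragos code and not from the article), the triage below encodes the Now/Next/Never buckets and the mitigation options the article mentions (a firewall rule, disabling the feature, patching in a maintenance window) and runs them over a constructed inventory of findings. The field names, the exact decision rules and the sample findings are assumptions; the article only gives the headline criteria for each bucket.

```python
"""Now / Next / Never triage of OT vulnerability findings.

Added example, not Dragos code. The decision rules are assumptions built from the
article's headline criteria: Now = perimeter-facing and network-exploitable (here also
anything already exploited in the wild), Next = exploitable with more work or access and
handled in a maintenance window, Never = monitor rather than ignore.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                         # constructed placeholder, not a real advisory number
    asset: str
    network_exploitable: bool            # reachable over the network at all
    perimeter_facing: bool               # exposed on an externally reachable segment
    impacts_control_or_visibility: bool  # could cause loss of control or loss of view
    actively_exploited: bool             # exploitation observed in the wild
    adds_new_functionality: bool         # introduces capability the process never had
    can_disable_feature: bool            # vulnerable service can be switched off safely


def triage(v: Vuln) -> tuple[str, str]:
    """Return (bucket, recommended action) for one finding."""
    if v.network_exploitable and (v.perimeter_facing or v.actively_exploited):
        # Reachable from the outside or already in use: act now, preferring a
        # compensating control that needs no process outage, then patch.
        if v.can_disable_feature:
            return "Now", "disable the vulnerable feature, then patch"
        return "Now", "add a firewall rule blocking the exposed service, then patch"
    if (v.network_exploitable and v.impacts_control_or_visibility) or v.adds_new_functionality:
        # Exploitable only with more access or work, or changes what the process can do:
        # schedule for the next maintenance window, with a firewall rule as interim.
        return "Next", "patch in the next maintenance window; firewall rule as interim"
    # Little practical value to an adversary: keep it on the watch list, no ticket yet.
    return "Never", "no immediate action; monitor for change in exposure or exploitation"


def summarize(vulns: list[Vuln]) -> dict[str, float]:
    """Percentage of findings per bucket, for comparison with a report's Now/Next/Never split."""
    counts = Counter(triage(v)[0] for v in vulns)
    total = len(vulns)
    return {b: round(100 * counts[b] / total, 1) for b in ("Now", "Next", "Never")}


# Constructed sample inventory (all values made up for this example).
SAMPLE_INVENTORY = [
    Vuln("EX-001", "plc-web-console", True, True, True, False, False, False),
    Vuln("EX-002", "hmi-remote-view", True, False, True, True, False, True),
    Vuln("EX-003", "rtu-protocol-stack", True, False, True, False, False, False),
    Vuln("EX-004", "eng-workstation-updater", False, False, False, False, True, False),
    Vuln("EX-005", "historian-dos", True, False, False, False, False, False),
    Vuln("EX-006", "local-privilege-bug", False, False, False, False, False, False),
]

if __name__ == "__main__":
    for v in SAMPLE_INVENTORY:
        bucket, action = triage(v)
        print(f"{v.vuln_id:7} {v.asset:24} {bucket:6} {action}")
    print(summarize(SAMPLE_INVENTORY))
```

The rules deliberately prefer a compensating control (disable or firewall) over an emergency patch for the Now bucket, matching the point above that not every vulnerability needs a patch; the `summarize` output lets a team compare its own split against the 2% / 95% / 3% figures in the report.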
Ransomware
Dragos reported an 87% increase in ransomware attacks in 2022 over 2021, with the manufacturing sector targeted in 72% of attacks.
“They're definitely going after manufacturing a heck of a lot more than electric and oil and gas,” Lee said.
And with that spike in attacks, Lee is seeing more manufacturers paying ransom. Whether to pay is not a clear-cut decision, he said, but he advocates not paying when possible.
Some groups, for instance, do return data in exchange for the ransom, while others do not.
“One of the things that's very common during ransomware cases is you'll work with the insurance companies that have brokers and those brokers will end up knowing and tracking the different groups and saying, ‘Hey, we've had experience with this group, you can pay them,’ or ‘We’ve had experience with this group, it doesn’t matter to pay them,’” Lee said.