In February 2023, cybersecurity company Dragos released its annual Year in Review report about the state of industrial cybersecurity and critical infrastructure. According to the report, 2022 saw a breakthrough in attacks on industrial control systems and the introduction of new malware, PIPEDREAM, that’s both scalable and cross-industry.
Industrial Cybersecurity Pulse recently talked to Ben Miller, vice president of services of Dragos, about the report and other trends in the industry.
The following has been edited for clarity.
ICS Pulse: Dragos released your Year in Review on Feb. 14 — nice little Valentine’s Day drop for everybody. What made you guys start the report? Why did you feel like there was a need for it?
Ben Miller: We’ve been running for six years now, and six years ago, it was a little bit of a different time. There are a lot of discussions on attacks around industrial security, a lot of anecdotes. Certainly, you had the S word, like Stuxnet. You had Havex. You had Ukraine 2015. But there wasn’t any data behind it. There wasn’t anything that you could really realistically measure and try and understand. So that was the very beginning of the Year in Review is just, “What data does Dragos have that we could provide back to the community?” In six years running, we’ve identified some trends and continuations of stories, and that’s really what the Year in Review is based off of.
ICSP: I can imagine it can be dangerous if this kind of information isn’t being shared. People are forced to go off of anecdotal evidence.
Miller: Yeah, it turns into ebbs and flows, like the sky is falling, or, no, the sky’s not falling. Everything’s fine. The realistic truth is somewhere in the middle there, and that’s what we’re trying to be able to illustrate with the data that we have, or tease out maybe if it’s one way or the other and let the data speak for itself.
ICSP: Your Year in Review report talks about how incidents of people targeting industrial manufacturing, industrial operations have gone up significantly. What is behind that trend right now?
Miller: Certainly, there are some sophisticated actors out there that we track and threat groups. We have 20 of them that we track that are focused around industrial environments and doing targeting around there. Then, the big uptick is, quite frankly, ransomware and the rise of ransomware that is focused on industrial customers, but not necessarily industrial environments. But the security posture of them allows the industrial impacts to still occur, move into the OT environments, and that’s the big concern there.
ICSP: In the Year in Review, you spend a lot of time on PIPEDREAM, so let’s talk PIPEDREAM for a second. Tell me what you found about this and how it was different from the kind of malware you have tracked before.
Miller: PIPEDREAM is unique in that it’s tailored toward industrial control systems. By that very nature, it is the tip of the pyramid as far as capability is concerned. But, over time, you’ll see the development of some of the malware. Crash Override is focused on substation automation and some of the protocols in there. You have TRISIS that’s really focused on safety systems with the Triconex systems.
What makes PIPEDREAM unique is that it’s going after software CodeAssist, which is deployed not only on one PLC (programmable logic controller). It’s something that’s saturated in the market. There are hundreds of vendors with thousands of product lines that are affected by PIPEDREAM, that PIPEDREAM could be reasonably used in those environments. So you’re impacting not one vertical, but many verticals, many different environments.
ICSP: One of the things Robert Lee, the CEO of Dragos, talked about was the fact that this is scalable. It could turn around quickly. Previous malware, if there was an attack on energy, it was probably tailored toward energy. It wasn’t going to be turned around to an automotive manufacturer the next day. How is PIPEDREAM different in that regard?
Miller: PIPEDREAM allows for the ability to deploy this sort of Swiss Army Knife tool across multiple verticals as you receive your targets, rather than coming from the other direction of, “I have a target. Let’s develop a capability there.” So it’s giving a lot of flexibility to the attackers, and, quite frankly, the attackers learn from each other, as well, so PIPEDREAM is the first. It won’t, unfortunately, be the last.
ICSP: Sad, but probably very true. People are going to a more homogenous infrastructure these days. Technology stacks are similar. How much has that impacted the development of PIPEDREAM?
Miller: [It impacts] some of the protocols and technologies like CodeAssist that I mentioned earlier, but you also have technologies like OPC UA that’s being utilized there. OPC is used everywhere, so that homogenous nature is really what’s being targeted in PIPEDREAM.
ICSP: While PIPEDREAM has gotten some press and people have talked about it, it seems like it has been a little bit undercovered given the scale and scope of what this thing could have been.
Miller: Yeah, absolutely. The community has always been focused on lessons learned from attacks and always wanting to get ahead of the attack. “Let’s do something before the attack happens,” and PIPEDREAM represents a great use case of we found this capability before it was actually employed out there in the community, and that kind of hit a flat note. “Well, it didn’t have an impact, so why should we worry about it?” That’s unfortunate because it’s a chance for us to actually learn and an opportunity where the defense got ahead of the offense, which is an amazing story.
ICSP: I know that’s everybody’s goal, to be ahead of the attackers. How did you and your partners actually manage to do it?
Miller: We have a variety of partners that we work with. They identified that something was off with PIPEDREAM, but they didn’t have the expertise to truly dive deep into it. They brought it to us. We were able to work with them with our research team, picked up a lot of gear, did a lot of analysis over months to prove out just what their finding was.
ICSP: What was PIPEDREAM going after? In other words, what could the results have been if people hadn’t gotten ahead of it?
Miller: The results are fairly straightforward in that it would really be able to deploy and have control of the industrial process, have an impact to the industrial process. From an impact perspective, it’s about turning a valve off that shouldn’t be turned off or creating pressure where pressure shouldn’t be, affecting the process at the end of the day. So talking about safety, you’re talking about environmental concerns, that’s the realm that PIPEDREAM’s playing in.