In February 2023, industrial cybersecurity experts from around the world gathered at S4 in Miami to discuss the future of the industry. Around the same time, Dragos released their annual Year in Review report about the state of industrial cybersecurity and critical infrastructure. So what are the cybersecurity trends we should expect to see in the coming year?
Industrial Cybersecurity Pulse recently talked to Ben Miller, vice president of services at Dragos, about the report and other trends in the industry. Listen to the full podcast here. You can read part 1 of the transcript here.
The following has been edited for clarity.
ICS Pulse: Dragos’ CEO, Robert Lee, often talks about the idea of chasing CVEs. There’s a million CVEs out there. It’s pretty easy to chase your tail if you’re trying to stop every one of those, but very few have been proven to impact operational technology (OT) systems. How do you get companies not to worry about every single CVE that’s out there and actually focus on the ones that impact them?
Ben Miller: I think you have to be level-headed on identifying the CVEs that actually have an impact to the mission, and the number of CVEs that have that impact are relatively small. We’re talking about 2% of the CVEs over the last year could have a significant impact, so instead of asking the facility to do something that’s impossible — “Hey, we’re going to patch your facility on a reoccurring basis going forward” — that is the antithesis of the mission of how they produce what they produce. So it’s understanding how to back into that and coming up with something that’s reasonable and effective at the end of the day.
ICSP: You also just have to take a risk-based approach for your organization. What are your vulnerabilities? What are the things that are going to impact you specifically?
Miller: Right. If there is a machine that’s sitting in your environment and you patch it, but you can issue an unauthenticated command and it has the same sort of remote code execution capability to it, did you solve anything? At the end of the day, it’s not about measuring how many vulnerabilities we patch; it’s about what the outcomes were from that. That’s really where the security teams need to mesh in with the operations teams to understand what that is.
ICSP: We’re here at S4. What are some of the big trends and the things that you’ve heard people talking about at this show?
Miller: I think a lot of the noteworthy conversation in the hallways is certainly around just that the size of the conference has grown substantially from last year. The amount of attention and focus this has across asset owners and the community in general is encouraging and something that, hopefully, will continue to develop as we move into not only next year’s S4, but the other conferences and see the involvement of the community.
ICSP: What do you want people to take from the Dragos Year in Review report you just put out? What are the points that people should remember out of this report?
Miller: There’s definitely a chance to learn from an attack that didn’t happen, with PIPEDREAM, and the capability that represents, but there’s also a lot of blocking and tackling that still needs to happen across all of our engagements. The four consistent findings have remained the same over the last four years. It’s about perimeters and weak perimeter control, the use of shared credentials between OT and IT and how that impacts third-party connections, lack of visibility into customer environments and understanding just what’s traversing across their individual OT networks — east-west, not just along the perimeter.
ICSP: Visibility is such a huge thing. It’s said a million times: You can’t protect what you can’t see.
Miller: Yeah, it’s ironic. SCADA is there to have visibility into the process overall, but not necessarily from a security perspective. The security now is going back to the basics of, “Hey, we need to have visibility into the functions that are underneath all of these systems.”
ICSP: If you don’t mind predicting a little bit, what do you think will be some of the big cybersecurity trends or stories of this coming year? I’m not asking you to see the future, but just from the work that you guys do at Dragos, what are you seeing?
Miller: On the regulation side, there’s a lot of things brewing. You have CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act), which is a law coming into effect. There’s still a lot of questions and a lot of things that need to be determined there. But you also have the national security strategy that is about to be released, and that’s going to have an impact on a lot of industries. I see that not only in the U.S., but also in Europe and some of the other areas. Just more and more regulations, discussions of regulations.
ICSP: I’m going to finish this by asking you for a reason for pessimism in the near future and a reason for optimism in the near future when it comes to industrial cybersecurity.
Miller: Pessimism — I would say there is an ever-growing trend line of more and more attacks and adversaries that are growing interested in the OT space. The advantage there is that it takes years for them to develop there. We started tracking three, I think, activity groups six years ago. Now we’re up to 20.
But on the plus side, the focus at policy level and within boardrooms is substantial. They’re not talking about IT (information technology) security. They’re not talking about cybersecurity. They’re talking about their operational technology, and they’re realizing that thing that they produce, whatever that thing is, has never had scrutiny from a cybersecurity perspective and is starting to get attention.
ICSP: There are several types of adversaries out there. There are cyber criminals, or people just looking to make a quick buck. They’re going to look at your system, and if it’s well guarded, they might jump to the next one. I assume the kind of things you’re looking at are mostly nation-state actors who are dedicated and trying to get into your specific system for a reason.
Miller: Not to discount the criminal groups out there with the ransomware. Really, the challenge there is anyone who’s potentially paying attention to your podcast and is in it, they’re probably in a good position to not have impact into their industrial environments. But those that are not paying attention, that’s where ransomware is going to have an impact, and that’s where we’re trying to get ahead of.
ICSP: Like you said in the review, if you’ve been paying attention, if you’ve been taking these basic steps, you’re probably OK, even from something like a PIPEDREAM. If you haven’t, you’re way behind now.
Miller: Yeah, absolutely. Absolutely. So it’s a question of understanding your investments, your resources, and pulling in the right people on the teams — having a discussion between your security folks and your folks that are running the operations. There’s a good story to be had there, but it’s a lot of discussions that need to occur to build that up.