How Dragos Uses AWS to Empower Collective Defense for Industrial Control Systems (ICS) and Operational Technology (OT)
Industrial companies are increasingly focused on high-profile cybersecurity incidents caused by ransomware and targeted attacks. Government policymakers and regulators around the world are taking an interest. Corporate boards are asking executives about the strategy to maintain reliable, secure operations, including for their operational technology (OT) and industrial control systems (ICS). This blog discusses the importance of visibility into the threats and risks to ICS/OT and the need for actionable intelligence to disrupt the tactics, techniques, and procedures (TTPs) employed by adversaries. It will challenge your assumptions about cloud technology and illustrate its essential role in the collective defense of critical infrastructure systems and in improving security outcomes. This case study on Dragos’s Neighborhood Keeper reveals that shared threat intelligence on the AWS Cloud without requiring the identity of participants who share their information improves cybersecurity for ICS/OT system operators.
What is OT?
Operational technology (OT) comprises the assets, systems, and networks vital to the mission-critical infrastructure of a country or organization. Industrial control systems (ICS) are the subset of OT systems used to monitor and control industrial processes. Technical teams often group assets into information technology (IT) and operational technology. In reality, however, OT consists of a varied set of devices, networks, solutions, operating systems, platforms, and functions, each with differing operational considerations and security mitigations. OT security is too often overlooked or misunderstood even though Gartner finds, “OT systems are the crown jewels for the organization…core systems for value and revenue creation. If they go down, they cripple operations…”
Air-gapping is a Myth
You’ve likely heard about technology trends like IT/OT convergence, digital transformation, and Industry 4.0 being the wave of the future, but you might be surprised to learn how intentionally interconnected modern OT networks already are today. Traditionally, heavy segmentation, or “air gapping,” was the strategy for industrial control systems. That strategy has become obsolete, if it was ever fully in place, with the gradual introduction of human-machine interfaces (HMI), vendor access for maintenance, and the introduction of IT devices into OT systems, among other changes. Many still think air gaps are in place and are generally effective, but real-world data suggests they are not. Security assessments performed by Dragos in 2020 showed that 100% of the externally routable network connections to ICS environments that Dragos discovered were believed by the client to be air-gapped.
Increasing Visibility to Improve Resilience
Valuable information lives within OT systems that, when shared, can empower organizations to protect, detect, and respond. However, data collection is often limited within power and utility operators due to incompatibilities between ICS/OT systems and cybersecurity technologies, or misunderstandings between the people in the organizations operating them. OT data can also be tricky to collect. Many OT systems and devices, by the nature of what they do and where they do it, are dispersed across the enterprise architecture. They reside in the field, at the plant, in control rooms, in data centers, or at other points along the operations path. Responsibility for these systems is often dispersed across various business units, physical/geographic locations, and operators. Once a utility operator collects the data, it is difficult to share and analyze that information between internal teams, never mind with external parties, due to information security policies or other business and legal concerns about disclosing cyber event details. These challenges present an opportunity to improve the timely dissemination of data on how to detect, prevent, and respond to cyberattacks.
Solving the visibility challenge is foundational to improving the resilience of operations, a key goal across the utility industry. Without visibility into OT network traffic, it is impossible to truly understand the security posture of the system and devices running your operation. Concurrently, critical infrastructure information must be protected from potential adversary reconnaissance. It’s not just about detecting attacks; it’s about keeping your defenses strong. Preventative controls often atrophy over time, and they must be monitored on an ongoing basis and backed up with responsive strategies. At a recent Edison Electric Institute event, utility CEOs discussed how government and industry can work together to achieve better collective outcomes with information sharing partnerships across utilities and the US federal government using Neighborhood Keeper.
Security as a Team Sport: Solving the Collective Defense Challenge in the Electric Sector
Combatting ICS/OT cybersecurity threats requires not only visibility of OT environments across the community but also a method to share actionable cyber threat intelligence more quickly across and within the private sector. Dragos recognized these necessities and built Neighborhood Keeper in collaboration with the US Department of Energy (DOE), Idaho National Laboratory (INL), and the Electric Information Sharing and Analysis Center (E-ISAC).
Neighborhood Keeper introduces a novel approach to the challenge of information sharing. In traditional information sharing programs, participants are required to share their data with central groups such as ISACs or government agencies. This traditional approach poses data sharing sensitivity issues because the information may be in scope for NERC Critical Infrastructure Protection (CIP), because it concentrates security risk (if the entity collecting all of the data is compromised, the data is available to adversaries), and because the reporting participant’s identity is tied to the data, meaning that discoveries cannot be reported anonymously.
In Neighborhood Keeper, the model is reversed. Instead of centralizing the data and then asking questions about it, the data stays at the participants’ sites, and the questions are federated out. All the data is stored on-premises in the participants’ networks. Dragos and the E-ISAC can ask questions of the data that participants have made available to Neighborhood Keeper and receive “Yes” or “No” answers back. No sensitive data such as IP addresses, raw logs, packet captures, or file names is ever shared with Neighborhood Keeper or leaves the customer’s site. Further, the participant’s identity cannot be cryptographically recovered from the insights, so participants always remain anonymous.
Neighborhood Keeper addresses the challenges of defending in isolation, such as shortages of security professionals, security team isolation, and intelligence sharing latency. Though they are all interconnected to the same power grid, not all US electric sector entities have the same resources to combat cyber threats. Many smaller power and utility companies have limited in-house staff, skills, or capacity to deploy and manage detection and analysis infrastructure on their own. As a result, potential security threats and vulnerabilities that impact the entire electric sector can go undiscovered. Likewise, government (DOE) and commercial entities (E-ISAC) are empowered to help, but they lack an unassailable method to engage. Neighborhood Keeper allows trusted advisors such as E-ISAC and the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) to provide intelligence to anonymous participants, and small players can leverage community insights from trusted advisors and larger companies. Neighborhood Keeper provides infrastructure beyond an individual organization’s current capabilities or ability to acquire intelligence independently.
By joining Dragos Neighborhood Keeper, each participant’s defensive capability is made stronger than what they can achieve on their own, whether a large investor-owned utility or small co-op.
How it Works: Dragos Neighborhood Keeper on the AWS Cloud
Visibility into your own environment. Asset owners deploy the Dragos Platform technology in their ICS/OT environment to gain visibility into their assets, cybersecurity threats, and response guidance. By opting into Dragos Neighborhood Keeper, participating utilities can anonymously share insights with the community. When threat detections arise, all customer-identifiable or potentially sensitive data stays with the customer, and only non-attributable metadata is shared. The participant’s identity is not known to other participants and is cryptographically irreversible, removing sensitivities around regulatory data protection, information access, or information sharing.
Community-level Insights. Dragos Neighborhood Keeper receives the anonymous metadata and shares detections and insights across the community to inform on what is occurring elsewhere. Participants gain an understanding of the prevalence of adversary methods, vulnerabilities, and risks which can then be used to amplify and inform their own security efforts.
Enabling Collaboration. In addition to having community-level insights, trusted advisors of Neighborhood Keeper, such as E-ISAC, can message participants whose identity is unknown to them. Trusted advisors do this to provide insights into trending threats and observations based on metadata within Neighborhood Keeper. Trusted advisors can also propose new analytic content to be distributed to all Neighborhood Keeper participants. This enables query-in-place functionality: only the metadata, the “yes” and “no” answers, is returned from the Dragos Platform deployments. Participants may also anonymously make an encrypted request for assistance from other members and trusted advisors if and when they require specialized and dedicated support for suspicious activity in their environment.
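The query-in-place model described in the three steps above, as an added illustration that is not Dragos code: each site evaluates a query against data it keeps locally, returns only a yes/no answer, and identifies itself with a keyed-hash pseudonym whose key never leaves the site, so the aggregator can count prevalence but cannot recover who answered. Site names, detection identifiers, and the pseudonym scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets


class ParticipantSite:
    """One participant's on-premises deployment (constructed for this example)."""

    def __init__(self, name: str, local_detections: set[str]) -> None:
        self.name = name                          # real identity; never transmitted
        self.local_detections = local_detections  # raw findings; never transmitted
        self._key = secrets.token_bytes(32)       # site-held random key, never shared

    def pseudonym(self) -> str:
        # HMAC-SHA256 of the name under a secret key: stable for this site, but
        # without the key the name cannot be recovered or guessed from the tag.
        tag = hmac.new(self._key, self.name.encode(), hashlib.sha256)
        return tag.hexdigest()[:16]

    def answer(self, query: str) -> dict:
        # Query-in-place: evaluate locally and emit only non-attributable metadata.
        return {"participant": self.pseudonym(), "match": query in self.local_detections}


def federated_query(sites: list[ParticipantSite], query: str) -> dict:
    """Fan a question out to all sites and aggregate the yes/no answers."""
    answers = [site.answer(query) for site in sites]
    hits = sum(1 for a in answers if a["match"])
    return {
        "query": query,
        "responses": len(answers),
        "hits": hits,
        "prevalence": hits / len(answers) if answers else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample community: detection IDs are placeholders, not real analytics.
    community = [
        ParticipantSite("Large IOU", {"ANALYTIC-A", "ANALYTIC-B"}),
        ParticipantSite("Rural Co-op", {"ANALYTIC-B"}),
        ParticipantSite("Municipal Utility", set()),
    ]
    print(federated_query(community, "ANALYTIC-B"))
    # e.g. {'query': 'ANALYTIC-B', 'responses': 3, 'hits': 2, 'prevalence': 0.666...}
```

A site with nothing to report still answers “no”, so the community learns the denominator as well as the hit count, and every response carries the same two fields regardless of what the site holds.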
Dragos Neighborhood Keeper leveraged the agility and scalability of AWS to create a collective industrial cyber defense and community-wide visibility solution that rapidly shares threat intelligence across industries and geographic regions. AWS Cloud technology is essential for Dragos Neighborhood Keeper to ingest volumes of data from various OT devices and sources across geographies into a single centralized data lake.
AWS tools support the Dragos Platform’s ability to identify threat behaviors (rather than just simple signatures) and signals present in the noise. These are unique events that could signify a targeted attack, or related events that could signify an attack on a country or sector. More importantly, AWS offers agility and elasticity so data can be analyzed at scale across a global cohort of participants. Data on AWS is encrypted both in transit and at rest, and participant data never leaves the AWS Region they selected. Specifically, AWS Managed Services such as AWS IoT Core, Amazon S3, and Amazon OpenSearch Service (September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service) provide unparalleled scalability, security, and reliability to Neighborhood Keeper.
You’ve learned how the AWS Cloud empowers a community-led approach to protecting the OT systems powering our day-to-day life from adversaries that want to cause disruption and harm.