Scoping Security in Industrial Control Systems

The 2015 cyber attack on the Ukraine power grid was the first of its kind. After what had to be an exhaustive reconnaissance mission, state actors gained remote control of three regional power distribution centers in Ukraine and opened circuit breakers at around 60 substations, de-energizing them. This marked the first cyber attack to cause an electric power outage, and it denied power to more than 230,000 residents.

This cyber attack sent up warning signals around the industrialized world: Who was behind this? Could this happen here? How did the attackers gain such extensive knowledge of the industrial control systems (ICS)? In the US, cyber security professionals and power companies were particularly worried, considering that the same style of cyber attack could also impact the various US electric grids. One person who wasn’t surprised at the success of this attack was Robert M. Lee, now the Founder and CEO of Dragos, a well-known ICS and OT security provider.

At the time of the Ukraine grid attack, Lee had recently left the military where he was working as a Cyber Warfare Operations Officer for the US Air Force. Much of his time had been spent working for the National Security Agency (NSA), finding state actors focused on ICS who hadn’t been tracked previously and learning their capabilities—now known as threat hunting and cyber threat intelligence.

Prior to 2015, Lee’s technical success had propelled him into strategic conversations with government officials and prominent private sector companies. What he'd learned was that ranking officers in both types of organizations didn’t fully understand the scope of the cyber threat in the industrial space, and both believed they had a better grasp on, and more control of, the situation than they actually did. They’d fallen into two traps: First, asset owners believed they could “just” take IT into industrial environments and run it “as usual,” and second, the government thought it had more data, knowledge, and provenance over ICS than it had.

Chasm of misunderstanding

In the aftermath of the Ukraine attack, Lee realized the chasm of misunderstanding. Very few people understood how cyber attacks on ICS worked, and even fewer had capabilities to build systems and strategies to counter the reality of such an attack on US-based systems. Before the attack, Lee told me and Ed during a recent conversation, he thought he’d continue his path of teaching cyber security students at the SANS Institute where he had authored the ICS Active Defense and Incident Response course. “I had no idea I’d start a company. I thought I’d ride off into the sunset and be a teacher.”

But the mismatch was too big and the consequences of an attack against the US power grid too grim, so Lee started Dragos to “centralize as much talent in the ICS space as possible to make the best technology.” Although Lee says that today most people in the security industry view Dragos as a professional services firm, they’re really a platform company with a professional services component. “Our number one goal,” he said, “is to protect civilians who depend on infrastructure every day. The best way to do that is to have first-hand knowledge of ICS and ICS threats and to build technology—using that knowledge—that allows ICS operators to deal with threats.”

The Dragos Platform is a virtual network appliance that provides visibility, detection, and response capabilities for industrial environments. It can be deployed on-premises or in the cloud (managed hosting is available, too). After deployment, the sensors “hoover up data,” analyze protocols, and provide visibility and a topology map. “We start with visibility,” said Lee, “because that’s where you always start. But when CISOs in ICS see everything they have, they’re overwhelmed. We have to go in and educate them on how to bridge the IT/OT gap.”

After initial mapping is complete, the platform runs continuous deep packet inspection on more than 130 ICS and IT protocols, along with host logs, controller events, and more. In parallel, it runs threat analytics to identify suspicious activity and threat patterns the team has seen before; when an analytic fires, the platform raises an alarm and issues a playbook with a step-by-step guide for investigating it.

Chasing TTPs

The secret sauce to the Dragos Platform may be the threat information fed into the system by the company’s intelligence team to ensure the platform is always up-to-date, contextualized, and prioritized so users don’t go chasing idle threats. The way it works is: Dragos’ Industrial Hunters team tracks threats to learn attackers’ tactics, techniques, and procedures (TTPs). Those TTPs are turned into threat analytics for the Dragos Platform and provided to customers on a continuous basis. The analytics also become threat intelligence reports for customers of Dragos’ WorldView intelligence offering so that asset owners and operators can gain situational awareness of what’s happening outside their networks.
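As an added illustration of how a threat analytic turns a known TTP into an alarm with an investigation playbook (example code written for this article, not Dragos Platform code): the analytic below flags BREAKER_OPEN commands reaching many distinct substations within a short window, the pattern behind the 2015 Ukraine outage described above. The controller-event log, command names, threshold and playbook text are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed controller-event log (timestamp, substation, command); not real telemetry.
EVENTS = [
    ("2024-01-01T10:00:05", "SUB-01", "BREAKER_OPEN"),
    ("2024-01-01T10:00:07", "SUB-02", "BREAKER_OPEN"),
    ("2024-01-01T10:00:09", "SUB-03", "BREAKER_OPEN"),
    ("2024-01-01T10:00:10", "SUB-01", "BREAKER_OPEN"),   # repeat at the same site
    ("2024-01-01T10:00:12", "SUB-04", "BREAKER_OPEN"),
    ("2024-01-01T10:00:30", "SUB-05", "BREAKER_OPEN"),
    ("2024-01-01T11:45:00", "SUB-09", "BREAKER_OPEN"),   # isolated, e.g. scheduled maintenance
    ("2024-01-01T11:46:00", "SUB-09", "BREAKER_CLOSE"),
]

# Hypothetical investigation playbook; the vendor's real playbooks are not on the page.
PLAYBOOK = [
    "Confirm with operators whether the breaker operations were scheduled.",
    "Identify the source host and session that issued the commands.",
    "Review recent remote-access logins to the control network.",
    "Preserve HMI and controller logs before any restoration work.",
]


def coordinated_breaker_open(events, window=timedelta(minutes=10), min_sites=5):
    """Alarm when BREAKER_OPEN reaches min_sites distinct substations within `window`.

    Returns a list of alarms, each carrying the time span, the substations
    involved and the playbook to follow. Events may arrive out of order."""
    opens = sorted((datetime.fromisoformat(t), site)
                   for t, site, cmd in events if cmd == "BREAKER_OPEN")
    alarms, start = [], 0
    for end in range(len(opens)):
        # Slide the window start forward until the span fits within `window`.
        while opens[end][0] - opens[start][0] > window:
            start += 1
        sites = {site for _, site in opens[start:end + 1]}
        if len(sites) >= min_sites:
            alarms.append({
                "first": opens[start][0].isoformat(),
                "last": opens[end][0].isoformat(),
                "substations": sorted(sites),
                "playbook": PLAYBOOK,
            })
            start = end + 1   # one burst yields one alarm, not one per extra event
    return alarms
```

The single maintenance operation at SUB-09 never reaches the threshold, so only the coordinated burst produces an alarm.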

All of this is bolstered by the professional services team, for which Lee says the company is better known. For each threat analytic created, the professional services team develops playbooks to investigate detections. What’s impressive about the services team is that they max out at 50% services work so each individual has time to keep up their technical skills and transfer their knowledge into the Dragos Platform. Lee says he doesn’t want the team to become a bunch of talking heads without hands-on practical experience, so every consultant at Dragos is empowered to preach what they’ve practiced.

Saving civilization, one threat at a time

Dragos isn’t the only company in the ICS/OT security space, by any stretch. But what impressed me and Ed is Lee’s passion and commitment. It would be easy (and highly profitable) for the company to focus exclusively on government work, veering into the weapons space. But Lee says that isn’t of interest; although they do have some government clients, Dragos actively avoids defending weapons systems. Lee feels a strong social responsibility to help secure the critical systems ordinary citizens depend upon every day. He similarly feels a duty to his team, who could become a military target if they were to start protecting weapons.

When asked what he would change overnight if he could, Lee’s response was two-fold: First, he said, he’d let the industry know that Dragos is a technology firm with a services arm. He’s very proud of the platform they’ve built, and rightly so. Second, he said he’d change how people perceive operations technology (OT): “OT isn’t what operating system you’re running; it’s IT plus physics. If people understood that better, we could speed up the maturity curve and build better tools to protect ICS.”