While many cybersecurity vulnerabilities exist, top priority should be securing those that give adversaries the potential to weaponize operational technology.
Discussing the results from the 2022 Dragos annual Industrial Cybersecurity Year In Review during a virtual media briefing on Feb. 8, company CEO Robert M. Lee said oil and gas industry cybersecurity defenders should focus on securing critical risks.
The annual review, released on Feb. 14, indicated the new PIPEDREAM malware has the ability to affect tens of thousands of industrial devices controlling critical energy infrastructure and reported an increase of attacks on the energy sector. In total, according to Dragos, ransomware attacks in 2022 against industrial organizations increased 87% since 2021; Dragos also investigated 27% more vulnerabilities in 2022 than in 2021.
When people are concerned about legacy equipment’s vulnerability and the possibility of opening the door to an operational technology (OT) breach, Lee said he asks whether replacing everything with all new and updated equipment would improve security.
“The IT security person generally wants to be like, yes, absolutely. But then you walk them through ‘what do we actually care about? What are the actual risks? What are the actual threats we see?’” it becomes easier to identify what should be the main priority, he said.
“We want to be really precise about the vulnerabilities,” Lee continued, “because a lot of them are not useful. A lot of vulnerabilities are not things that could even be weaponized by adversaries.”
For instance, he said, vulnerabilities without the ability to impact control and/or visibility are less critical than those that do.
“The way to look at risk is [what] we should take action on and how we take action on it,” Lee said.
Not all vulnerabilities need a patch, he added. Sometimes simply disabling it or placing a firewall can mitigate the risk, he said.
Classifying adversaries
Dragos classifies attack groups as ‘stage one adversaries’ if they are overtly trying to get into industrial networks but have not yet been successful, and as stage two if they have gotten into the industrial control networks and are stealing intellectual property, developing targets or taking potentially disruptive and destructive actions.
Of the groups that have been disruptive and destructive, there was typically a two- to four-year window during which they were getting familiar with industrial environments, Lee said.
“A lot of the groups that are stage one or groups that haven't even got into the industrial networks yet, a portion of them, a significant portion of them then graduate to those stage two actors, and a portion of those graduate to the ones that are actually doing disruptive and destructive effects,” he said.
“We want to be really precise about the vulnerabilities. Because a lot of them are not useful. A lot of vulnerabilities are not things that could even be weaponized by adversaries.” – Robert M. Lee, Dragos
On the other hand, Lee noted, the group behind the PIPEDREAM malware emerged on the global stage as a stage two adversary.
Chernovite is “a group that we weren't tracking. Nobody was tracking,” he said. “When they showed up, they were already a stage two actor capable of doing disruptive and destructive effects.”
In April 2022, Dragos and a partner announced the discovery of the PIPEDREAM malware, which features a cross-industry industrial control system (ICS) attack framework intended to attack infrastructure across multiple industries. It is, Lee said, the first malware that could be disruptive and destructive in multiple industries.
“You could put it in a data center, you could put it in a wind farm, you could put it in an oil and gas refinery, you could put it on an offshore rig, you could put it [in] targeting drones and the control system, aerial packages and servo motors,” he said. “It is the first time we've seen something disruptive or destructive that is cross-industry repeatable, scalable. You can load this thing up and go.”
Prevention and detection
Historically, cybersecurity efforts focused on prevention.
“We've been telling asset owners and operators to put all their resources into patching, password management, secure mode access, identity access management, et cetera,” he said.
And those who follow the guidance “are not doing anything wrong” but are probably only spending less than 10% of their resources on detection, response and recovery, he said.
“We definitely need to be encouraging folks to do the detection response piece,” Lee said.
Dragos tracks vulnerabilities that add new functionalities into the industrial environment that previously didn’t exist, as well as vulnerabilities that are actively being exploited by adversaries, Lee said.
When it comes to addressing vulnerabilities, Dragos recommends the “Now, Next and Never” framework.
According to the report, the 2% of Now category vulnerabilities in 2022 were perimeter-facing and network-exploitable. The Next category covers limited and possible threats that might be network exploitable but require more work, access and knowledge for an adversary to exploit. Many vulnerabilities could be mitigated through updated firewall rules, according to the report.
In 2022, 95% of the vulnerabilities fell into the Next category, and Lee said these could be dealt with during maintenance periods. The 3% of vulnerabilities from 2022 in the Never category pose a possible threat but rarely require action or prioritization and should be monitored at minimum rather than be ignored, the report said.
Ransomware
Dragos reported an 87% increase in ransomware attacks in 2022 over 2021, with the manufacturing sector targeted in 72% of attacks.
“They're definitely going after manufacturing a heck of a lot more than electric and oil and gas,” Lee said.
And with that spike in attacks, Lee is seeing more manufactures paying ransom. Whether to pay is not a clear-cut decision, he said, but he advocates not paying when possible.
Some groups, for instance, are able to return data in exchange for the ransom, but some are not.
“One of the things that's very common during ransomware cases is you'll work with the insurance companies that have brokers and those brokers will end up knowing and tracking the different groups and saying, ‘Hey, we've had experience with this group, you can pay them,’ or ‘We’ve had experience with this group, it doesn’t matter to pay them,’” Lee said.
Recommended Reading
Freshly Public New Era Touts Net-Zero NatGas Permian Data Centers
2024-12-11 - New Era Helium and Sharon AI have signed a letter of intent for a joint venture to develop and operate a 250-megawatt data center in the Permian Basin.
Classic Rock, New Wells: Permian Conventional Zones Gain Momentum
2024-12-02 - Spurned or simply ignored by the big publics, the Permian Basin’s conventional zones—the Central Basin Platform, Northwest Shelf and Eastern Shelf—remain playgrounds for independent producers.
Nabors, ProPetro Plan to Deliver High Voltage to Drillers
2024-12-10 - Nabors Industries, in partnership with e2Companies, and, separately, ProPetro Holding Corp., both launched oilfield electrification solutions on Dec. 10.
APA Corp., TotalEnergies Announce $10.5B FID on ‘Goliath’ Sized Deal Offshore Suriname
2024-10-01 - APA and TotalEnergies’ offshore Suriname GranMorgu development is estimated to hold recoverable reserves of more than 750 million barrels.
Utica’s Encino Boasts Four Pillars to Claim Top Appalachian Oil Producer
2024-11-08 - Encino’s aggressive expansion in the Utica shale has not only reshaped its business, but also set new benchmarks for operational excellence in the sector.
Comments
Add new comment
This conversation is moderated according to Hart Energy community rules. Please read the rules before joining the discussion. If you’re experiencing any technical problems, please contact our customer care team.