A great deal can be learned from industry trends and shared challenges. To that end, ICS cyber forensics firm Dragos published a series of year-in-review reports examining its customer engagements throughout 2018. The reports evaluate changes in the industry and discuss actions organizations can take to increase the defensibility of their networks. Dragos’ customer demographic for these reports was primarily energy (56%). The remaining 44% was split equally among engineering and production of chemical, biomedical, and pharmaceutical products; manufacturing; transportation and shipping; and water utilities and wastewater treatment.
The most encouraging observations:
- There is a high level of information sharing and leveraging of trusted relationships, including continued growth in collaboration between OT and IT teams to increase network defensibility.
- Boards are becoming more engaged and are asking the right questions about ICS cybersecurity spending and about the best way to get started or move forward.
- Organizations are being proactive (80%) in their ICS cybersecurity strategy, as opposed to reactively reaching out after having discovered a compromise.
Regardless of sector or size – from small utilities to large organizations and even vendors – everyone echoes similar concerns:
- What is on my network?
- Is my network under attack?
- How do I respond to threats or compromise?
While Dragos reports that it did not discover new malware with any life-threatening or ICS-specific destructive capabilities in 2018, the observed research and reconnaissance activities indicate that the kind of information needed to enable such destructive capabilities is being stolen for future use. Furthermore, a common vector into the ICS network continues to be commodity threats originating on the business or IT networks, such as malware and wormable ransomware that spread into ICS environments. These IT-based network compromises include adversaries' continued use of native, built-in tools and other "living off the land" techniques to blend in with the environment and bypass detection. Dragos