At the 2019 Ovation Users’ Group conference, Dragos CEO Robert M. Lee provided an update on the cyber threats facing manufacturers and producers. Emerson and Dragos yesterday announced an agreement, Emerson Selects Dragos to Collaborate on Cybersecurity Protection for Power and Water Industries. The news:
Emerson and Dragos, Inc., developer of the Dragos Platform for industrial cybersecurity asset detection, threat detection and response, have signed a global agreement that will enable power producers and water utilities to further strengthen the security of their critical assets. Emerson will integrate threat detection technology from the Dragos Platform into its Ovation™ automation platform and Power and Water Cybersecurity Suite.
Robert opened his presentation describing risk in the industrial space by citing some statistics. 64% of all vulnerabilities did not eliminate risk. 72% provided no alternative mitigation to the patch. Only 15% could be leveraged to gain initial access. Only 28% of network-exploitable advisories provided sufficient mitigation advice. Nearly 72% of advisories cover HMI, EWS, and field device components yet nearly all the vulnerabilities did not require the vulnerability to achieve the same functionality or impact.
While the threat landscape continues to grow, the actual incidents that affect industrial production are still rare. As an industry we’re finding more, because we’re looking more. Robert described an ICS Cyber Kill Chain as a two-phase kill chain. The adversary must understand the physical process and safeguards. It takes more steps to do the type of attacks that we’re most concerned about. Robert believes that industrial systems are much more defensible against cyber threats compared with IT systems.
The sliding scale of cybersecurity includes architecture, passive defense, active defense, intelligence, and offense (legal countermeasures). He cited the 2015 Ukraine cyberattack. It took 3 days for the attackers to gain remote access to the system, but 6 months to learn the industrial system enough to perform an industrial control system (ICS) attack. While access was easy, intrusion detection systems could have detected the attackers during this 6-month phase, in which they learned how the control strategies work in order to develop the attack to shut down power to the Ukrainian electrical grid. The lessons learned informed changes to architecture, passive and active defense.
For the Saudi Arabian “TRISIS” 2017 attack, the adversary had access to the safety system for 3 years to develop the attack. While intrusions happen, there is time to identify the threats while the adversary is learning the ICS configurations.
Visit the Cybersecurity for Power and Water section on Emerson.com for more on layers of defense to improve your cybersecurity posture.