Dragos releases Industrial Control Systems 2018 Year in Review Reports

Feb. 14, 2019
Reports provide the ICS community with 2018 lessons learned from the Dragos industrial threat intelligence team and threat operations team

Hanover, MD – February 14, 2019 -- Dragos, Inc., provider of the industry’s most trusted industrial threat detection and response platform and services, released its annual industrial control system (ICS) 2018 Year in Review reports today. These annual Year in Review reports provide important metrics and findings from the Dragos team’s first-hand experience tracking ICS adversaries, identifying vulnerabilities and threats, and performing assessments, threat hunts, and incident response in industrial environments.

“As a community, we must learn from real experiences and insights to ensure we are constantly pushing the security of our industrial infrastructure forward,” said Robert M. Lee, CEO and Co-founder of Dragos. “It is always the Dragos team’s pleasure to share our knowledge, and we hope these reports serve as both a unique set of insights and a call to action.”

Details of Year in Review 

    Industrial Control System Vulnerabilities Report: The Dragos Intelligence team provides analysis of the ICS-specific vulnerabilities from 2018 and describes impacts, risks, and mitigation options. In 2018, Dragos tracked 204 public vulnerability advisories with an impact on ICS. 68% of advisories covered network-exploitable vulnerabilities, yet only 28% of these network-exploitable advisories provided mitigation advice sufficient to take effective action.

    ICS Activity Groups and the Threat Landscape Report: The Dragos Intelligence team provides insights into threat activity groups actively targeting industrial organizations and details their activity, methodology, victimology, and future concerns. The Dragos Intelligence team has tracked three new ICS activity groups since 2017 and identified a growing trend of adversaries using open source or commercially available penetration testing tools to pivot from IT networks into ICS networks.

    Lessons Learned from Hunting and Responding to Industrial Intrusions Report: The Dragos Threat Operations Center (TOC) provides a synopsis of lessons learned while proactively hunting for adversaries in industrial environments and responding to intrusions. In 2018, 37% of Dragos’ incident response engagements involved an initial intrusion vector dating back more than 365 days before the engagement, while all other engagements were either inconclusive or were detected and contained by facility teams and Dragos as they occurred.

Year in Review reports can be found here: https://dragos.com/year-in-review/. To learn more about Dragos’ trusted team of practitioners and its industrial asset identification, threat detection, and response platform and services, contact [email protected] or visit dragos.com for more information.

Reid Wightman, Senior Vulnerability Researcher, said:  "There was a surprisingly high error rate among the advisories published by ICS-CERT. I think there is a public perception that the organization fact-checks advisories, but either they don't do it, or aren't doing it very well. It is great to see though that when vendors collaborate with researchers to disclose vulnerabilities, the error rate significantly decreases. I hope we see more of that in the future."

Key Findings

Industrial Control System Vulnerabilities Report: Analyzes ICS-specific vulnerabilities and discusses impacts, risks, and mitigation options

What’s new: In 2018, Dragos began tracking advisory report accuracy. The advisories covered 443 individual Common Vulnerabilities and Exposures identifiers (CVEs), and Dragos found that one-third of these had errors in describing the vulnerability or in rating its severity.

Why this is important: Many ICS organizations use public advisory data to either reduce risk or satisfy compliance requirements, and Dragos found a high number of inaccurate reports, which is a risk to the ICS community. Inaccurate advisories mean defensive effort is wasted, and relying on advisories alone to prioritize patching or other remediation does not meet the goal of reducing risk.

YIR 2017 vs. 2018: In 2017, Dragos was not tracking the accuracy of public advisory reports. This is a new component of the 2018 YIR reports. In 2018, Dragos tracked 204 public vulnerability advisories with an impact on ICS.

ICS Activity Groups and the Threat Landscape Report: Discusses the threat activity groups actively targeting ICS and provides details of their activity, methodologies, victimologies, and future concerns

What’s new:

  • In 2018, Dragos began publicly tracking three new activity groups, ALLANITE, XENOTIME, and RASPITE, and identified new activity for CHRYSENE, MAGNALLIUM, and DYMALLOY.
  • Dragos identified a growing trend of adversaries using open source or commercially available penetration testing tools in real-world campaigns, exemplified by pivots from IT networks into ICS networks.
  • The report includes new recommendations and predictions from the Dragos Intel Team that have not previously been made public.

YIR 2017 vs. 2018: In 2017, Dragos was tracking 5 activity groups. In 2018, it identified three new activity groups, offering more insight into the ICS threat landscape along with new recommendations and defense strategies. This reflects not a decrease in threats but a growing trend of new threat activity groups being identified each year; before Dragos began this tracking, only one or two ICS threats were publicly discussed per year.

Lessons Learned from Hunting and Responding to Industrial Intrusions Report:

Provides a synopsis from the Dragos Threat Operations Center (TOC) of trends observed within the industry and lessons learned through proactively hunting for adversaries in industrial environments and responding to industrial intrusions.

What’s new:

  • The majority of Dragos TOC engagements in 2018 focused on helping customers understand their industrial environments, identify active threats through threat hunting, and better prepare for and respond to incidents.
  • 55 percent of Dragos’ engagements throughout 2018 focused on energy (oil, gas, electric, transmission, generation, management, and renewables). The remaining 44 percent was split equally among engineering and production of chemical, biomedical, and pharmaceutical products; manufacturing; transportation and shipping; and water utilities and wastewater treatment.
  • In 2018, 37 percent of Dragos’ incident response engagements involved an initial intrusion vector dating back more than 365 days before the engagement, while all other engagements were either inconclusive or were detected and contained by facility teams and Dragos as they occurred.
  • Communication and data sharing are taking place within each sector, and organizations are leveraging trusted relationships with peers to better the industry.
  • Incident response is increasingly being used by companies to “rule out” cybersecurity causes during outage impact analysis.
  • Dragos reviewed the recently published NIST Cybersecurity Framework and identified the controls offering the greatest return on investment for industrial networks (a follow-on whitepaper is to be released at the end of February).

Why this is important:

Dragos engagements in 2018 demonstrate a positive industry trend for the future: the ICS community is focused on increasing knowledge of its own networks to better identify and respond to threats. Incident response is increasingly being used by companies to “rule out” cybersecurity causes during outage impact analysis, in part because they lack the visibility to make these determinations on their own. Because organizations are taking the security of their control networks seriously and improving their defenses, Dragos is focused on identifying practical approaches to facilitate these improvements.

YIR 2017 vs. 2018: Last year, Dragos did not disclose the distribution of its TOC services. In YIR 2018, Dragos provides the exact percentages of each service it delivered, so readers have better insight into trends, into how organizations are learning about their networks, and into proactive observations of potential improvements in ICS security measures.

About Dragos

The Dragos ICS threat detection and response platform distills decades of real-world experience from an elite team of ICS cybersecurity experts across the U.S. intelligence community and private industrial companies to provide OT and IT practitioners unprecedented visibility and prescriptive procedures to respond to adversaries in the industrial threat landscape. With the Dragos platform, ICS cybersecurity personnel can independently identify ICS assets, detect ICS threats, and determine ICS cybersecurity-specific responses. Dragos’ offerings include the Dragos Platform for ICS threat detection and response; the Dragos Threat Operations Center for ICS threat hunting and incident response services; and Dragos ICS WorldView for weekly threat intelligence reports. Visit dragos.com for more information.