Open-source ETHOS platform to improve availability of OT/ICS devices, networks for data sharing, collaboration

With the release of the OT-centric, vendor-agnostic, open-source ETHOS platform, cybersecurity teams and stakeholders can improve industrial process automation and optimize production while reducing operational costs. Launched by a group of OT (operational technology) vendors, the platform can anonymously share early warning threat information across industries with peers and governments to investigate early threat indicators and discover new and novel attacks. 

One of the key benefits of the ETHOS (Emerging Threat Open Sharing) platform is its modularity: it has been designed to be highly configurable, allowing users to tailor it to their specific requirements. Developing it as open source brings in community software development, which speeds up development and deployment and closes the gap in time and resources that would hinder a comparable initiative attempted by a single entity. Open-source development also provides innovation, collaboration, transparency, and aggregation of subject matter expertise.

The ETHOS platform intends to share vital OT information to enable real-time security awareness across various critical infrastructure sectors and locations. Run by an independent mutual benefit corporation with an open-source GitHub community, the ETHOS platform will not allow any single entity to have control over its content and the members of the community are responsible for decision-making and authorizing user licenses.

Founding ETHOS community members include 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security. General membership applications will be available in June this year. 

The objectives of the open-source platform include building an open-source codebase and platform through which OT/ICS devices and networks can share data and collaborate, making innovative and egalitarian design and governance decisions, and producing code that gives cybersecurity teams and stakeholders early warning detections, all to benefit the cybersecurity community without seeking a profit.

Industrial Cyber interviewed members of the ETHOS community to determine whether it would be wise to make the development of their community and software portal open-source, while keeping the intelligence within each ETHOS server, in light of increasing adversarial threats and supply chain attacks. The executives also address whether the platform is going to be available outside of the U.S.

As bad actors increasingly set their sights on crippling networks and systems of essential services within critical infrastructure, getting an early warning about emerging cybersecurity threats can be the difference between continuous productivity and major disruption, Marty Edwards, deputy CTO for OT/IoT at Tenable, told Industrial Cyber. “ETHOS will compare shared information to identify statistically significant behaviors, anomalies, and indicators of new and novel attacks — for which there is no threat intelligence or known attack pattern available.” 

Marty Edwards, deputy CTO for OT/IoT at Tenable

Edwards added that organizations worldwide across both private and public sectors stand to benefit greatly from ETHOS, which will ultimately help them prevent incidents while maintaining the availability of their critical services to the communities they support. “The ETHOS organization has just recently been formed and we have yet to determine if there will be any limitations on participation, however, my opinion is that cybersecurity is a global issue and defenders need to be collaborating at a global scale,” he added. 

Andrea Carcano, co-founder and CPO at Nozomi Networks

Andrea Carcano, co-founder and CPO at Nozomi Networks, told Industrial Cyber that ETHOS answers an urgent need to corroborate information to detect attacks earlier. “Siloes exist today, creating single sources of intelligence without due diligence and corroboration to indicate the significance of shared intelligence,” he added. 

“ETHOS will share data across security vendors with the best and most immediate access to security data across the OT threat landscape,” according to Carcano. “The open-source nature of ETHOS means the technology can be utilized globally, and security vendor products that connect to any ETHOS server will also inevitably include global customers if they choose to share their data.”

Daniel dos Santos, head of security research at Forescout’s Vedere Labs

Making the software open source is the best way to ensure that as many people as possible can audit it while nobody can make changes secretly, Daniel dos Santos, head of security research at Forescout, told Industrial Cyber. “That should increase transparency and help to catch any problems (including vulnerabilities or malicious use) early on. The generated intelligence, on the other hand, should only be shared with trusted organizations that will use it with the goal of protecting themselves against attacks.” 

“Once there is intelligence generated from ETHOS that is relevant for public consumption and will not harm participants, that can be published by the organizations holding the ETHOS servers,” dos Santos said. 

He added that the platform should be available for organizations outside the US to upload their data and receive notifications, “while we are looking to set up an initial server within the US.”

Open-source community software development drives rapid development and deployment opportunities and shortens the gap in time and resources that would hinder comparable initiatives attempted by a single entity, Paul Veeneman, an IT/OT/ICS cybersecurity and risk management professional, told Industrial Cyber. “Open-source development provides innovation, collaboration, transparency, and aggregation of subject matter expertise. The concern would be how to scale the endeavor without the advantage of a community leveraging the capability to bring multiple large enterprise organizations together, assimilate decades of knowledge and expertise, packaged into a scalable solution,” he added.

“Open and sharing doesn’t lend itself to tenets of isolation and segmentation synonymous with OT cybersecurity efforts as of late,” Veeneman said. “The ETHOS platform will likely need an information distribution and dissemination mechanism, allowing for the potential crowd-sourcing of threat information, accelerating time-to-detection and time-to-response factors, across numerous ETHOS deployments nationally, funneling relevant and timely information to a central ‘hive-mind.’ Individual ETHOS deployments could have a configurable option to connect and share information, or operate in a stand-alone deployment model.”

Paul Veeneman, President and COO, Beryllium InfoSec Collaborative

Veeneman added that ETHOS will give critical industries a vendor-neutral option for information sharing to combat the growing number of cyber threats. “An always-on, open-source solution that functions like a hotline to correlate information from many security vendors to identify anomalous behaviors will strengthen cybersecurity defenses across industries and ensure more effective government communication and support,” he added.

The executives also addressed the safeguards intended to keep nation-state actors and RaaS (ransomware-as-a-service) developers from contributing to ETHOS, as part of the platform’s direction and its future developments, and the measures in place to stop threat actors from getting past the perimeter defenses of the organization before they can cause any harm.

“The project is currently maintained by a community of developers focused on ensuring it grows to continue meeting the needs of cybersecurity practitioners who rely on actionable intelligence concerning emerging and novel cyberattacks,” Edwards cautioned. “As stated above, the ETHOS organization is relatively new, but we will take this under advisement as we go forward,” he added.

Carcano said that to be part of the initial beta test of ETHOS contributors must fill out a membership application and sign a contributor license agreement. “After the proof of concept is debuted, the repositories will be fully public, though contributors will still be required to sign CLAs, and certain participants will continue to have review and approval authority for the code that ultimately is accepted for building ETHOS servers and clients.” 

He added that because data is sent to ETHOS from an existing monitoring solution, “ETHOS servers will not have entity-level information and the security features provided by each vendor are extended to their ETHOS integrations. This trusted relationship makes it easier to share information with third parties through well-established partnerships with trusted security vendors.”

“Every person who wants to contribute code to ETHOS will have to apply for membership and this membership will have to be sponsored by two board members,” dos Santos said. “That should ensure that no unknown entities can modify the code. Keeping the project open source is also a way to ensure that more people can audit the code and spot any potentially malicious inclusions quickly.”

He added that the perimeter defenses for each deployed client and server will be up to the organizations hosting them, while ETHOS as a community can provide guidelines for a secure deployment.

Following the events involving SolarWinds, it is unlikely that there are any guarantees, Veeneman said. “Considering the compromise of a commercial platform solution, the immediate reaction might be that ‘open-source lacks the security, confidentiality, and sensitivity levels necessary for such an undertaking.’ This is a common misconception, in fact, the opposite is more the case as large multinational Fortune 100 and above organizations, such as Microsoft, Google, Amazon, BMW, Audi, McDonald’s, London & New York Stock Exchanges, and Harvard University, engage in open-source development consistently for solutions across their infrastructure and applications architecture,” he added.

“When looking at threats to ETHOS, ransomware tips the scales, with multiple threat vectors, the most frequent being business email compromise or remote access exploits,” Veeneman said. “There will be a vital requirement to leverage the industry talent pool of partners and others to safeguard the confidentiality, integrity, and availability of the ETHOS platform, development efforts, and sensitive data adequately and appropriately.”

Veeneman said that the ETHOS project will need to practice sound cybersecurity defenses not only at the perimeter but across the architecture to ensure the integrity of the platform. “Software development initiatives, open-source or commercial, should have a combination of access control and authorization, intrusion detection and prevention mechanisms, vulnerability scanning, and secure coding methodologies to prevent the compromise of the platform or the introduction of malicious code or vulnerabilities into the body of software, such as automated testing tools and static code analyzers, as well as best practices for the platform itself, input validation, error handling, secure communication, data encryption, etc., to name a few,” he added.

The experts also provided more detail on whether there will always be only one server or instance of ETHOS, or whether there are plans to add more such servers or instances as the community adopts the platform. Additionally, they examine the cybersecurity implications of allowing any organization to create its own ETHOS server, which can be used to invite and integrate with clients and vendors to share and corroborate information at any level.

Edwards said that the beta project will stand up one deployment with initial ETHOS community participants. “However, the open-source platform will allow any organization to host and manage their own ETHOS servers and invite and integrate with clients and vendors to share and corroborate information at any level. We see this as a positive outcome as the goal of ETHOS is to provide the entire community with more insights into threats targeting new and known vulnerabilities in OT systems.” 

He also added that the closer “we work together, the stronger and more cyber resilient the OT security community becomes.”

“Initial contributors will build a proof of concept. In the future there can be multiple separate and federated ETHOS servers owned by any entity, private, public, or international,” Carcano said. “Because data is sent to ETHOS from an existing monitoring solution, ETHOS servers will not have entity-level information and the security features provided by each vendor are extended to their ETHOS integrations. This trusted relationship makes it easier to share information with third parties through well-established partnerships with trusted security vendors,” he added.

The plan is to initially have a single server used by all the clients, according to dos Santos. “However, the ETHOS code will be open-source, and, as such, anyone can have their own ETHOS server. Examples may include ISACs, CERTs, and national organizations.” 

Nevertheless, he added that organizations deploying a client will probably choose to share their data with a server that they trust, via the client embedded by a vendor that they also trust. “There is no immediate implication of someone standing up a server, as long as the clients choose not to send their information to that server.”

Veeneman said that the current ETHOS single-server model is intended for use by owners and operators working with participating vendors, sharing threat intelligence that is sent anonymously, and can provide early warning to known or emerging threats. “There may be future drivers that push a single-server model to a multi-server architecture such as performance, scalability, security, and tiering of data and data flows. These would be factors for any similar initiative experiencing significant adoption, growth, and capacity, or an expansion of application, service, and system architecture and development roadmap,” he added.

“There are potential cybersecurity challenges for any solution that involves sharing and distribution among disparate entities,” according to Veeneman. “However, it is important to understand that the exchange of information and threat intelligence is first and foremost anonymous, and initially only contains the relevant IP addresses, domains, hashes, and signatures.”
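The corroboration idea running through these answers (Edwards’ “statistically significant behaviors,” Carcano’s “corroboration to indicate the significance of shared intelligence,” and Veeneman’s note that the exchange is anonymous and limited to IP addresses, domains, hashes, and signatures) is easier to reason about in code. The following is an added illustration written for this article, not ETHOS project code, and it assumes a design the article does not specify: each vendor integration carries an opaque per-client token rather than any customer identity, the server keeps only the indicator and the set of distinct reporters, and an indicator counts as corroborated once a configurable number of distinct clients report it inside a time window. The report field names, thresholds and sample events are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Indicator kinds the article says the initial exchange is limited to.
ALLOWED_TYPES = {"ip", "domain", "hash", "signature"}
_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")   # MD5 / SHA-1 / SHA-256
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Address ranges that describe a participant's own network, not a shared adversary;
# forwarding them would leak internal addressing, so they are rejected at ingest.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass
class Report:
    """What a vendor client forwards: indicator only, plus an opaque client token (assumed design)."""
    client_id: str
    kind: str
    value: str
    seen: datetime


@dataclass
class IndicatorStats:
    first_seen: datetime
    last_seen: datetime
    reporters: set = field(default_factory=set)   # distinct client tokens, never raw counts


def normalise(kind: str, value: str):
    """Canonicalise an indicator value; return None if it is malformed or internal-only."""
    v = value.strip().lower()
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return None
        if any(addr in net for net in _INTERNAL):
            return None
        return str(addr)
    if kind == "domain":
        return v if _DOMAIN.match(v) else None
    if kind == "hash":
        return v if _HEX.match(v) else None
    if kind == "signature":
        return v or None
    return None


def anonymise(client_id: str, local_event: dict) -> Report:
    """Strip everything but the indicator before it leaves the monitoring product.
    Site, asset and customer fields present locally are deliberately not copied."""
    return Report(client_id, local_event["kind"], local_event["value"], local_event["seen"])


class SharingServer:
    """Hypothetical ETHOS-style server: prevalence across *distinct* reporters, nothing else."""

    def __init__(self, corroboration_threshold: int = 3, window: timedelta = timedelta(hours=24)):
        self.threshold = corroboration_threshold
        self.window = window
        self.stats: dict[tuple[str, str], IndicatorStats] = {}

    def ingest(self, report: Report) -> bool:
        if report.kind not in ALLOWED_TYPES:
            return False
        value = normalise(report.kind, report.value)
        if value is None:
            return False
        st = self.stats.setdefault((report.kind, value), IndicatorStats(report.seen, report.seen))
        st.first_seen = min(st.first_seen, report.seen)
        st.last_seen = max(st.last_seen, report.seen)
        st.reporters.add(report.client_id)   # a noisy sensor re-sending 100 times still counts once
        return True

    def corroborated(self, now: datetime) -> list[tuple[str, str, int]]:
        """Indicators seen recently by at least `threshold` distinct clients, most widely seen first."""
        hits = [(k, v, len(st.reporters)) for (k, v), st in self.stats.items()
                if now - st.last_seen <= self.window and len(st.reporters) >= self.threshold]
        return sorted(hits, key=lambda t: -t[2])


def demo():
    """Constructed sample: three vendors' clients plus one noisy sensor and one leaky event."""
    t0 = datetime(2023, 5, 1, 12, 0)
    events = [
        ("vendorA-client-17", {"kind": "ip", "value": "203.0.113.45", "seen": t0, "site": "plant-3", "asset": "plc-7"}),
        ("vendorB-client-02", {"kind": "ip", "value": "203.0.113.45", "seen": t0 + timedelta(hours=2), "site": "refinery-1", "asset": "hmi-2"}),
        ("vendorC-client-91", {"kind": "ip", "value": "203.0.113.45", "seen": t0 + timedelta(hours=5), "site": "substation-9", "asset": "rtu-1"}),
    ]
    # One client repeating the same hash five times: only one reporter, so not corroborated.
    events += [("vendorA-client-17", {"kind": "hash", "value": "D41D8CD98F00B204E9800998ECF8427E",
                                      "seen": t0 + timedelta(minutes=i), "site": "plant-3", "asset": "ews-1"}) for i in range(5)]
    events.append(("vendorB-client-02", {"kind": "ip", "value": "10.0.0.5", "seen": t0, "site": "refinery-1", "asset": "hmi-2"}))  # internal, rejected
    events.append(("vendorC-client-91", {"kind": "domain", "value": "Update.Example.NET", "seen": t0 + timedelta(hours=3), "site": "substation-9", "asset": "rtu-1"}))
    server = SharingServer(corroboration_threshold=3)
    accepted = [server.ingest(anonymise(cid, ev)) for cid, ev in events]
    return server, accepted, server.corroborated(now=t0 + timedelta(hours=6))


if __name__ == "__main__":
    _, accepted, hits = demo()
    print(f"accepted {accepted.count(True)}/{len(accepted)} reports; corroborated: {hits}")
```

The two design choices that matter for the article’s concerns are that the server never stores who saw what (only an opaque token per integration, so “entity-level information” as Carcano puts it stays with the vendor) and that significance is measured in distinct reporters rather than event volume, so a single misconfigured sensor cannot manufacture a community-wide alert.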

The executives also address who bears the responsibility when using the platform, as the ‘ETHOS platform is run by an independent mutual benefit corporation with an open-source GitHub community. No central authority retains ownership of its intellectual property.’ Furthermore, they analyze the likely cyber insurance implications of such a move. 

Edwards said that ETHOS is owned by the mutual benefit corporation and individual companies are members of this organization. “Decisions are made by representatives on the board of directors.”

The responsibility for using a piece of software ultimately lies with the organization that chose to use it, dos Santos said. “The fact that ETHOS is open-source does not change the responsibility. Currently, virtually every organization (and individual) around the world already use open-source software and components, so there should be no major implications to cyber insurance.”

“Because data is sent to ETHOS from an existing monitoring solution, ETHOS servers will not have entity-level information and the security features provided by each vendor are extended to their ETHOS integrations,” Carcano said. “This trusted relationship makes it easier to share information with third parties through well-established partnerships with trusted security vendors.”

Since ETHOS is made available for public use, the organization assumes responsibility for the open-source product as a consumer of the solution or as a participant in the activity of openly sharing information, Veeneman said.

“Regardless of ETHOS or any other open-source software platform, service, or application, the cyber insurance implications lie with the consumer, in the form of policy coverage, exclusions, limits, reporting and compliance requirements that organizations must meet in order to qualify for coverage, those requirements being specific cybersecurity controls or adhering to specific regulatory obligations,” Veeneman pointed out. “Organizations will need to review cyber insurance policies to understand the impact and ramifications, assessing risks, and taking the appropriate measures…as with any scenario involving personnel, process, and technology.”

The executives explore whether it is likely that the ETHOS platform will get a government partner, such as CISA or NIST, or maybe a non-profit organization, such as MITRE. They also address the rationale behind keeping it all vendors only.

CISA has received a technical briefing on the fundamental objectives of ETHOS and has expressed excitement for the industry to be collaborating for the betterment of critical infrastructure cybersecurity, according to Edwards. “They will be in communication as the project proceeds.”

“I am not aware of any intent to keep ETHOS ‘vendor only’ as we have a number of consultants as members and do envision end-user members as well,” Edwards said. “We are in the early stages of standing up the organization and it made the most sense to get the cybersecurity vendor players in alignment first.”

Edwards added that a big challenge for the OT industry is differentiating which threats pose an actual risk to an organization and where they are exposed to such risk. “By being vendor-agnostic, ETHOS aspires to cut through the noise by automating the discovery and dissemination of real-world threat information from its industry members. The goal will be to provide the entire community with more insights into threats targeting new and known vulnerabilities in OT systems. By working together, the OT security community is stronger and more cyber resilient.”

“Yes, it is likely and desired that the platform will get partners from governments and non-profits,” dos Santos said. “ETHOS was initially an industry-driven initiative because industry players can more easily commit resources to developing such an emerging technology and because these organizations already develop the tools that currently protect critical infrastructure and provide local visibility into threats.”

CISA has received a technical briefing on the fundamental objectives of ETHOS and has expressed excitement for the industry to be collaborating for the betterment of critical infrastructure cybersecurity, according to dos Santos. “They will be in communication as the project proceeds. We are also currently reaching out to ISACs and other communities for inclusion in ETHOS and scheduling technical briefings with interested parties.”

The ETHOS Community is eager to work with government partners who have ideas for creating ETHOS server rules, correlating activity and behaviors in OT to provide early warning detections, and those that want to create and host their instances, Carcano said. “ETHOS is not limited to the founding corporation companies that will govern the proof-of-concept development. The project is open to any individual or corporate entity that wants to be part of the community.”

Veeneman said that the National Cybersecurity Center of Excellence (NCCoE) could potentially serve as a precedent for an ETHOS government partnership. The NCCoE, under NIST and within the Department of Commerce, was established in Maryland in February 2012 to work with private industry to identify cybersecurity challenges across individual or multiple sectors and to develop, in partnership, best practices, guidance, and solution deployment documentation.

He added that the additional participation of organizations such as MITRE acting in supporting roles to the ETHOS mission objectives would come by way of similar efforts such as the Federally Funded Research and Development Center (FFRDC) and its support of the NCCoE, helping to foster conflict-free collaborative public-private partnership involving industry, academia, and government.

Veeneman also pointed out that an initial ‘vendors-only’ focus has the potential to significantly accelerate the integration of systems and solutions through vendor-specific APIs, collecting vast amounts of vital information across sectors, and to provide the capability and capacity to sift through large datasets more efficiently and effectively: determining what is relevant and applicable, recognizing potential threat behavior, indicators of compromise, and new and novel attacks, and identifying prevention and mitigation efforts.

“Over time the community will expand, presumably following the June 2023 open registration and launch dates, to companies and government agencies, hosting an ETHOS server,” according to Veeneman. “Community growth and adoption of the ETHOS open-source project provides the opportunity to increase the open sharing of information across clients and servers, secured and authenticated, without disclosing vendor customer information, maintaining the confidentiality of sensitive data.”

Veeneman concluded that funneling threat intelligence ‘upward’ from customer deployments of specific vendor solutions to an ETHOS server allows response teams to proactively perform analysis, take steps to mitigate the identified threat and risk, then distribute and disseminate valuable mitigation and prevention information.
