Dragos’ Lee calls upon CISA to enforce cybersecurity requirements, as industrial cyber threat landscape shifts irreversibly

Prioritizing OT/ICS networks is required, with an emphasis on security measures that have proven effective against attackers, rather than merely identifying and adopting best practices used in other domains such as business information technology (IT), Robert M. Lee, CEO and co-founder of industrial cybersecurity company Dragos, informed the U.S. Senate Committee on Energy and Natural Resources. He also pointed to the Pipedream malware, which has shown that the threat landscape has irreversibly changed and that a sense of urgency is required.

A full committee hearing was held last week to examine cybersecurity vulnerabilities to the nation’s energy infrastructure. Lee’s testimony focused on three key points. First, the industrial cyber threat landscape has irreversibly shifted this past year, requiring heightened attention. Second, the government should seek to understand what is and is not working, and act on that while taking advantage of collaborative efforts that already exist but are underutilized. Third, it is important to identify which sites are critical and which risks they need to be protected against, and to properly resource these efforts; both the private sector and the government must deploy resources.

Lee also pointed out that the Cybersecurity and Infrastructure Security Agency (CISA) could be better resourced and authorized to enforce cybersecurity requirements and efforts across federal agencies and institutions. It is difficult for the government to speak credibly on the topic of cybersecurity when its own institutions have less security than most energy sites in the country.

For all the right reasons, Lee identified in his Senate Testimony that the industry moved towards a more homogenous infrastructure with common software packages, common network protocols, common facility designs, and more. “This has brought a lot of advantages to the industry and those that depend on it, but reduced the complexity that the adversaries have to operate in while increasing the complexity of what defenders have to defend. Years ago, I often warned that I was not worried about the threats of today because our infrastructure owners and operators had focused so much on reliability and safety that it naturally helped cybersecurity.” 

But, that one day, “we would get an adversary that took advantage of the homogenous infrastructure, and it would be a massive shift for the industry. In 2022 such an adversary emerged,” he added.

Turning to Pipedream, Lee described how Dragos was called upon by an undisclosed third party to analyze a new collection of malware capabilities and, with permission, partnered closely with U.S. government agencies. “The capability was coined Pipedream and was developed by a highly capable strategic state adversary. Pipedream is the first reusable cross-industry capability that can achieve disruptive or even destructive effects on ICS/OT equipment,” Lee highlighted.

Developed by the Chernovite threat group, the Pipedream toolkit is the first ‘cross-industry disruptive/destructive’ ICS/OT malware, with capabilities that can impact tens of thousands of industrial devices that control critical infrastructure – devices that manage the electrical grid, oil and gas pipelines, water systems, and manufacturing plants.

Based on Dragos’ assessment, Pipedream was initially targeted at energy assets such as liquefied natural gas and electric transmission equipment, but it can work in almost all OT environments, ranging from the heating, ventilation, and cooling equipment in data centers to the control systems used in next-generation military equipment and weapon systems.

“The addition of Pipedream provides the first realistic cyber capability that can significantly disrupt critical infrastructure domestically. Pipedream is not a capability you can simply patch away or otherwise prevent,” Lee revealed. “Once it is in its target’s networks, it is a reliable tool for an attack as it takes advantage of the native functionality and common software now deployed across infrastructure sites. This demands an effort to not just focus cybersecurity on preventing cyber attacks, but on detecting and responding to them as well. Pipedream rightfully sounds concerning but it is important to take a moment to acknowledge the victory here as well.” 

Dragos, with its undisclosed partner, was able to work with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and DOE to identify, analyze, and report on Pipedream to the broader infrastructure community before Pipedream was employed.

Lee called attention to the need to determine and act on what does and does not work. “Governments around the world are appropriately apprehensive about picking winners and losers in the market. That apprehension has sometimes extended to even suggesting ideas or strategies for fear of the perception of preference. This has led to the repeated resourcing of ideas and efforts that lead to very little value while not further focusing on efforts that have shown success,” he emphasized.

He also observed that when the government partners closely with the private sector and uses its expertise, “we achieve better outcomes. We have seen this through the model that the Federal Energy Regulatory Commission (FERC) and North American Energy Reliability Corporation (NERC) have used, where the federal government proposes regulation with details on what it seeks to achieve. NERC then forms a committee of members across the community to evaluate the effectiveness and feasibility of the proposed changes. This allows for time, input, and alignment that creates regulations that better meet the objectives. Further, models for collaboration instead of simply information sharing have begun to show value.”

“There are current efforts by the DOE and CISA to work with the electric industry to create the Electricity Threat Analysis Center (ETAC). The ETAC operates essentially as a sector-specific spoke in CISA’s overarching strategy to partner with critical infrastructure providers,” Dragos’ Lee said. “The ETAC can centralize the efforts across government agencies and sharing centers such as the Electricity Information Sharing and Analysis Center (E-ISAC), and bring private sector companies and their trusted vendors to a central location to analyze and collaborate on cyber threats to the energy system.”

Lee also said that vendors must be included in the discussions and held accountable to baseline requirements, just like the asset owners and operators. “If vendors want to play a role in the service and protection of critical infrastructure, especially its critical parts such as OT/ICS, they must be aware of their role and risks through the supply chain to the customers they serve. Right now, there are very few requirements on vendors and instead many make optional choices,” he added.

He also called upon the government to identify what is critical and the risks it should be prepared against, and to ensure that the appropriate resources can be allocated to the challenge. Currently, there are multiple unclassified and classified lists of what is considered critical infrastructure beyond the high-level sectors. These lists often identify infrastructure as critical by its size and impact, or by its proximity to important assets such as military bases.

“If the United States were to enter into conflict with China there are a set of infrastructure sites more important than others for the logistic lines and projection of force abroad,” Lee highlighted. “If the United States wants to launch intercontinental ballistic missiles back against an aggressor, those infrastructure sites would be different. If the requirement is a crank path to restart key portions of the energy system, that would additionally be a different set of infrastructure sites. Some would be large sites but some would be very small sites not well understood by the federal government. Infrastructure owners and operators are put in an impossible situation to advise on what the key infrastructure sites they maintain are relative to unknown requirements other than ‘national security.’”

Lee added that if the U.S. government were to clarify roles and responsibilities, identify the requirements that the infrastructure needs to support, and define the realistic threat scenarios that each industry should be prepared for, infrastructure asset owners and operators would have a much clearer picture of what they should do and how they can best advise and contribute their expertise.

“Inside the government, there are resourcing and authorities required to increase the level of cybersecurity to what the government is asking the private sector to reach,” according to Lee. “It can appear unintentionally hypocritical when asset owners and operators are held to regulations and standards that many government agencies and institutes themselves cannot meet.” 

When the DOE resources new projects, such as distributed energy resource efforts across renewable energy sites, it very often does not include cybersecurity in the project requirements or efforts, Lee added. “DOE’s Office of Cybersecurity, Energy Security, and Emergency Response could be resourced and authorized to ensure that a portion of the budget allocated for new energy technologies and efforts includes cybersecurity requirements to make these new sites more secure from the beginning.”

In his conclusion, Lee wrote that “everyone has an opinion on what needs done and where, but leadership is necessary to set the actual priorities and requirements across government and the private sector. The infrastructure owner and operator community in the energy and natural resources sector has consistently shown that the majority of the players are focused on national security and not just business value creation. We must be willing to make hard choices as the threat landscape, and the energy system itself, has drastically changed.”

Pipedream has shown that the threat landscape has irreversibly changed and that a sense of urgency is required, he added. “However, our infrastructure community has reliably shown that when empowered to do so, it will rise to the occasion and protect our communities and national security. We all are keenly aware that we live and work in the communities we serve. I would take an empowered energy sector and its partners over any state actor any day. Defense is doable.”
