Dragos OT-CERT bolsters industrial environments, supply chains with cybersecurity resources for SMBs

It has been a year since industrial cybersecurity company Dragos launched its OT-CERT (Operational Technology – Cyber Emergency Readiness Team) cybersecurity resource program, designed to provide industrial asset owners and operators with free OT-specific cybersecurity resources to help them build their OT cybersecurity programs, improve their security postures, and reduce OT risk. The community-focused program provides member organizations access to various materials, including OT cybersecurity best practices, cybersecurity maturity assessments, training, workshops, tabletop exercises, and webinars. 

Dragos OT-CERT partners include the National Association of Manufacturers, Emerson, Rockwell Automation, and seven Information Sharing and Analysis Centers: E-ISAC (electricity), OT-ISAC (operational technology), MFG-ISAC (manufacturing), ONG-ISAC (oil and natural gas), DNG-ISAC (downstream natural gas), WaterISAC (water), and MM-ISAC (mining and metals). Other partners are the Massachusetts Cybersecurity Program within the Massachusetts Commonwealth Fusion Center, and Catalyst Connection, a member of the NIST Manufacturing Extension Partnership.

Launched at the 2022 RSA Conference, Dragos OT-CERT was designed to address a critical gap in securing industrial infrastructure: the lack of OT-specific cybersecurity resources readily available to the industrial infrastructure community. The gap is especially critical among small and medium-sized businesses (SMBs) that often have limited in-house cybersecurity expertise and lack the financial and technical resources to address ICS/OT cybersecurity risks.

Describing how the Dragos OT-CERT program addressed the gap in securing industrial infrastructure in its inaugural year, Dawn Cappelli, Dragos’ OT-CERT director, told Industrial Cyber that “much of our global industrial infrastructure relies upon small and medium businesses (SMBs) that do not have the resources – people or financial – to be able to address cybersecurity, especially in their operational technology/industrial control systems (OT/ICS) environments. Yet that is where the true impact of the risk lies – in the OT/ICS environment.”

Cappelli added that there are some resources out there for SMBs for securing their IT infrastructure, but OT cybersecurity resources for SMBs remain sparse, and “we found that most that we examined addressed what needs to be done, but not how to do it. SMBs with little to no cybersecurity expertise, especially in OT, are presented with lists of things to do but no tools that can be used to do them.”

Cappelli disclosed that, one year after its launch, Dragos OT-CERT has over 900 members in over 50 countries. Members are asset owners and operators across all sectors, including electric, oil and gas, manufacturing, chemical, water, transportation, and pharma. “We have provided 28 resources to date: 7 guides, 8 videos, a tabletop exercise, a self-assessment survey, 3 templates, 6 best practice blogs, 1 worksheet, and access to an ICS Crash Course, along with some workshops with our partners. All our resources are created for people with no cybersecurity expertise,” she added.

“We realized that just putting out resources isn’t enough – we need to build a community where members can collaborate with us and with each other. Cybersecurity is scary, and we felt strongly we needed to build a relationship with our members,” Cappelli said. “So we started holding monthly working sessions – Zoom meetings where members can get to know each other, ask questions, get advice, and share our successes and challenges.”

Cappelli added that “we have held working sessions every month since November, and just this month added a second working session each month in the AWST time zone, for the convenience and at the request of our members in Australia, New Zealand, and Asia Pacific. We gather tips and tricks contributed by the members in each working session, and have provided a collection of 18 Tips & Tricks to our members so far.”

Listing some of the key challenges and successes that the Dragos OT-CERT program has seen over the last year, Cappelli stated that the challenge has been getting the word out to the SMB community. “Our target audience is not paying attention to security. They don’t follow security experts or security companies on social media. Our partnership program is critical in helping us to reach the SMB community,” she added.

The two successes that Cappelli listed were feedback from members and the impacts made in collaboration with partners. “The number of members that attend our working sessions grows substantially each month, and all the feedback we have received is extremely appreciative and attests to the value we bring to their companies,” she added.

On the collaboration impact with partners, Cappelli said that “we held 2 tabletop exercises for SMBs with the WaterISAC and held a half-day workshop / tabletop exercise with Catalyst Connection, a not-for-profit organization in Pittsburgh that works with small manufacturers in southwestern Pennsylvania. OT-CERT and Catalyst then created our first local chapter of OT-CERT – a Pittsburgh-based Cybersecurity Peer Network that meets monthly. We will use this as a model for creating similar local chapters in partnership with other partners and Dragos employees globally. We have also held webinars in collaboration with our ISAC partners and other partners like the Massachusetts State Police.”

Shedding some light on how OT-CERT coordinates with OEMs regarding disclosures for vulnerabilities discovered by Dragos threat intelligence researchers and cyber threats detected by Dragos targeted at the OEMs’ products, Cappelli said that as a CVE Numbering Authority (CNA), Dragos is authorized to assign CVE IDs to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. 

“After discovering vulnerabilities or cyber threats detected by the Dragos Platform targeted at OEMs’ products, Dragos attempts to contact the affected vendor. OT-CERT has established partnerships with some OEMs, such as Rockwell Automation and Emerson, to make that contact quicker and more efficient,” she added. “Our preferred method is coordinated disclosure, in which the vendor and Dragos publish advisories on an agreed-upon date.” 

Dragos believes this is the most beneficial outcome for customers as they receive both an official vendor advisory and an advisory containing Dragos’s unique security expertise at the same time, Cappelli said. “We also believe coordinated disclosure fosters strong relationships between vendors and the cyber security providers. To further strengthen this bond, Dragos commits to providing vendors with a draft of our advisory before publication. We encourage vendors to do the same.”

Looking at the goals that the OT-CERT program set for itself over the next year, Cappelli said that “in our first year, we established the foundation of the OT-CERT program, and we will continue building upon that foundation in the second year. Our content roadmap has been designed using the SANS Institute ‘5 Critical Controls for ICS/OT Cybersecurity.’” 

Cappelli outlined that in 2023 “we will continue to publish resources according to that roadmap. We will also continue our community outreach via working sessions, workshops, and tabletop exercises. We will also focus on increasing implementation of OT-CERT resources to increase our impact on supply chain risk across the global industrial infrastructure ecosystem.”

Cappelli said that this will be done by working with partners to conduct broader outreach and awareness activities to their members/constituents; working closely with companies to incorporate OT-CERT into their third-party risk programs; and creating additional local OT-CERT chapters.

She also highlighted that recent regulations and guidelines have helped to establish ‘what’ small and medium-sized organizations should do to secure their OT environments, but OT-CERT takes it a step further by assisting with ‘how’ to do it. 

Cappelli said that “we provide templates, how-to video demonstrations, and detailed implementation guides. We also hold OT-CERT working sessions every month exclusively for our members where we get to know each other, ask questions, get advice, and share our successes and challenges. We’re thrilled with the exponential growth, the strong community we’ve created, and the security outcomes we’re achieving.”

“As a community-owned utility, we are responsible for the critical services of more than 100,000 customers and households. Building an industrial cybersecurity program to protect the infrastructure this entire community relies on can be challenging at times,” Brad Wynes, supervisor-OT cybersecurity at City Utilities of Springfield, said in a media statement. “With Dragos OT-CERT, we have been able to learn from others and share our experiences in an open and inviting forum. We have consistently learned something new in every session and have applied these insights to our processes.” 

Wynes added that “the interactive working group sessions along with the content Dragos experts have provided has been invaluable whether you are Crawling, Walking or Running in your programs. No matter what your maturity level, Dragos OT-CERT is an incredible opportunity to gain and share knowledge, supporting the cause to safeguard civilization one community at a time.”

“Designing, manufacturing, and deploying telecommunications equipment and systems for critical communications sectors, in more than 60 countries, requires a constant effort in the renewal of knowledge and application of current and future technologies, as well as a deep understanding of the ecosystem,” according to Oscar Blanco Torras, cybersecurity product manager at Teltronic. “Cybersecurity plays a critical role, and Dragos OT-CERT provides tools and cross-cutting knowledge among the members of the group. Being a part of the OT-CERT community means we no longer feel like we are working on our OT cybersecurity program in an isolated silo.”
