Dragos’ Lee provides insights on OT threats and detection strategies at S4x24 event

Day 2 of the ongoing S4x24 event began with a fireside chat between Dragos CEO and co-founder Robert M. Lee and Dale Peterson, founder of S4xEvent and CEO/catalyst at Digital Bond. They discussed the threats and the extent of targeted activity against OT (operational technology), and explored the potential value of detection measures.

Addressing the distinction between “employed” and “deployed,” with deployed meaning the capability may be somewhere in the world, Lee said, “It may be on a test site, maybe on a research system, maybe somewhere accessible. Employed means it’s actually at a client, a target, and there are different actions operating. And so Pipedream was not employed. It was not in any victim networks that they were targeting. It was deployed somewhere in the world that would have been able to access it, and not to be too secret about it. But there is a reason that we don’t disclose too much, because the various parties involved don’t want to tell the adversary, ‘Hey, here’s how we talk to you. Here’s where we saw your capability.’ You don’t want to give them play-by-play information.”

Lee added that the key point is that the adversaries were kicked out of key targets across the U.S. where they were going to employ the capability, and that they still need to.

“That’s what the government typically talks about, left of the kind of moment. And yet when I hear that, I always think we don’t know what we don’t know. How confident are you that it’s not deployed? I’m not. Yeah. So I think from a broader community point,” according to Lee, “you’re getting on very well. We have a visibility problem, right? So some companies go, oh, it was in our networks for 365 days. That’s a year. Which means that’s just your log retention, isn’t it? Longer. Same thing. I would say sub 5% of the global infrastructure is monitored currently, like east-west monitoring, sub 5%. And we’re talking about 21 groups, here’s the activity, here’s all the pictures, seen at sub 5% of the collection.”

Lee pointed out that the biggest thing that has been exciting and interesting “is the first time we’ve seen something that is cross-industry and reusable, with disruption or a disruption profile, that will allow it as a capability. So if you look back at any of the IPS now, or that we’ve seen over the years, that could do disruption, it was industry-, sub-industry-, or site-specific. The more data you want to do, the more specific that site is. But as we become more modern, we become more similar across industries.”

“We’re starting to see scalable and reusable capabilities. And Python isn’t something that you just hack away. It sort of has vulnerabilities in it, and vulnerabilities will be an interesting portion of it,” Lee said. “It’s really just really good engineering workstation software. It’s all really new. I mean, Siemens figured out interoperability; like, this is a very capable engineering workstation software that will allow you to reprogram controllers and do whatever. This will fire, and that makes it dangerous, and one day it will get out. And I hope that we as a community stop moving this thing where we go, look, the report was published, we’re good, on to the next thing.”

Lee highlighted that a lot of people started picking up on the fact that, “Actually, I can hit one facility or use the capability to hit another facility. Well, if I just tune it this way I can get another 15. That is a realization that I think has come to bear in the last five years. And there are industries that haven’t gone down that curve yet but will.”

“The water industry is a great example. A month ago, whatever. You look at a lot more water systems across the United States. There’s an antiquated older system that is not digital, that is not connected, but the Emersons and payments of the world are not allowing them to have those anymore, for all the right reasons,” according to Lee. “And so as those systems get upgraded over the next three to five years, you’re going to start to see a massively more connected, massively more modern water sector than we’ve ever had before. And I think we will see what happened to manufacturing.”

Lee added that manufacturing was dominated by ransomware over the past couple of years because it was homogeneous with its digital systems and was getting excited, right? “Far more than any data will ever cover.”

Lee added that he thinks that is coming for water: “I think you’ll see that industry by industry, as kind of that connectivity and homogeneity. Okay, yeah, I’m definitely with you on the connectivity issue, which maybe exposes the homogeneous war, but I understand what you’re saying.”

Peterson asked Lee a Pipedream question: it came out two years ago and is still the most dangerous piece of malware. Why hasn’t something happened in two years? What should we draw from the fact that we’re not seeing a Pipedream 2, or whatever name we may come up with for a successor?

“Yeah. Right. Go back to that 5% monitoring; you’re probably not seeing a lot of things. But when I look at Python, that adversary has developed it. It doesn’t need to develop Python. It works. I can use it today,” Lee said. “Other states that look back, I think, are in their development phases. You don’t build out ICS security-specific houses, development capabilities with experience, and so forth, in a two-year period. But I think we will see state actors developing pipe-in-line capabilities. I’m aware of at least one that is trying right now, but my real concern isn’t when 20.”

Lee said that his real concern is that capability leaking out to criminal groups. “I think we’ve talked about this on the side. What bothers me is not Russia, China, Iran, the US, or whatever, picking up hydro Death Star. You should all think about that. What bothers me is the criminal networks picking up hydrogen capabilities and letting it become kind of a Cobalt Strike of attacking ICS. That’s going to suck,” he added.

He said that he truly believed the US would have the power, expertise, insight, and capability for that level. “And that individual who I thought highly of had no idea about the capabilities that they were employing and what effect it would actually have, which tells me that the other team definitely doesn’t know. And so I’d rather draw a line and go, none of you are mature enough to even have this conversation, so stay out of this.”

Addressing what can be done, Lee said, “You’re going to go put capability development, say I’d like to target that manufacturing site or something. Okay, I need an 18-month team, 30 people, and $20 million. And okay, that’s what we’re going to do. You go to the pilot and, wait a minute, you’re going to say, I need about 6 hours of sobering up, and then I can do all right, stop this influence.”

“I don’t know how persuasive. Oh no, they won’t. Listen. I’m happy to stand by my morals right now and still do these things, like investigate. That’s another reason we don’t do the tech for our team, because we don’t do attribution. So how am I happy to take everybody out? Well, I’m sure the Chinese and Russians have these,” Lee said. “Maybe I can see you in a fat hand or something. One other thing from the report that caught my attention, and I don’t know how you pronounce that one: I thought if there was one in there that was going to actually see results, it was attacking Oracle and manufacturing. And you mentioned manufacturing as having a lot of outages. I mentioned that in my opening keynote. I could see, if they took out Oracle manufacturing, I would watch the manufacturing outages.”

Taking the main stage on Tuesday, Peterson said in his speech, “The attacker just has to succeed one time, while the defender has to stop all attacks. Who can really believe they’ll be perfect? I see many OT security professionals. Some of you in this audience give conference presentations, webinars, white papers on a growing number of ominous-sounding adversaries and attacks.”

He added that “perfect shouldn’t be our measure. There are too many people making mistakes, too many latent vulnerabilities in our products, too many players in our supply chain. I can’t believe that I can stop every attack against a computer, switch, PLC, sensor, or actuator from ever succeeding. We need different metrics.”

He also highlighted that “we need metrics and stories that highlight success and feed the belief that we can succeed. Not a false success. But when we succeed, and we often do, we shouldn’t just brush it aside until the next time we can hype up failure.”
