U.S. critical infrastructure facilities, particularly the energy sector, are in the cyber cross hairs of foreign adversaries as never before. By one researcher’s estimate, some 41% of operational technology (OT) computers were hit by malicious attacks in one form or another last year.
In particular, in the second half of 2022, roughly 34% of industrial sector computers were affected by malware. Indeed, 2022 ended up accounting for the highest percentage of OT computers affected by malware.
Dragos Chief Executive Testifies on Capitol Hill
With those daunting statistics as a backdrop, Robert M. Lee, chief executive and co-founder of industrial cybersecurity company Dragos, testified recently before the full U.S. Senate Committee on Energy and Natural Resources. Lee urged that more targeted collaboration between the private and public sectors is needed to cover a "shifting" industrial cyber landscape.
The committee was seeking information and potential answers on how U.S. energy resources are being exploited for geopolitical gain by the nation’s adversaries, and on the numerous strikes that have hit the energy sector to challenge security and disrupt the economy.
“We must do more than identify and implement best practices deployed in other areas such as enterprise information technology,” Lee said.
In his remarks, he segmented his presentation into three macro categories:
- The importance of prioritizing OT/ICS (industrial control systems) networks with a focus on security controls that have demonstrated success against adversaries.
- Government should seek to understand what is and is not working and act to leverage collaborations that already exist but are under-deployed. Such collaborations will hone the federal government and private sector’s ability to make strategic decisions about the capabilities and partnerships necessary for the future.
- The private sector and the government must deploy resources. Government agencies too often ask the private sector to take actions on its infrastructure that the government has not taken internally on its own infrastructure.
Lee Offers Cyber Strategies
On prioritizing OT/ICS networks with a focus on tactics and strategies that have worked in the past...
Lee suggested the heterogeneous nature of industrial systems led to limited commonality among facilities to deal with cybersecurity issues that put the entire sector in danger.
As he explained:
“For all the right reasons, the industry moved toward more homogenous infrastructure with common software packages, common network protocols, common facility designs and more. This has brought a lot of advantages to the industry and those that depend on it but reduced the complexity that the adversaries have to operate in while increasing the complexity of what defenders have to defend.”
It's at that point that a malware toolkit dubbed Pipedream surfaced, developed by the threat group Chernovite, a “highly capable” strategic adversary. Lee described Pipedream as “the first reusable cross-industry capability that can achieve disruptive or even destructive effects on ICS/OT equipment.”
Pipedream is not a bug that can be patched away, he said. Once the malware is nestled in the target’s network, it’s a “reliable tool” for an attack because it leverages native functionality and common software present at all infrastructure sites. That means an attack on one is an attack on all.
Pipedream became an opportunity for Dragos, the National Security Agency, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy and an undisclosed partner of Dragos (perhaps a managed security service provider?) to “identify, analyze and report on the malware” in what Lee called one of the “significant public-private partnership wins of all time in cybersecurity…”
On government understanding what is and is not working...
Lee pointed out that he could not remember “even one cybersecurity technology in the last 20 years” that was developed by a national lab.
In his testimony, Lee said:
“There is not a lack of funding for cybersecurity technology in the private sector and yet government funding continues to go to efforts that are very often simply science projects looking for a problem to solve.”
Lee advised that government should follow a model of why and what, but not how, leaving the expertise of the infrastructure operators to determine how to achieve the desired outcome.
“Doing it any other way has shown to be a disaster,” Lee said.
Regulation has long been the bane of the private sector. But perhaps how regulations are arrived at and implemented is much of the problem, with multiple levels of government advising on various regulations.
“If the government seeks to push for future regulations, it must understand why and what it is seeking to accomplish and place the priority on those outcomes.
The “key message,” he said, is that “when government partners closely with the private sector and uses their expertise, we achieve better outcomes.”
As for the supply chain, Lee argued that vendors must be held accountable to baseline requirements similar to infrastructure owners and operators. Today, there are very few requirements on vendors and instead many make optional choices.
“Government, and especially the energy sector, need the ability to choose the right partners for the right situations, regardless of perception,” he said.
On government agencies deploying resources...
Owners and operators would have a much clearer idea of what to do in the event of an attack if the government clarified roles and responsibilities, identified requirements and the infrastructure needed to support them, and spelled out the threats each might face, Lee noted.
He believes it would be a good idea if government agencies were tasked with meeting the same regulations and standards that owners and operators are required to attain.
As he explained, “Inside the government there are resourcing and authorities required to increase the level of cybersecurity to what the government is asking the private sector to reach.”
In concluding his remarks, Lee returned to a familiar refrain about nettlesome problems: everyone has an opinion on what should be done, but it is up to leadership to set the priorities and requirements for both the government and the private sector.
Emphasizing his point, Lee said:
“Pipedream has shown that the threat landscape has irreversibly changed and that a sense of urgency is required. We are all keenly aware that we live and work in the communities we serve. I would take an empowered energy sector and its partners over any state actor any day.”
Other witnesses at the hearing included Puesh M. Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) of the U.S. Department of Energy (DOE), and Stephen L. Swick, chief security officer at American Electric Power (AEP).