In recent years, cyber attacks have become increasingly diverse and sophisticated against a backdrop of rising international tensions and geopolitical risk. Preparing for cyber risks with global impact, regardless of country or region, is no longer someone else's problem, even for Japan.
This article is a translation of a blog post written by Dragos, a US company. It mainly discusses the relationship between the geopolitical risks surrounding Iran and OT cybersecurity, but the preparedness actions and playbook ideas it proposes are just as useful for Japanese companies.
We hope this article helps CISOs, and all OT security professionals working in manufacturing and critical infrastructure, to re-examine their organization's security posture.
Introduction
If you were a CISO about five and a half years ago, you may already have a playbook for raising your security team's alert level in the wake of the recent events between the US, Iran and Israel. This is not the first time the threat level from Iran, and especially the cyber threat, has been elevated.
In January 2020, a US drone strike killed Iranian General Qassem Soleimani, a key figure in the country. In response to this incident, Iranian government leaders declared retaliation, and the US Department of Homeland Security also called for vigilance against possible cyber attacks from Iran. In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a notice to US companies and government agencies to step up vigilance against cyber intrusions and business disruptions.
As the CISO at Rockwell Automation at the time, I took this warning seriously and my team and I began working to develop a playbook to address this growing threat.
This blog is divided into two parts. In the first part, I offer some key thoughts on OT cybersecurity based on my experiences in 2020. In the second part, I offer some suggested actions for all CISOs to consider in light of the current geopolitical situation.
Can your OT cybersecurity withstand geopolitical cyber attacks?
As the company's CISO, I felt confident that our EDR (endpoint detection and response) solution, backed by our threat intelligence and threat hunting teams, had a good grasp of the threats coming from Iran. However, beyond assessing and strengthening the defensive posture of the IT environment, given Rockwell's role in the critical infrastructure sector, we realized that the OT (operational technology / control system) environment could also be a target. We reached out to several leaders in the OT security field to check whether the OT side was adequately protected. One of them was Dragos CEO Rob Lee, whom I had the opportunity to speak with directly.
First, we contacted other OT security platform providers and asked how their platforms could respond to threats from Iran and whether they were doing anything special to address the heightened threat level. Their responses were alarming and unsatisfying: their platforms relied on anomaly detection and did not proactively detect specific threats. In other words, they were not tracking the heightened cyber threat from Iran, or any other specific threat, and they had taken no special measures in response to the DHS/CISA warning.
Next, I put the same question to Rob Lee of Dragos. I was very impressed with his answer; in fact, it was the catalyst for my decision to join Dragos two years later, after retiring from Rockwell. Rob explained that the Dragos intelligence team continuously searches for, tracks, and evaluates cyber threats from specific adversary groups, including the specific tactics, techniques, and procedures (TTPs) each group uses. That intelligence is continuously integrated into the behavioral analytics of the Dragos Platform, and the Dragos OT Watch threat hunters actively hunt for those threats in customer environments. That was exactly the response I was looking for.
Speaking from my own experience since joining Dragos, the intelligence team has been paying close attention to Iran-linked adversary groups recently: sharing new intelligence, conducting threat hunts, and incorporating new TTPs and IOCs (indicators of compromise) into the platform. Even from inside the company, the speed at which this happens is striking.
For example, one day last week:
- Around 2:00 p.m. Central Time (CT), the Dragos intelligence team shared new findings on BAUXITE-related threat activity with the Dragos OT Watch threat hunters.
- By 2:30 p.m., a Dragos WorldView production report had been drafted and was ready for review and coordination with the relevant teams.
- By 3:00 p.m., a draft of the WorldView product report had been sent for peer review and the necessary partner engagements had been completed.
- By 4 p.m., the Dragos OT Watch team had conducted a sweep of all OT Watch customer environments with IOCs (indicators of compromise) extracted based on the shared intelligence.
- By 4:30 p.m., the OT Watch team had developed a daily query-based threat hunt for all OT Watch customers, and the intelligence team had published the report to WorldView subscribers.
Action Plan for CISOs
This is not a sales pitch for Dragos. I am not a salesperson, but as a former CISO I understand the pressures and challenges that CISOs and security teams around the world face in a geopolitical climate like today's. Although such a climate may center on a particular region, its implications for cybersecurity are global.
To be honest, when we started our cybersecurity program for manufacturing at Rockwell Automation in 2017, we prioritized the introduction of a security platform for visibility and monitoring of the OT domain. We knew at the time that we were already at high risk of being breached, and we felt it was essential to ensure visibility and monitoring in the factory, even given the cyber threat environment at the time (which was much calmer than it is today). This is the same idea that we prioritized in our IT security strategy.
If you have not yet implemented an OT security platform, I strongly encourage all CISOs to commit the necessary resources to it. A platform alone may not be enough, and it can be difficult or time-consuming to implement; even so, do not put it off.
Given the current geopolitical climate, we offer the following advice:
- Raise the level of vigilance for your security team. It's no secret that major cyber attacks often occur outside of business hours, including on weekends, so make sure your security team is ready and able to respond quickly.
- Don't forget the OT environment. We are concerned that many companies, especially in manufacturing, have a strong IT security program but have only just begun to consider OT security. CISOs, if a manufacturing site is shut down by a cyber attack, it has a direct impact on the company's revenue. We urge you to take the current threat environment as an opportunity to request a special budget for OT cybersecurity.
- Build playbooks for both IT and OT for specific geopolitical threats such as those you are currently facing. Iran is not the only nation-state actor that will escalate threats in the future. Each competing threat group will use different TTPs (tactics, techniques, and procedures). While the focus is currently on Iran, the geopolitical situation is rapidly changing, so it is important to keep multiple scenarios in mind to accommodate new threat actors in the future.
- Be sure to incorporate active threat intelligence into your playbooks. It is crucial that your security platform is continually receiving, prioritizing, and implementing specific TTPs (tactics, techniques, procedures) and IOCs (indicators of compromise) to proactively threat hunt both your IT and OT environments.
- Also look at your supply chain and the wider ecosystem around your company. Attacks by Iran-linked hacktivists (see Dragos's information on the BAUXITE threat group) have also targeted smaller water utilities and other sectors. Proactively reach out to your key suppliers and partners, not only to inform them of the current threat, but also to tell them about the free resources available from Dragos (see below).
- Start by implementing the SANS ICS 5 Critical Controls. Whether you are just beginning your OT cybersecurity journey or looking to improve your maturity, the SANS guidance helps cut through the complexity of OT cybersecurity. And be sure to re-evaluate the controls you already have in place to confirm they are still effective.
- Small electric, water and natural gas utilities have a vital role to play in our collective defense. Addressing OT cybersecurity can feel overwhelming, but by utilizing available resources and expanding your knowledge, you can make OT cybersecurity a reality. Organizations such as ISAC (Information Sharing and Analysis Center) are great resources to help you.
For example, Dragos OT-CERT provides free information and resources to the global ICS/OT community to help them build OT cybersecurity programs, strengthen their security posture, and reduce risk, while the Dragos Community Defense program provides the Dragos platform, threat hunting, online training, and collective defense services to small electric, water, and natural gas utilities with annual revenues of less than $100 million in the U.S. and Canada, all at no cost to them.
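The two playbook elements above that are concrete enough to code, an IOC sweep against an intelligence feed and a daily query-based hunt that encodes a TTP, are shown below in a small Python script. This is an added example, not code from Dragos, OT Watch or the original post. The indicator values, log records, addresses and host roles are all constructed for the example (documentation ranges from RFC 5737), are not real indicators, and are not associated with any named group; the "query-based hunt" here is a single behavioral rule, Modbus write function codes sent to the PLC subnet from hosts that are not sanctioned engineering workstations.

```python
"""IOC sweep and a query-based threat hunt over constructed OT network logs.

Records are flattened, Zeek-style connection summaries built inline so the
script runs offline. Nothing here is a real indicator.
"""
import ipaddress

# Constructed indicator set standing in for an intelligence feed (hypothetical).
IOC_FEED = {
    "ip": {"203.0.113.7", "198.51.100.22"},
    "domain": {"update-check.example.net"},
}

# Constructed log records: one dict per observed connection or DNS query.
LOGS = [
    {"ts": "2025-06-20T14:02:11", "src": "10.10.5.21", "dst": "10.10.5.50", "port": 502, "service": "modbus", "func": 3},
    {"ts": "2025-06-20T14:05:40", "src": "10.10.5.21", "dst": "10.10.5.50", "port": 502, "service": "modbus", "func": 16},
    {"ts": "2025-06-20T14:09:03", "src": "10.10.7.88", "dst": "10.10.5.50", "port": 502, "service": "modbus", "func": 6},
    {"ts": "2025-06-20T14:11:57", "src": "10.10.7.88", "dst": "203.0.113.7", "port": 443, "service": "ssl"},
    {"ts": "2025-06-20T14:12:02", "src": "10.10.7.88", "dst": "10.10.0.2", "port": 53, "service": "dns", "query": "update-check.example.net"},
    {"ts": "2025-06-20T14:20:15", "src": "10.10.5.22", "dst": "10.10.5.51", "port": 44818, "service": "enip"},
]

# Constructed site knowledge: who is allowed to write to PLCs, and where PLCs live.
ENGINEERING_WORKSTATIONS = {"10.10.5.21", "10.10.5.22"}
PLC_SUBNET = ipaddress.ip_network("10.10.5.0/24")
# Modbus function codes that change controller state:
# 5 write single coil, 6 write single register, 15 write multiple coils, 16 write multiple registers.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}


def sweep_iocs(records, feed):
    """Exact-match sweep: return (ts, ioc_type, value, internal_host) for every record touching an IOC."""
    hits = []
    for r in records:
        for ip in (r["src"], r["dst"]):
            if ip in feed["ip"]:
                hits.append((r["ts"], "ip", ip, r["src"]))
        query = r.get("query")
        if query and query.lower().rstrip(".") in feed["domain"]:
            hits.append((r["ts"], "domain", query, r["src"]))
    return hits


def hunt_plc_writes(records, allowed_writers, plc_subnet, write_funcs=MODBUS_WRITE_FUNCS):
    """Behavioral hunt: Modbus writes into the PLC subnet from hosts outside the allow-list."""
    findings = []
    for r in records:
        if r["service"] != "modbus" or r.get("func") not in write_funcs:
            continue
        if ipaddress.ip_address(r["dst"]) not in plc_subnet:
            continue
        if r["src"] not in allowed_writers:
            findings.append((r["ts"], r["src"], r["dst"], r["func"]))
    return findings


def run_daily_hunt(records, feed=IOC_FEED, allowed_writers=ENGINEERING_WORKSTATIONS, plc_subnet=PLC_SUBNET):
    """The 'daily query' bundle: IOC sweep plus the TTP-based hunt, as one result dict."""
    return {
        "ioc_hits": sweep_iocs(records, feed),
        "unexpected_plc_writes": hunt_plc_writes(records, allowed_writers, plc_subnet),
    }


def prioritize_hosts(result):
    """Hosts that both matched an IOC and performed an unexpected PLC write get triaged first."""
    ioc_hosts = {hit[3] for hit in result["ioc_hits"]}
    write_hosts = {f[1] for f in result["unexpected_plc_writes"]}
    return ioc_hosts & write_hosts


if __name__ == "__main__":
    result = run_daily_hunt(LOGS)
    for hit in result["ioc_hits"]:
        print("IOC hit:", hit)
    for finding in result["unexpected_plc_writes"]:
        print("Unexpected PLC write:", finding)
    print("Triage first:", sorted(prioritize_hosts(result)))
```

The point of pairing the two checks is the one the post makes about anomaly-only platforms: the IOC sweep only fires on indicators the feed already knows, while the write-function rule catches the TTP regardless of source address, and a host that trips both is the one to look at first. In a real deployment the feed and the allow-list would be pulled from the intelligence platform and the asset inventory rather than hard-coded.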
Finally
Regardless of the current state of your cybersecurity program, use this time to assess your defenses, strengthen your controls, and address any gaps. We have all seen this escalation in threats, and we are being asked to protect our companies, our customers, and society at large. This is a huge responsibility, but isn’t this the important role we chose to play in the first place?