Operational Technology Cybersecurity Expert Panel Forum 2023


“From the 2010 Stuxnet incident, the Ukraine power grid attack in 2015 to the discovery of the PIPEDREAM malware toolkit, the importance of OT cybersecurity could not have been repeatedly impressed upon us”, said David Koh (Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency (CSA) of Singapore) at the “Operational Technology Cybersecurity Expert Panel” (OTCEP) Forum 2023 [1].

Held in Singapore from 22nd to 23rd August, the forum brought together experts and practitioners to discuss security and resilience within critical sectors, including industrial organisations.

With Pipedream, ever-persistent ransomware attacks and the latest artificial intelligence technology – which has already been boldly weaponised by threat actors – rising concerns over the preparedness to combat these threats are not unwarranted.

It is therefore no surprise that the 2023 edition of the forum attracted the largest ever international and local participation since it kicked off in 2021 at the height of Covid.

Here are some highlights from topics ranging from “Cyber Threat Landscape” to “Emerging Regulations in OT Software supply chain security”, “Security-by-Design” and “Talent attraction”.

OTCEP appointed members

How has the Pipedream malware heightened potential threats faced by industrial organisations?

Pipedream was discovered in April 2022, “the seventh-known such malware targeting Industrial Control Systems (ICS)”, said Robert M. Lee (CEO, Co-founder of Dragos, Inc).

Stuxnet, the first-known malware targeting ICS, was once considered to be novel.

Fast forward to the 2022 Russia-Ukraine conflict, when the emergence of the sixth-known malware (“Industroyer2”) and the seventh (“Pipedream”) underscored the growing confidence of the threat actors.

Arguably, previous “ICS-malware” did break new grounds.

“BlackEnergy2” that hit 3 power companies in Ukraine in December 2015, was the first known cyber incident that disrupted an electric grid operator.

“CrashOverride” (or “Industroyer”) which caused a power outage in Ukraine in December 2016, was the first malware to target a transmission substation.

However, both “Industroyer2” and “Pipedream” represent a substantial escalation in adversarial capabilities.

Industroyer2 showcases a capability to embed customized configurations that adapt the malware to specific devices within the victim’s environment. In other words, it reduces the efforts to replicate the attack across various victims, thereby facilitating the deployment of malware on a larger scale.

The ability to scale was even more concerning with Pipedream.

According to Mr Lee, Pipedream targets “common” components and protocols (such as Codesys, MODBUS, OPC UA) [2] that are found across thousands of devices supplied by hundreds of vendors and manufacturers, and deployed in a wide variety of industrial organisations.

Further advancing this supply-chain attack are its extensible and modular characteristics. These functionalities suggest that Pipedream is intended for continuous adaptation to more protocols, which could expand its potential target space and give it even more cross-industry flexibility, Mr Lee added.

How concerning are ransomware attacks for industrial organisations?

The REvil ransomware gang was taken down in January 2021, and Conti was dissolved in early 2022. However, the demise of such ransomware gangs has not slowed down ransomware activity.

Mr Robert Lee highlighted 605 ransomware attacks that targeted industrial organisations and infrastructures in 2022, marking an 87% increase compared to the previous year.

One reason is the continued growth of ransomware-as-a-service (RaaS), such as the Lockbit and its affiliates.

The surge in ransomware attacks underscores how RaaS has significantly lowered the entry barrier, enabling threat actors who have neither the expertise nor the access to buy services ranging from phishing campaigns to data exfiltration tools.

New capabilities to evade detection – such as the anti-debugging and Windows Defender deactivation mechanisms offered by Lockbit – further boost ransomware infection rates and “make Lockbit 3.0 one of the fastest-growing ransomware strains”, he added.

“Manufacturing industry more than any other —nearly twice as much as the other industrial groups combined” was targeted, he also revealed.

Panel discussion – Cyber Threat Landscape
Joining virtually – Mr Robert M. Lee (CEO & Co-founder, Dragos, Inc)

How have cyber mitigation measures in ICSs evolved in the past 12 months?

ICSs have historically operated under the convenient illusion of security through obscurity and isolation – that they are less susceptible to cyberattacks due to their complex and proprietary protocols and interfaces, and often also due to their “separation” from the internet.

However, ransomware targeting ICSs and the discovery of Pipedream laid bare the fallacy of the above assumptions.

First, digital connectivity has enlarged the attack surface. Second, adversaries remain relentless in systematically probing ICS operational capabilities.

Several cyber defence approaches were discussed, including the “Software Bills of Material (SBOM)” [3].

For example, “OPC UA” targeted by Pipedream is used in a wide range of industrial devices and equipment, including PLCs, sensors, actuators, SCADA systems, HMIs, and more, within industrial organizations, manufacturing companies, and facilities across various industries. [4]

Given its ubiquity, forming a reliable picture of an industrial organisation’s risk exposure to Pipedream is not straightforward. One hurdle is the lack of transparency into the components that make up the devices/equipment operating within a complex ICS.

This challenge could be addressed by vendors listing such details in a “SBOM”.

Indeed, Mr Dale Peterson (Founder & Program Chair, S4 Events; Founder & CEO, Digital Bond Inc) noted the growing momentum of this concept.

He stated that “based on the early stage venture funding”, SBOM and software/firmware visibility and risk analysis is “potentially the next big thing in the OT security category.”

Beyond visibility, risk management also requires mitigating vulnerable components, an undertaking that poses significant challenges within ICS.

For instance, while a website’s temporary shutdown is acceptable, sudden interruptions in electrical supply services to patch security vulnerabilities are clearly less tolerable.

To address this challenge, Mr Dale Peterson highlighted the “Now, Next, Never” framework developed by the CERT Coordination Center (CERT/CC).

Within this framework, vulnerabilities are categorised into those that require immediate action (“Now”), no action (“Never”), and those that do not directly impact OT operations but do require mitigations (“Next”).

As an illustration, Mr Robert Lee revealed that 30% of reported vulnerabilities in 2022 fell under the “Never” category. Such information might prove highly beneficial for industrial organizations as they weigh the options of either monitoring for signs of exploitation, or taking services offline for patching.
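The two ideas above, SBOM visibility into a device’s components and the “Now, Next, Never” triage of what that visibility turns up, fit together naturally. The following is an added example, not code from the forum, CERT/CC or any of the speakers: it parses a constructed CycloneDX-style SBOM for a fictional PLC firmware, matches it against a constructed, hypothetical advisory, and buckets the hits using one plausible reading of the three categories (service enabled and process-critical → Now; enabled but not process-critical → Next; present but disabled → Never). The component names, versions, advisory id and asset context are all made up for the example.

```python
"""Match an SBOM against an advisory and bucket the hits as Now / Next / Never.

Added example; SBOM, advisory and asset context are constructed data, and the
triage rules are an illustrative interpretation of the three categories, not
the CERT/CC definition.
"""
import json

# Constructed CycloneDX-style SBOM for a fictional PLC firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-plc-firmware", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "codesys-runtime", "version": "3.5.17"},
    {"type": "library", "name": "modbus-tcp-stack", "version": "1.8.2"},
    {"type": "library", "name": "opcua-server", "version": "2.1.0"},
    {"type": "library", "name": "zlib", "version": "1.2.11"}
  ]
}
"""

# Constructed, hypothetical advisory: component families and the highest
# affected version of each. Not a real advisory.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "affected": {
        "codesys-runtime": {"max_version": "3.5.18"},
        "opcua-server": {"max_version": "2.1.0"},
        "modbus-tcp-stack": {"max_version": "1.9.0"},
    },
}

# Constructed operational context for the asset running this firmware:
# which protocol services are enabled, and which carry a process-critical function.
ASSET_CONTEXT = {
    "codesys-runtime": {"enabled": True, "process_critical": True},
    "opcua-server": {"enabled": True, "process_critical": False},
    "modbus-tcp-stack": {"enabled": False, "process_critical": True},
}


def version_tuple(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. "3.5.17" -> (3, 5, 17)."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Return {component name: version} from a CycloneDX-style SBOM document."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def find_exposure(sbom_json, advisory):
    """Return {component: version} for SBOM entries at or below the advisory's affected ceiling."""
    hits = {}
    for name, version in load_components(sbom_json).items():
        rule = advisory["affected"].get(name)
        if rule is None:
            continue  # component not named by the advisory
        if version_tuple(version) <= version_tuple(rule["max_version"]):
            hits[name] = version
    return hits


def triage(hits, context):
    """Bucket affected components into "Now", "Next" or "Never" using asset context."""
    result = {}
    for name in hits:
        # Unknown context is treated as the worst case so nothing silently drops out.
        ctx = context.get(name, {"enabled": True, "process_critical": True})
        if not ctx["enabled"]:
            result[name] = "Never"   # present but not running: no immediate action, keep tracking
        elif ctx["process_critical"]:
            result[name] = "Now"     # exposed and process-critical: act immediately
        else:
            result[name] = "Next"    # exposed but not directly affecting operations: plan mitigation
    return result


def assess(sbom_json=SBOM_JSON, advisory=ADVISORY, context=ASSET_CONTEXT):
    """End-to-end: SBOM -> affected components -> triage bucket per component."""
    return triage(find_exposure(sbom_json, advisory), context)


if __name__ == "__main__":
    for name, bucket in sorted(assess().items(), key=lambda kv: kv[1]):
        print(f"{bucket:5s}  {name}")
```

A “Never” verdict here only means the vulnerable code is present but the service is not enabled on this asset; if the context changes (the service is switched on, or the component turns out to be reachable another way) the item should be re-triaged, which is why the example still records it rather than discarding it.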

How has artificial intelligence (AI) shaped “OT” cybersecurity conversations?

Frequently used terms such as “zero trust” and “air gap” were noticeably absent during the forum, indicating a shift to addressing practical details.

Another factor was the attention garnered by large language models (LLMs), which have been notably exploited by threat actors in phishing campaigns.

To combat the rise of AI-assisted cyberattacks, cyber defenders must harness the full power of AI technologies.

The use of AI in cybersecurity is not new – for example, there are AI detection models trained to spot network traffic anomalies.

However, beyond traditional AI, cyber defenders must tap the revolutionary capabilities of the latest AI technologies.

In fact, CE David Koh highlighted the rise of emerging technologies, including AI, and stressed that given the “constantly evolving” threat landscape, “we cannot rely on old answers to address new challenges we face”.

Preliminary discussions include using LLMs to rapidly collate threat intelligence and generate reports. With the intense focus and interest in integrating LLMs into organisations, there is no doubt that more applications for cyber defence will surface.

The human aspect – talent and teamwork

The success of the RaaS ecosystem epitomises how threat actors collaborate to achieve their malicious goals.

To counter these adversaries, cyber defenders must likewise leverage the collective efforts from businesses, government, academia, and society.

Reflecting the importance of partnerships were several initiatives announced during OTCEP 2023.

One is the inaugural Singapore-Industrial Control Systems Cybersecurity 301 (SG-ICS301) course.

Organised jointly by Singapore’s CSA Academy and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and represented by delegates from Singapore, ASEAN, Bangladesh, and Maldives, the initiative unites international efforts to fight threat actors exploiting the borderless cyber world.

Two Memoranda of Understanding (MoUs) were also signed, further bolstering public-private partnerships.

These were (a) an MoU between CSA and Dragos, to fortify Singapore’s OT cybersecurity capabilities through collaboration in threat intelligence, consultancy and risk assessment, incident response and training [5], and (b) an MoU between ST Engineering and Siemens Energy, under which both parties will jointly develop OT cybersecurity solutions to enhance the cyber resilience of critical sectors [6].

ST Engineering

Last words – linking to mission critical goals

Competing for security resources to combat today’s threat landscape often requires answering the “return on investment” (ROI) question demanded by the boards. In other words, “how do we know if the investments are worth it?” Mr Dale Peterson said.

Rather than accumulating security controls because they are “good practices”, it is more important to “measure the effectiveness of your security control against key mission metric,” Mr Dale Peterson suggested.

One practical way is applying “Consequence-Driven Cyber-Informed Engineering” (CCE), as pointed out by Mr Marco Ayala (Director, ICS Cybersecurity, 1898 & Co.; InfraGard Sector Chief).

Under this approach, risk management starts from identifying the high consequence events (HCEs) of the operations that must not fail. With this understanding, the next step is to identify the enabling functions and build out targeting scenarios that will help guide and prioritise mitigation measures.

Indeed, aligning mission-critical goals with cyberattacks and protection strategies reshapes the security budget ROI conversation with the board into a more constructive dialogue.

Ultimately, the goals of achieving reliable and safe services are indisputable. As threat actors persistently exploit digital vulnerabilities to cause real-world ramifications, the need for robust and proportional cybersecurity measures is equally undeniable.

Notes:

[1] Announced in 2020 with the inaugural meeting in 2021, the OTCEP augments Singapore’s OT Cybersecurity Masterplan which was launched at the Singapore International Cyber Week 2019 (by Senior Minister and Coordinating Minister for National Security, Mr Teo Chee Hean). The Masterplan was developed as part of CSA’s continuous efforts to enhance the security and resilience of Singapore’s critical sectors, improve cross-sector response to mitigate cyber threats in the OT environment and strengthen partnerships with industry and stakeholders.

[2] CODESYS (“Controller Development System”) is a platform; Modbus and OPC UA (“OPC Unified Architecture”) are communication protocols

[3] Defined in the May 2021 Executive Order 14028 issued by the U.S. White House as a “formal record containing the details and supply chain relationships of various components used in building software.”

[4] “OPC technology is currently installed in over 17 million machines and factories around the world. These case studies span several industries and highlight the real-world savings and benefits from using OPC technology.” https://opcfoundation.org/resources/case-studies/ Additionally, “today, there are more than 5,200 suppliers who have created more than 42,000 different OPC products used in more than 52 million applications.” https://opcfoundation.org/

[5] In addition, the MOU will facilitate more information sharing and cross-fertilisation of ideas, foster alignment with industry best practices and provide CII sectors access to expert knowledge. Local cybersecurity companies will also have opportunities to work collaboratively with Dragos through this MOU.

[6] The collaboration between these companies on OT cybersecurity will enhance the resilience of Singapore’s national critical infrastructure. In addition, the MOU will facilitate knowledge sharing, information exchange, and joint exploration or entry into new markets and use cases for both companies.

Images
OTCEP appointed members

Minister Josephine Teo (Minister for Communications and Information); Mr David Koh (Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency (CSA) of Singapore); Mr Chua Kuan Seah (Deputy Chief Executive of CSA). From left: Dr Terence Liu (CEO, TXOne Networks), Mr Marco Ayala (Director, ICS Cybersecurity, 1898 & Co.; InfraGard Sector Chief), Ms Saltanat Mashirova (Advanced Cybersecurity Architect, Honeywell; Founder, Women in Cybersecurity (Kazakhstan)), Ms Sarah Fluchs (CTO, admeritia GmbH), Mr David Koh, Minister Josephine Teo, Mr Chua Kuan Seah, Mr Dale Peterson (Founder & Program Chair, S4 Events; Founder & CEO, Digital Bond Inc), Mr Zachary Tudor (Associate Laboratory Director, National and Homeland Security Science at Idaho National Laboratory), Mr Eric Byres (CTO, aDolus Technology Inc; Senior Partner, ICS Secure Ltd), Dr Lim Woo Lip (CTO (Cyber) of ST Engineering), Mr Justin Searle (Director of ICS Security, InGuardians, Inc). Joining virtually: Mr Robert M. Lee (CEO & Co-founder, Dragos, Inc). Photo credit: Ministry of Communications and Information (MCI).

ST Engineering, from left

Mr Je Jun Oh, Senior Vice President, Gas Services, Siemens Energy; Mr Leo Simonovich, Vice President and Global Head, Industrial Cyber & Digital Security, Siemens Energy; Mr Goh Eng Choon, President, Cyber, ST Engineering;
Mr Chua Kuan Seah, Deputy Chief Executive, Cyber Security Agency of Singapore; Mr Lim Meng Hwee, Senior Vice President and General Manager, Cybersecurity Solutions & Services, ST Engineering; Mr Christopher Anthony, Director, Critical Information Infrastructure, Cyber Security Agency of Singapore; Mr Mex Martinot, Vice President and Global Head, Industrial Cybersecurity, Siemens Energy; Mr Hubert Heng, Assistant Vice President, Cybersecurity Systems, ST Engineering. Photo credit: ST Engineering.
