How Dragos is protecting the industrial control systems and infrastructure

Dragos highlights how cyberattacks on critical national infrastructure are on the rise, with hacking groups targeting critical industries such as energy and power, and utilities


The development of control systems can be traced back to antiquity; however, since the industrial revolution, they have grown into an invisible backbone that underpins our society. Recent decades have seen industrial control systems (ICS) become more networked, allowing operators to be more connected to their operations. However, digitalisation and the increasing networking of machines and industrial systems result in heightened cyberattack risks.

In 2021, 91 per cent of industrial organisations had at least one security incident in their operational technology (OT) environment, according to a security survey. Meanwhile, statistics suggest that the ICS cybersecurity industry is likely to grow rapidly over the next five years, with estimates forecasting that it will be worth $22.8bn by 2026. The industry has gathered an arsenal of awareness and security services with the support of researchers, studies of increasing attacks on industrial sites, and extended interest from corporate and government sectors. With this in mind, organisations like Dragos are developing cybersecurity solutions to assist businesses in developing their cybersecurity strategies.

Protecting industrial control systems
Dragos was established in 2016 to protect industrial control systems. As the company has developed, it has raised over $360m in investments to become one of the most important emerging cybersecurity companies in the GCC.

“Keeping industrial control systems and operational technology safe means protecting the most important structures of an organisation. Cyberattacks focused on technology companies, or financial institutions generally don’t have physical effects, whereas cyberattacks targeting critical industries such as energy, oil and gas, mining and pharmaceuticals will leverage disruption of sometimes dangerous physical equipment which we rely on as a society. Other intrusions focus on retrieving intellectual property, or even staging access to critical parts of large industrial plants for future actions,” says Eddy Wade, principal industrial consultant at Dragos.


Within the Gulf Cooperation Council (GCC) region, Dragos assesses that adversaries are very likely to cause small-scale disruptions in the OT environment and, with moderate confidence, that they could cause large-scale disruptions. Meanwhile, ransomware continues to be the most severe threat to IT and OT environments. If OT is not effectively segmented from IT systems, ransomware attacks might hinder production, and these disruptions have led to enormous financial loss and to property and reputational damage in the region. The company unveiled its Oil and Natural Gas Cyberthreat Perspective report for the GCC region in November 2021, which includes the following key findings:

  • The ICS security risk to GCC ONG sectors is high due to increasing intrusions into ICS networks for reconnaissance, research, and espionage, from nation-states, as well as the criminal use of destructive malware or ransomware at ONG facilities in the region.
  • Between 2018 and 2021, the number of ransomware attacks on ICS entities increased by over 500 per cent, according to Dragos’ data, with five per cent of attacks impacting ONG entities.
  • Activity groups targeting original equipment manufacturers and third-party vendors pose a significant threat to ONG supply chains, and these effects are possibly already present in GCC ONG facilities.
  • Malicious state actors will increasingly target ONG and related industries to further political, economic, and national security goals, potentially causing disruptive or destructive events.

Spotlight on cybercrime groups
With the world becoming increasingly interconnected and dependent on digital systems, targeting these technologies is an effective way to launch a cyberattack. In the report, Dragos also observes the emergence of some of the most dangerous cyber-enemies in recent years.

Some of the most active state groups in the ONG sector include:
  • Parisite targets utilities, aerospace, and ONG entities. Its geographic targets include the GCC, North America and Europe. The group uses open-source tools to compromise infrastructure and leverages known virtual private network vulnerabilities for initial access. This group has operated since at least 2017, according to research.
  • Hexane targets ONG and telecommunications in the GCC, Africa, and Southwest Asia. Dragos identified this group in May 2019. The group drops malicious document files containing malware on victim machines, from which it can then proceed to further its goals in the target network.
  • Wassonite targets electric generation, nuclear energy, manufacturing, ONG, and research entities in the GCC, India, and likely South Korea and Japan. The group has been operating since at least 2018 and relies on DTrack malware, credential capture tools, and system tools for lateral movement.
  • Raspite targets electric utilities in the US and government entities located in the GCC. Dragos also identified additional victims in Saudi Arabia, Japan, and Western Europe but has not identified new activity since mid-2018.


Currently, Dragos is monitoring and tracking threat groups targeting industrial infrastructure.

Diverse services by Dragos
Dragos has played a significant role in protecting organisations’ infrastructures across the globe. In 2016, Dragos investigated a cyberattack on the electric power grid in Ukraine, and in 2017 it countered cyberattacks on Saudi Arabia when hackers breached the security system and tried to kill people at a petrochemical facility. Today, Dragos offers solutions and services which focus on protecting critical infrastructure, including architectural review and evaluation of the corporate security programme, assessing the weaknesses of ICS devices and applications, identifying risks threatening industrial assets, evaluating ICS networks, filling gaps in network defence systems, and more.

“A comprehensive protection programme requires a continuous assessment of system activity and their vulnerabilities. Organisations must move toward increased visibility to identify intrusions early before the effects of an attack are realised. While there’s plenty of work to be done here, defending our infrastructure is doable, and most importantly it’s worth it,” concludes Wade.
