Operational Technology: The evolving threats that might shift regulatory policy
Mitch: Twice a year, the team at Nozomi Networks known for their expertise in OT and IoT security release a threat landscape report that sheds light on how threat actors are shifting their tactics, who they're targeting, and where. In this episode, Roya Gordon from Nozomi unpacks the latest OT/ IoT threat report, covering not only the newest threats, but offering insight into what we might see on the cyber insurance side for the sector and how regulation might change in the face of increasingly aggressive criminals. Join us and together we'll venture Into the Breach. So Roya, Nozomi just released your biannual threat intelligence report focused on OT and IoT. What was your biggest aha moment with this one? And if you could give one piece of advice to friends in those industries, what would it be?
Roya Gordon: So, yeah, thanks for bringing that up, Mitch. So our security report was just released January of this year, and we share a lot of very interesting information. I've been in the threat intelligence space for a while, and I love this report because I'm seeing insights that I haven't seen in previous reports. But one section I would say was my biggest aha, like, " Wow, this is really crazy," is our IoT botnet landscape section. So in this section we share information that we've collected from our honeypots. We set up a couple honeypots to simulate IoT devices. So it attracts these botnets that are trying to access these devices. And with that information we're able to see IP addresses and locations of where these attacks are coming from, credentials and things like that. One of the most interesting pieces under that section is top credentials used. So botnets, they're preloaded with default credentials. If you look at the report, you'll see admin1234, or adminpassword. And it's crazy because a lot of organizations with IoT devices, they're not changing their passwords. So you have these botnets that are purposely using default passwords to access IoT devices, and on the other hand, organizations aren't changing their passwords. So that's been one of the strongest messages out of this report.
Mitch: Okay. So wait, I have to actually ask you this. So are you saying that when an organization deploys some IoT technology that they're just keeping the default password?
Roya Gordon: Yes, that's exactly right.
Mitch: Oh my gosh, okay. So yeah, my little threat intel brain is doing back flips right now. So not in a good way.
Roya Gordon: Yeah. So that was my big aha. Again, a lot of other juicy parts to the report, but that was definitely one that stood out.
Mitch: Okay. Well, that would stand out to me too. So if you're listening to this, change your password. The report is very interesting. So for the folks on the line, I do the threat intelligence report for IBM X- Force. If you haven't already seen it, you got to go look at it, but I want to talk about the fact that you, Roya, are seeing OT and IoT becoming the victims of hybrid attacks, and that's something that we are seeing in other industries here at X- Force as well. What are you seeing specifically at Nozomi?
Roya Gordon: Yeah, okay. So tell me if I'm wrong here, Mitch, because I've noticed throughout my experience that different types of threat actors, they had different types of TTPs tactics, techniques and procedures. So nation state threat actors, they were the spies. So they were conducting cyber espionage and maybe stealing data, cyber criminals, they were always financially motivated. So they're launching ransomware attacks and extortion attacks and stealing data to sell on the dark web. And then hacktivists, I was never concerned about them. They were protesting a cause, doing a data breach and then trying to embarrass the company. So there were very clear lines between the different threat actors and their motives.
Mitch: Yeah. You're definitely right on that. They definitely fell into three pretty clear buckets, but not necessarily the case anymore.
Roya Gordon: At all. So I noticed it at first with a colonial pipeline. It's a ransomware attack. So these threat actors are cyber criminals, they're financially motivated, but it's an attack on a pipeline on critical infrastructure, which is something a nation state threat actor would do in wartime. So that's when I started noticing, okay, they're leveraging different types of tactics as a means to their end. There still are some nuances. So like a nation state threat actor, they're going to want to disrupt critical infrastructure. Ransomware, threat actors, they're just doing it for you to pay the ransom. They're not really trying to be that disruptive, but I've noticed that especially last year, hacktivists are now starting to disrupt critical infrastructure still as a means of protests, but they're disrupting rail, they're disrupting industrial control systems. So it's starting to become a bit concerning. I like to tell people maybe we shouldn't focus so much on attribution. Why does it matter hacktivist versus nation state versus criminal is attacking critical infrastructure. Let's focus on how to secure a asset, how to be resilient in the event of an attack.
Mitch: Well, I agree with that because regardless of the attribution, the attack aftermath is pretty much the same. And when it comes to attribution, we are also seeing things like hacktivist acting on behest of a nation state or in defense of a nation state, whether it's tats or some other agreement that's happening. So it's becoming extremely murky to try to attribute, but again, end game still the same. You're disrupted, bad things are going to happen. So I agree with you, protect your assets. So speaking of protecting your assets, you make mention of cyber insurance in the report. This has been a super hot topic over the course of at least last calendar year in heating up again this calendar year. And that's actually for all industries. My suspicion is that OT and IoT are really coming under scrutiny when it comes to cyber insurance. What do you anticipate seeing here?
Roya Gordon: I'm anti- cyber insurance.
Mitch: Wow. Controversy. Go ahead, please.
Roya Gordon: I know, but only because organizations use it as a crutch. So they feel like they can lack insecurity or lack in really developing a robust cybersecurity program because they have cyber insurance, they're covered, but there's just a lot of in the fine print that they're not reading. So if you think about it, the people that are doing the underwriting for cyber insurance, they don't have any cyber background. They have insurance backgrounds but not cyber backgrounds. So you couple that with increasing attacks, with complexity of supply chain attacks. So like what happened with solar winds. What happens if maybe a piece of technology is compromised, but it's in my environment and I'm the organization who gets paid out? So there's all these nuances to the point where a lot of companies don't even qualify. They're not even eligible for their payouts because of the nuances. Another issue is threat actors are getting smarter and they're tailoring their ransom asks to the percentage that they know cyber insurance is going to pay out. So it's almost really not preventing anything. It's causing organizations to be a little bit lazier. And then we're essentially giving these threat actors what they want because organizations are going to feel like, " Well, I'll just pay the ransom and I'll get money back through cyber insurance." It's not a part of being cyber resilient. The way to be cyber resilient is have strong backups. So if you're hit with a ransomware attack or worse a wiper malware, you can't even pay a ransom to get your data back. You're good because you have strong and current and robust backups. That should be the focus instead of cyber insurance. But I do think that cyber insurance is going to change because of all these factors that I brought up. And I'm curious to see what these new policies will look like in 2023.
Mitch: Yeah. So am I. I agree with you, I think it's going to change a lot, not to the satisfaction of those who are insured, but that's an interesting point though about cyber insurance actually offering a carrot to threat actors. If they know you're insured, they're like, " Hey, this company gets a$ 500,000 payout, if they get hacked let's ask for 500 K." So hadn't thought about that. And an interesting point, speaking to popular topics, we should have a little drum roll here. Let's talk about regulation. Not really popular with most of the industries in OT and IoT, but I am hearing rumblings from the Biden administration that we're likely going to see increased regulation for OT and specifically industrial control systems. I read a recent interview with Anne Neuberger, she's the deputy national security advisor for cyber and emerging technology, and the quote that stood out to me was, " Voluntary efforts have been insufficient against the threat of the critical infrastructure services Americans rely on." What does she mean they've been insufficient?
Roya Gordon: Okay. Before I answer that, I do want to say that the increase in regulations, it's not a bad thing. Isn't the government forcing industry to do something they don't want to do? Industry is actually asking for this. I've been in rooms where asset owners are pressuring TSA and other organizations to do more. So it may seem daunting, but I think real asset owners that understand how critical their assets are and they want it to be secure, they're asking for more guidance from the government. Second point is when you read these regulations, they're very practical. They're not really telling organizations to do something that's just totally out of line. Most of the time it's requiring companies to designate a person who will be the reporting authority of cyber incidents. I mean, the fact that organizations don't even have that is pretty unsettling. But yeah, I think regulations are good. Now, what I think Miss Neuberger meant by saying voluntary efforts have been insufficient is that there's just too many gaps in the process. So if NIST is just guidance and some companies follow it and some don't, then you create a gap. If everyone isn't doing their part, then it's obsolete to even have guidance or voluntary guidance. So I think it's good to have standardization, and if you look in tech, there's standardization in protocols and different types of technologies, but there's no standardization in processes. And I think that's what the government is trying to do. They're trying to standardize the process of reporting between industry and government agencies, which I think it's only going to be beneficial for everyone in the end.
Mitch: So I'm with you that I think that there has to be some regulation. So there's cohesiveness across the industry. So we don't have one company doing one thing and another doing a second thing and doing a thing because we are talking about protecting systems that actually work together and need to work together to keep a nation running. So what do we know about sector specific plans? Are they actually needed? And will organizations in these sectors actually be prepared to respond and implement? Let's pick on the aviation sector first since the airline industry in particular has had a few blips on the radar, no pun intended, in the recent past. So let's talk about that one.
Roya Gordon: So Mitch, I'm going to give you a politician's response and respond without really responding. So another thing that I'm anti is everyone focusing on specific industries. There are certain industries that yes, they're different, there's different protocols being used, different technologies, but all of the mitigations and the recommendations tend to be the exact same. Another point I want to bring up is that threat actors, sometimes they're not targeting industries. So when I was working with a mining organization, back when I was consulting, they wanted to know if they were specifically being targeted. And when we say targeted, I mean there's an active threat campaign that's targeting that specific company or that industry. Oftentimes threat actors aren't doing that. Maybe if it's nation state and there's a campaign specifically on cyber espionage and they're trying to get data from an organization, sure. But cyber criminals, they're not doing that. They're scanning devices, they're using Shodan and all of these other open source tools. They're seeing what's publicly accessible, they access them, and then from there, they either sell that access, they probably launch some ransomware to get money. A lot of times they don't even know what industry they're targeting or they have access to. Now, once they've done that, and I've seen this on the dark web, once they've accessed a company network and they do their reconnaissance, they tailor the price that they're selling that network access for based on the industry, the employee count and the revenue count. So there's a whole bunch of other factors that has nothing to do with the industry, but they're like, " If the revenue of this company is a couple hundred million dollars, then that means they have money to pay a ransom. So they're looking at it a little bit more strategically. But what I can say for the aviation sector is to continue to follow all the recommendations that the other sectors are doing to protect your assets from threat actors.
Mitch: Well, I respect your politicians' answer, but I want to raise one point that got me excited when you said it isn't like the dark web has become eBay for threat actors, hasn't it?
Roya Gordon: Yeah.
Mitch: It's like they've got these backdoor access to all of these companies and they're holding up for the highest bidder. So that just to me, is a freaking amazing development in how these guys are operating. They're literally grabbing pages out of the handbook of legitimate businesses, and it's clever in an evil way, but I still have to say clever.
Roya Gordon: No, it is. And I do want to piggyback on that. It also helps to streamline attacks because now you can have a novice that goes on the dark web and buys network access from one threat actor and then buys malware, ransomware, whatever, from another threat actor. And then now I'm able to launch a pretty sophisticated attack without building anything, without doing anything but just purchasing these items. So it creates more players in the game. But you're right, it's definitely clever because before the threat actor would develop their tool and then they have to find an exploit, and they pretty much had to do all the work. Now they're outsourcing everything. And again, it leads to lack of attribution because if you sell the ransomware that you develop, you're a ransomware developer. You sell it to a threat actor that launches the attack on Colonial Pipeline, now we're confused with, okay, this is the ransomware, but they sold it. Now we don't even know who the ones were that launched the attack. So yeah, the way that they've set things up on the dark web, it's very smart, it's efficient, it's just streamlining more successful attacks.
Mitch: I agree with you. I was going to actually make that attribution point as well because I think attribution is going to become something that we used to talk about because when we're looking at initial access brokers dropping in back doors and then selling the backdoor, and then another person coming in and developing the ransomware and a third person coming in, buying that backdoor, buying the ransomware, we're never going to really know who does these things. But the point is, is that particularly important? What's more important is making sure that you're protected. Now, I know you don't really want to talk about sectors, but I want to talk about the energy sector because this one's really interesting because we're now looking internationally at ways to protect it, especially given the Russian War in Ukraine. And there was an interesting meeting recently involving spoiler alert, your old stomping grounds. I'm going to let you talk about that, but what do you know about international efforts to keep this sector safer?
Roya Gordon: Yeah. Energy has a special place in my heart because I started out in OT security in energy and in oil and nuclear. So that's always been my focus. And then utilities, and then it's spread out to manufacturing and other parts of critical infrastructure. What's really unique about energy is that it truly is global compared to other critical infrastructures that are more national or regional. So power grid operators, they're focused on things in the United States or whatever country they're in that's affecting the power grid. But if you are like a Shell or a Chevron and you have assets globally, now you have to focus on foreign policy. You have to focus on in stable regions, wars, conflict, different types of data exchange and retention policies and things like that. So you have to look at geopolitics, you have to look at so many more things outside of just domestic policy and just operations of your assets in country.
Mitch: So I agree with those points. And the meeting that I was referring to that took place was at the Idaho... You're going to have to correct me on this term, the Idaho Engineering Laboratory out of Idaho Falls?
Roya Gordon: Idaho National Laboratory, INL.
Mitch: Idaho National, INL. So yeah, for those of you who are listening, I am also from Idaho. And apparently Roya lived like two hours from me. So small world folks, but had to bring that in. Idaho's got a place in everything, doesn't it?
Roya Gordon: Yeah. You wouldn't think because when people think of Idaho, they think of potatoes, but when I told them, " Yeah, I worked at a nuclear laboratory doing cybersecurity on critical infrastructure, and they're like, huh?"
Mitch: In Idaho Falls of all places. Yeah, right. All right. So when we're talking about increased regulation, which is obviously going to happen, are these organizations in OT and IoT, are they going to be ready for this?
Roya Gordon: You know what? So I did mention before that the regulations are practical, but it's also because there's been a lot of cohesion between organizations and government lately. So maybe in the beginning, and I started noticing the increase in these policies and regulations after the 2015 and 2016 attacks on Ukraine's power grid. The FBI, they went around to electric utility companies and was telling them about how to be secure, how to protect their assets from that threat. And then there's been regulations in oil and gas and then now rail and a whole bunch of other industries. But what I'm noticing is the government's actually reaching out to asset owners, vendors and getting feedback and saying, " Hey, this is a draft policy. What do you all think?" They're reaching out to experts because we have insights to say, " Well, this is feasible. This isn't due to these factors." So you can't just say, " We need you to do this within six months." Maybe this can be done within a year, within two. And because of that, I'm noticing that the regulations are more well received by organizations, which is good. But there was a little bit of friction probably a year or two ago when everyone was in an uproar because they're like, there's no way that we can do this. This isn't practical. But yeah, I think we've smoothed that over now. I'm now a part of this organization where we focus on control system security for rail, and we pull NTSA agents directly into those meetings. So we're not just waiting for them, we drag them in. We want them to be a part of the conversation, we want their input, and then that's how we're able to build these regulations together. And I think that's the right approach for that.
Mitch: Actually have to agree with you because at X- Force, we are also becoming part of those conversations when there's policy under development where people are saying, " Hey, this is a proposed policy. What do you guys think of us? Please give us feedback." So we have an opportunity to chime in too, to say, " Hey, that's realistic. This is not so much, and by the way, you should consider this," which is so much better than what we used to have. I won't pick on anything GDPR. So we're getting policy that's actually more effective and realistic and probably actually going to work better. All right. So last question for you. What advice would you give our IoT, and OT friends today?
Roya Gordon: Man, what? There's so many.
Mitch: Okay, pick two.
Roya Gordon: Where do I begin? Okay. I will say, since we're wrapping up policies that while policies can be frustrating, it's just better to have policy than no policy. I know industries have been receptive. A part of it has been a little bit of overload, policy overload, especially when you're in an industry and you fall under several jurisdictions of different government agencies. So for example, if I'm a pipeline operator, maybe an attack happened and I'm going to reach out to the FBI to trace that activity or to try to trace the funds. Maybe I paid the ransom and we're trying to retrieve a part of the funds, the FBI would get involved. TSA will come in because a pipeline is under TSA's jurisdiction. But then DOE, Department of Energy would probably need to get involved because again, you're feeding into other energy assets. Oil is energy, and then it could have cascading effects. So because government agencies don't seem to be talking to each other, it can't become frustrating for organizations. So again, policy isn't bad, but I think the next step is to make sure there's cohesion. Maybe there should be a portal that government agencies can share and pull that information from there instead of doing all of these separate engagements with the organization. But I would say definitely don't look at policy as a bad thing. And then a final piece of advice I would share is don't sleep on cyber hygiene. I have presented to CISOs, technical people, board members, and everyone's focused on how do we secure OT environments. And it seems like the focus shifts from the basic, make sure you have strong passwords, change default passwords, have identity and access management, have backups. All of the things you should already be doing for your IT. They seem to gloss over that and they're like, " No, how do I specifically secure OT and IoT?" And I'm like, " If you look at a series of previous attacks, the right actors are getting in from stolen credentials from employees that no longer work at the company or have access they shouldn't have." These are basic cyber hygiene things. So yeah, I would say definitely still do cyber hygiene because that's also a way to secure OT and IoT. It's not just for securing the IT.
Mitch: Well, I will say as well that IT has traditionally been the domain of threat actors. And we've come a long way in helping the IT side of the house figure out safeguards and ways to protect against it. And that's been going on for years. But OT has more recently come under the microscope of threat actors, and it's actually a more sensitive and vulnerable technology. And I think folks are just getting up to speed on how this actually can be used against them.
Roya Gordon: Yeah, I totally agree. I guess I'm just saying don't throw the baby out with the bath water. Don't just focus on one thing and then it's now you're just insecure because maybe you're focusing on security and OT, but there's ways that threat actors can pivot from the IT into the OT. I always say that there's different infection vectors when it comes to OT. It could be from the IT where it's a pivot into OT, it could be via IoT, because they're bridging that gap between two environments. Or it could be trying to exploit an industrial control system directly. So that space is unique because now there's a tax coming from so many different angles. I'll give an example. I was working with an electric utility a couple years ago, and they had a software called My ID, and IT allowed remote connection into industrial control systems at substations. Super convenient. It sat in the IT and the credentials were an active directory. And you already know that's like the first place that threat actors look, you're trying to escalate privileges. So that's an example of how maybe you're trying to secure your OT environments, but if you're having stuff like that occurring in your IT and it's giving threat actors direct access, then now you need to backtrack and make sure you're segmenting and you're just securing your IT or just finding a DMZ or another place for the credentials to sit.
Mitch: So I'm hearing a thread through this entire episode, and maybe it's just because I am Mitch, and you're probably going to appreciate this too, but a common thread here is orchestrated communication. It's just like between government entities when they're helping a victim of an attack, it's between the IT team and the OT team. And inside an organization, orchestrated communication can't be undersold. We're starting to see organizations include people like the board of directors and understanding that cybersecurity isn't just IT's business anymore, it belongs to everyone. So we're moving along the pike, but as communication people or nerdy communication people in this area, I think that we have to give a shout out to our peeps who are doing this. So keep going guys. More communication.
Roya Gordon: Yeah. You make a great point. Because I see a lot of weaknesses, like you said, the communication with the government and organizations, but the governments between themselves, OT, IT departments, and then also board members. So I did want to harp on that a little bit because when I present to the board, I'm like the translator of all of the technical work because the board, they don't really care about the technical details. They care about the value. What does this mean? Do we need to decrease, increase something? What is the value of all the work that's being done? And let's talk money. Let's talk about security. So you have to speak a different language. So yeah, it's good to have people like us that's bridging that gap and doing the translations. Because if the people that are on the board or the CISO or the executives, they don't understand the value of the work, then they're not going to invest. So it is like you need to talk to technical people. And technical people need to understand security just as much as board members and investors.
Mitch: And I read in the recent past that there is going to be a requirement that all board of directors that have a certain clip level are going to be required to have at least someone with cybersecurity expertise on their board. Yeah, I remember reading that. Okay, another episode. We just got it right there. Let's go around.
Roya Gordon: Yeah. Let's talk about that. And I mean, I think that should be mandatory.
Mitch: I do too.
Roya Gordon: Every organization has cyber assets, and I don't think companies realize that until all these attacks started happening and they're like, " Crap, we don't know anything about cybersecurity." But you're right. How can they assure investors that their companies still going to stay afloat in the midst of a cyber attack? Because think about it. Why would you want to invest in a company that doesn't have a robust cyber program? Now cybersecurity is tying into other parts of business. I think that's a really, really good topic for next time. I'm excited.
Mitch: I do too. My first question, of course was please define cybersecurity expertise. That could mean anything. It's like, " I have a kid in college getting a degree for civilian cybersecurity. I can do it." Anyway, another topic for another day. Roya, tell us a bit about you. You have a pretty interesting past and you've worked in a lot of places. And I'm not just saying that because I've cyber stocked you and read your CV. Tell us where you come from and what you do.
Roya Gordon: Yeah. So I'll start with what I do now. I work at Nozomi Networks as a security research evangelist. So I'm on the security research team and I'm working with the brilliant people and that are finding zero day vulnerabilities in OT and ICS and IoT. I co- present with them. We co- publish reports. We just presented at Black Hat on vulnerabilities we found in a real- time locating system. We're hoping to present vulnerabilities we discovered in drones at this year's Black Hat. So that's my team. They're doing awesome things. Threat intelligence, vulnerability assessment, et cetera. So my role is to... I write the security report for the most part with the metrics from the team, creating the message of what does all of these statistics mean. And then I'm talking to media and doing things like this and speaking at conferences and just getting the word out there, talking to board members, talking to our partners and customers about the great work that the team is doing. But prior to this, I was in consulting. I was at Accenture and I was leading cyber threat intelligence for our resources practice. They just needed a go- to person that would come in and brief the CISO of Shell and Chevron and Saudi Aramco and give like a cyber threat landscape. And that's what I did. I loved it. Their amazing team there. And then before that I was in potato country.
Mitch: Yeah. Potatoes.
Roya Gordon: Yeah. So I worked at Idaho National Laboratory as a control system cybersecurity analyst. So I was on a lot of great projects, won a couple of awards for some research that I was doing. I think the last project I did, I was writing a paper to get DOE to fund studies on protective relays. And after I left, I found out that the lab got it approved and they got funding to do research on it, which is great. So I just had a very exciting career. I started in cyber and grad school when I studied cyber warfare for my capstone project, and that's what got my foot in the door. But prior to that, I was in the Navy for six years and I did threat intelligence. This was before there was any cybersecurity in the Navy, so it was just more about military threats and terrorist threats. So all of that experience led me here today to be a research evangelist friend.
Mitch: Well, we are glad to have you and glad to have you on the show today.
Roya Gordon: Yeah, happy to be here. Can't wait for next time.
Mitch: And next time it will happen. We have to talk about that topic about communication.
Roya Gordon: Yeah, for sure.
Mitch: Roya, thank you so much. We enjoyed having you. A special thanks to our guest, Roya Gordon and Nozomi Networks for their time and insight for this episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach and IBM production. This episode was produced by Zach Ortega, and our music was composed by Jordan Wallace. Thanks for venturing Into the Breach.
DESCRIPTION
Host Mitch Mayne speaks with Roya Gordon of Nozomi Networks about the shifting operational technology (OT) threat landscape and how that is affecting regulatory policy. Using Nozomi Networks recent OT/IoT Security Report as a linchpin, they dive deeper into evolving attack types on critical infrastructure, how cyber insurance might change for this sector, and what we may see from a policy perspective in response to more aggressive threats.