A new strain of malware discovered earlier this year with the capacity to disrupt operational technology (OT) systems deserves to be taken seriously by critical infrastructure operators, Robert Lee, CEO of cybersecurity firm Dragos, said Tuesday.
However, conscientious security professionals should already have the tools to defend their organizations from the new threat, he said.
“When we look at that capability [and] what that means for us, it sounds pretty ominous. But the good news is, if you’ve been paying attention over the last decade, you are well prepared,” Lee said at ReliabilityFirst’s Fall Workshop.
He observed that the new malware, which Dragos has dubbed Pipedream, combines the characteristics of a number of previous high-profile cyberattacks, including the Stuxnet intrusion in Iran, the CrashOverride malware in Ukraine, and last year’s hack of a water treatment facility in Oldsmar, Florida.
Dragos CEO Robert Lee addressed the workshop remotely. | ReliabilityFirst“If you were focusing on, not only indicators, not on patches, not on the exploits, but if you were focusing on the tactics, techniques and procedures of adversaries across those operations, and you were developing robust defenses … Pipedream does not really pose anything that different, because all it really did was perfect each one of those things and combined them together,” Lee said.
Dragos first disclosed the Pipedream malware suite in April. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency quickly confirmed the discovery separately in a joint statement with the FBI and National Security Agency. (See E-ISAC Warns of Escalating Russian Cyber Threats.) Lee said Tuesday that the security community was “so very fortunate” to have apparently discovered the tool before it was used in any attacks, though he acknowledged that researchers cannot be sure the technology has never been deployed in the wild.
Dragos warned at the time that Pipedream — whose developer they named Chernovite, in keeping with the firm’s policy of not attributing hacks to specific groups — potentially represented a major step forward in sophistication for threat groups. The tool’s modular structure allows for easy modification to attack a wide range of industrial control systems and is “professionally made and easy to use,” far from the “sloppy and defective” tools that attackers have used in the past. (See Dragos Warns Malware Developers Building Skills Fast.)
Looking over the broader cybersecurity landscape, Lee said it has been gratifying to see awareness of cyber concerns spreading among corporate leadership in many critical infrastructure sectors, particularly the electric industry. He pointed out that the Biden administration’s first 100-day “sprint” to enhance cybersecurity across infrastructure was launched specifically among electrical utilities, which Lee said indicated a perception of the power grid as ahead of other sectors on cybersecurity, thanks in part to the robust oversight of FERC, NERC and the regional entities.
“The White House and administration reached out to the electric sector to start with, saying, ‘We perceive you to be the maturest of our industrial sectors. And if we want to challenge … this OT security problem, it’s you who we should partner with first based on all the interactions and good work you’ve done over the years,” Lee said. “‘We’re not going to get inside of your head … we’re going to give you the why and the what, but not the how.’ Which to me is a perfect example of a policy done well.”
