Dragos CEO on building a robust OT security programme

Dragos CEO on building a robust OT security programme

As hyperconnectivity sweeps across industries, OT cybersecurity has risen to the top of the CISO’s priority list. But this complex environment requires a different approach than enterprise IT. Robert M. Lee, the CEO of Dragos, tells us about the various types of attacks and threat groups, the importance of threat intelligence and why the Middle East is an important region for the company.  

Robert M. Lee, the CEO of Dragos

Why is there more attention on Operational Technology (OT) and ICS cybersecurity now than in times past?

For a long time, organisations have fully appreciated the need to protect critical infrastructure, and it’s been a message carried by governments too. However, historically, companies have prioritised enterprise information technology environments. Though that was probably the right call for a long time, the reality is that OT environments are so important as the revenue-generating side of the house and the one that impacts the environment and safety, etc.

That side of the house has only ever been firewalled off but, as companies worldwide go through Digital Transformation or hyperconnectivity, we’re starting to see those OT environments being connected in a significant way and, therefore, an increase in the threats that are actively targeting them.

Organisations have realised that we have underappreciated the risk on the business side that is important for society, so we’re seeing a pendulum swing now where they are starting to invest back in OT security.

How much of a risk do ICS adversaries pose to organisations, particularly in the Middle East region?

The risk is high, but we all need to appreciate that the frequency will be higher in enterprise IT – we’re going to see more phishing emails and exploitation of IT environments than we’re going to see in terms of exploitation and accessing of operations environments.

However, the impact of a phishing email or the effect of compromising data in the enterprise, while meaningful, is nowhere near the same as the impact when you take down safety systems or critical systems or the ability to impact national security.

Tell us more about the different types of attacks, threat groups and what they’re seeking to achieve?

We see a wide variety of groups. Some have already crossed the divide and taken down infrastructure or tried to hurt people, such as the attacks in the Kingdom of Saudi Arabia (KSA), which went after the safety systems in a petrochemical plant.

There are three or four groups that have gotten to that level, though they were working on those capabilities for four or five years beforehand.

We see another 12 or so groups behind, exploring and attempting to access operations environments. They’re trying to research industrial control systems and perform reconnaissance against companies. These groups are getting into operations environments but not yet capable of carrying out the types of attacks we worry about. But if we look at that trend, we need to be cognisant that OT security is more than a project for a quarter.

Usually, you’re talking about a multi-year journey. We’re kind of in this storm path, where we’re trying to advise people not to overhype the problem, but realise the trend is getting to a place that we need to get ahead of it if we hope to keep our people safe three to four years from now.

How can organisations best achieve the required level of asset visibility?

It’s a cliché, but it’s true – it’s impossible to protect what you don’t know you have. Time and time again, when our incident response team gets called into cases ranging from targeted threat groups to ransomware cases, it’s consistent that there’s been a level of what we call ‘prevention atrophy’ in those environments.

In other words, there have been many good investments in preventative controls, firewalls, patching, passwords, robust access control, etc., but they put all the focus into prevention to the detriment of visibility, detection, and response. Without that consistency of visibility, they end up missing things.

We find that entities largely get that visibility by doing three things:

  1. Developing a good culture between the operations and the enterprise side. We need to educate people, but we also need to do it correctly.
  2. Start deploying technologies inside those environments to get consistent visibility.
  3. Developing staff, ensuring that they’re putting people and processes in place with the expertise required.

How important is threat intelligence in detecting and responding to these types of attacks, and how does your organisation approach this?

It’s extremely important to learn from adversaries, and that’s all that threat intelligence is. What have we seen before? What would we have done differently the next time?

Many organisations have focused heavily on indicators of compromise and are looking for an IP address or a piece of malware that they can find next time. While that’s not bad, it’s not scalable, especially when you think about attacks that may use the same methods but happen against different types of facilities or different equipment.

When we think about threat intelligence, we think about it in understanding adversaries’ tactics and techniques and the methods they’re accomplishing.

I want to know how somebody is modifying a safety system, not which one it is. Where intel shines are that it’s not just creating another detection or alert. It’s understanding the context and prioritising the things we see so that we take the right response when something happens.

How important is the Middle East market for your company, and how do you work with partners to provide solutions and services to end-users?

Our tagline is ‘safeguarding civilisation’, and to us, that means something. I think this region specifically has some strategic adversaries, and we are at an inflection point where they’re taking advantage of the transformation happening to industries here.

The Middle East was the first place we went outside of the US. Our first team on the ground here was based in Riyadh, and then we built out our office in Dubai, and we are starting to work in Kuwait and Oman.

We have found that this region, more than most places globally, is all about partnership.

If we come as a seller of a box, demanding payment, and saying we’ll see you in three months, that’s not going to work. We have no better partners in the world than the ones we’ve developed here.

How does Dragos set itself apart from others in this market?

First, we take that intelligent further approach. Dragos professionals have been part of the response to any significant industrial attack that’s ever occurred. Those insights are things that we can codify and bring to our customers.

Second, we’ve hired the best of the best. We don’t just operate as a technology company, we have a services team and an intel team, and we want to have really smart individuals who are used to being in these environments.

We do many ancillary things that aren’t business lines for us, like training or learning management systems with classes. Still, these things are helpful in that partnership discussion and making sure that people can be successful.

Third, through being a Dragos customer, you get that partnership feel from the moment the PO is signed. Most of our focus and the way that we’ve built our sales, customer success and professional services teams is to understand the risk that a customer’s taking and the work ahead of them so that when they take that leap of faith to try and do right by their community, we are with them every step of the way to ensure they can be successful.

How can organisations implement simple but effective security policies and procedures to lower their cyber risk?

It’s a very daunting thing to be a CISO or a CEO looking at this problem for two reasons. One, it’s not been done before, and now there’s a significant focus on it – you’ve got to walk a very delicate balance of helping to inform on the risk without coming off with fear, uncertainty and doubt.

Second, there are many security controls, products and services in enterprise IT. It can seem overwhelming that you might now need to copy that into the other side of the business, which is larger and more complex.

But you don’t need to copy and paste what you have in IT. Instead, we need to look at a couple of critical controls and figure out the OT specific nature of them and apply those well and consistently.

Step one: Figure out a defensible architecture.

Step two: Get the visibility and monitoring in place to understand what’s going on and what needs to be protected.

Step three: Have multi-factor authentication wherever you can put it in terms of remote access.

Step four: Ensure you have a vulnerability management programme – don’t try to fix every vulnerability out there.

Step five: Have an ICS specific incident response plan.

If you were to do those five controls well across your operations environment, you’d have a world-leading OT security programme.

Browse our latest issue

Intelligent Tech Channels

View Magazine Archive