This document discusses how a mid-sized US electric utility implemented the Dragos cybersecurity platform to improve the visibility of its operational technology (OT) assets and threats, enhance compliance functions, and better support its limited OT security team. The Dragos solution included passive network monitoring sensors, asset characterization, and threat intelligence reporting. It helped the utility address compliance requirements, leverage Dragos' expertise through training and assistance, and improve its detection of OT threats through behavioral analytics and investigation playbooks. The solution demonstrated that combining technology with personnel support can effectively address common industrial control system security challenges faced by electric utilities.
3. The Dragos Offering
Dragos Platform: Threat Detection & Response technology for ICS
Dragos WorldView: ICS/OT Threat Intelligence
Threat Operations Center: Experienced assistance & training
4. Case Study Background
• Mid-sized US electric utility
• Generation, Transmission and Distribution networks
• Diverse mix of control system vendors
• Limited team to support OT cyber security functions
• Network infrastructure supportive of monitoring
• Converging IT/OT SOC
5. Customer Objectives
Improve visibility of networked OT assets
Improve visibility of OT threats
Improve NERC/CIP compliance functions
Better enable limited OT security team
7. Objective 1: Asset Visibility
Summary
• 30,000+ assets
• Vast volumes of data available
• Distributed across hundreds of miles
• Some physical network separation
11. Objective 3: Personnel
Summary
• Small, dedicated team
• Varied experience levels
• Performing many different functions
• Converging OT/IT SOC
12. Objective 3: Personnel
Solution
• Leverage Dragos experience through technology
• On site assistance and ongoing support
• Training to empower customer personnel
• IR support escalation through retainer
13. Objective 4: OT Threats
Summary
• Limited information sharing of industry-wide threats
• Improve detection based on known TTPs & behaviors
• Reduce amount of work performed by analysts to validate alerts
• Know how to respond to threats.
16. Summary
Threats are increasing but defense is doable
IT and OT teams are blending
Solution requires a combination of technology & personnel to be effective
Pursue proactive threat hunting vs reactive IR
Many companies are facing similar challenges
"What's the goal for the conference?"
Personal intro
2nd Energysec conference
First things first, how many attended BeerISAC last night? - hopefully you are all caffeinated and awake by now
How many unfamiliar with BeerISAC?
Some of you might not be familiar with Dragos so I'd like to start with a quick introduction but will keep it brief so we can spend more time on the good stuff
Know that Dragos has a 3 pronged approach to OT cybersecurity
Know - Detect - Respond
The purpose of this presentation is to highlight the experience of an electric utility that Dragos worked with as we feel it could be applicable to many other utilities
Serves over 750k people
Generation (coal, gas, wind, solar)
Including Emerson, GE, SEL, Rockwell, Siemens, Honeywell, Yokogawa
Managed switch infrastructure
Team of 3 supported by IT security team
Converging OT into existing IT Security operations
Customer is always right
Knowing ALL OT Assets and changes over time
Compliance efficiencies
Limited personnel, performing lots of tasks - better equip them so they are more efficient
Rather than working in dark, try to better understand the threat landscape
"That's it"
Before we jump into the objectives and solutions it's important to understand the primary technology being used in this instance
Decreased risk of interruption to operations
On prem server (cloud is an option too)
Sensors positioned strategically to SPAN ports to give maximum visibility of different networks
Deployed over 3 months - Coordinated with Dragos and customer field personnel
If you don't know everything you have, you cannot protect it
In this case they already had a lot of infrastructure and data collection available BUT too much data for a limited team to process manually
Utility covers expansive territory so network visibility essential
Physical separation challenges need to be addressed - usually recommend an architecture review before deployment to ensure coverage goals meet infrastructure capability
ASSET
Visualizing on an easy to read graphical UI or map makes it easier for all experience levels. IP, MAC, TCP/UDP ports useful but need more.
Deep Packet Inspection drills into useful application layer content but requires a broad coverage of protocol dissectors (some proprietary). The more seen, the more learned - Serial numbers, fw versions, configurations
High level characterizations - HMI, Switch, Protective relay - all important for crown jewel analysis and investigations based upon intel - treat different device types differently
COMMUNICATIONS
Relationships between assets and between zones. Do they align with expectations? Are there any odd connections that require further exploration - i.e. unexpected internet connections
ZONES
Visualizing and analyzing thousands of assets is challenging. Break up the view into a representation that best meets your requirements - graphical, function, type, IP address range
TIMELINE
When did assets first appear/disappear? Does this correlate with other timestamps - surveillance cameras, door entry logs?
BENEFITS
Save analysts time in collecting asset details - more efficient, less money. Assists compliance requirements with standard reports. Aids improved threat detection and IR
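As an added illustration (not Dragos platform code or the utility's deployment), the following Python sketch shows how passively captured flow records can feed the four views above: a per-asset timeline of first/last seen, device characterization from observed ICS server ports, zoning by address range, and a review list of unexpected zone crossings and MAC changes. The zone ranges, port-to-role table and sample flows are constructed values.

```python
import ipaddress
from collections import defaultdict

# Zones by address range (constructed example ranges, not the utility's real networks).
ZONES = {
    "control-center": ipaddress.ip_network("10.20.0.0/24"),
    "substation-A": ipaddress.ip_network("10.10.0.0/24"),
}
# Server-side port -> coarse device characterization (standard ICS protocol ports).
PORT_ROLES = {502: "Modbus server", 20000: "DNP3 outstation", 44818: "EtherNet/IP device"}
# (client zone, server zone) pairs that operations expects; anything else is reviewed.
EXPECTED_CROSSINGS = {("control-center", "substation-A")}

def zone_of(ip):
    """Map an address to a zone; anything outside every defined zone is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def build_inventory(flows):
    """flows: (iso_timestamp, src_ip, src_mac, dst_ip, dst_port) tuples from passive capture.
    Returns (assets, findings): per-IP first/last seen, MACs and roles, plus review items."""
    assets = defaultdict(lambda: {"first_seen": None, "last_seen": None, "macs": set(), "roles": set()})
    findings = []
    for ts, src, mac, dst, dport in sorted(flows):
        for ip in (src, dst):                      # timeline: when was each asset first/last seen
            entry = assets[ip]
            entry["first_seen"] = entry["first_seen"] or ts
            entry["last_seen"] = ts
        if assets[src]["macs"] and mac not in assets[src]["macs"]:   # same IP, new hardware address
            findings.append(f"{ts} {src} now seen with MAC {mac} (previously {sorted(assets[src]['macs'])})")
        assets[src]["macs"].add(mac)
        if dport in PORT_ROLES:                    # characterization from observed server ports
            assets[dst]["roles"].add(PORT_ROLES[dport])
        crossing = (zone_of(src), zone_of(dst))    # communications: does zone traffic match expectations?
        if crossing[0] != crossing[1] and crossing not in EXPECTED_CROSSINGS:
            findings.append(f"{ts} {src} ({crossing[0]}) -> {dst}:{dport} ({crossing[1]}) unexpected zone crossing")
    return dict(assets), findings

# Constructed sample flows standing in for sensor output.
SAMPLE_FLOWS = [
    ("2024-03-01T08:00:00", "10.20.0.5", "aa:bb:cc:00:00:05", "10.10.0.10", 502),
    ("2024-03-01T08:05:00", "10.20.0.5", "aa:bb:cc:00:00:05", "10.10.0.11", 20000),
    ("2024-03-02T09:00:00", "10.10.0.11", "aa:bb:cc:00:00:11", "203.0.113.7", 443),
    ("2024-03-03T10:00:00", "10.10.0.10", "aa:bb:cc:00:00:10", "10.10.0.12", 502),
    ("2024-03-04T11:00:00", "10.10.0.10", "aa:bb:cc:00:00:99", "10.10.0.12", 502),
]

def run_example():
    return build_inventory(SAMPLE_FLOWS)

if __name__ == "__main__":
    assets, findings = run_example()
    for ip, a in sorted(assets.items()):
        print(ip, zone_of(ip), a["first_seen"], a["last_seen"], sorted(a["roles"]))
    print("\n".join(findings))
```

On the sample data the substation host reaching an external address on 443 and the MAC change on 10.10.0.10 are the two items an analyst would be asked to review.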
Often security tools are purchased for the benefit of security teams, but it is important to explore other stakeholders such as those responsible for compliance (increases overall value)
Compliance != good security but is a legal requirement
Enhance compliance by developing improvements beyond current capability
Reduce people with clipboards and manual work
Outside vendors disrupting operations - inadvertent violations or downtime
Technology can enable enhanced NERC requirements including: Patch management, Security event monitoring, IR planning, vuln assessments, etc
Begins with asset inventory AND knowing more about vulns - actual CVSS score, impact, alternative workarounds - integrated threat intelligence expands on open source details - available through platform
Passive vulnerability discovery coming
Behavior analytics - knowing what malicious behaviors are observed in the wild (intelligence) and known "expected" behaviors based on assets and protocols - able to detect and alert and then take action
Log collection and analysis - easier collection and review for limited team
Playbooks and IR case management - augment with services - TTX to test and validate 15 months -> CIP-009-6 R1: Recovery Plans for BES Cyber Systems
Platform + Intel + Services
Asset inventory, ports and services
Specific compliance pains - apply understanding of NERC/CIP, customer pains and technology capabilities to improve
Improved credibility through partnerships with trusted partners such as SEL, DOE, EISAC
Better enable existing OT team
Wearing many hats - need to be focused/efficient with time
Assessments, patching, incident response
Utility does have security operations expanding coverage of OT
Dragos has over 200 years of combined ICS cyber security experience - furthermore, develops asset characterizations through custom dev and working with partners
Analytics to improve detection - reduce false positives to focus efforts on real threats
Playbooks to guide effective IR
Emerging technology and limited resources, Dragos field team assisted with deployment until customer was comfortable - even helped run wire!
Full spectrum from detection through response
Expand domain areas of limited experience such as threat intelligence (knowing what we have learned of ICS focused adversaries) and proactive threat hunting - YIR highlighted that in 1/3 of IR cases adversaries were undetected for over 12 months
Augment existing team capabilities with Dragos support, training and IR team
Threats to OT are increasing in frequency and sophistication
Not a lot of industry wide information sharing
ALSO Limited information sharing compounded with inaccurate reporting and hype - wild goose chase
Lots of lessons to be learned
False positives
Having foresight to know what to do in a situation not experienced before
Derived from intelligence - i.e. observed in the wild or collaboration with vendors
Dragos team shares detections and response through continuously updated content packs
TBAs improve confidence and provide context - TTPs and IOCs
QFDs streamline IR and proactive hunts by providing reports of key data in one view
Playbooks provide experience from the field on the appropriate response for new events
Intel reports provide supporting data
You might be able to relate to some of this...
Individual needs might be different - but likely need a combination of tech and people
"An ounce of prevention is worth a pound of cure"
With that, thank you for your time and pass back to Tim