Dragos Platform in the Electric Industry

Introduction

A mid-sized electric utility in the US that serves morethan one million customers adopted  the Dragos  Industrial  Cybersecurity  Platformin  early  2018.  This  utility generates  electricity  across  low-sulfur  coal,  natural  gas,  wind  farms,  and  solar farms.Dragos  deployed  16  sensors  across  the  utility’s  two  data  centers  to  monitor communications in the Energy Management System (EMS) and Demilitarized Zone (DMZ),  four  gas  plants,  two  coal  fire generationplants,  three  wind  farms,  and  its solar farms across the region.

Challenges

The electric grid can, at a high level, be categorized into three functions: generation of electricity at power plants, transmission from the power plants across typically long distances at high voltage, and lower-voltage distribution networks that power customers. Along these long transmission and distribution systems are substations that  transform  voltage  levels,  serve  as  switching  stations and feeders,  and  fault protection. Many industries feed into the electric grid, and those differences require an  in-depth  understanding  of  the  different  systems  and  communications–which means,  there  is  no  one-size-fits-all  security  approach  to  protecting  them  and  it requires comprehensive understanding of the highly heterogeneous nature of their environments. The challenges  expressed  by the electric utility include: :•Lack of visibility of ICS environment and asset management •Lack of resources for a dedicated ICS security team •Lack of insights into OT-specific threats and how to respond to these events

Solution: Lack of ICS Visibility & Asset Management

The  Dragos  Platform’s  in-depth,automated passive  asset  discovery  capabilities, coupled  with  unique  mapping  and  zoning  abilities,  allow  this  utility’s  analysts  to gain a comprehensive understanding of their assets beyond simply understanding the  protocols  transmitted  and  provides   them  the   ability  to   see   their   assets represented   in   an   easy-to-categorize   map   view.   Analysts   can   quickly   and automatically  organize  their  different  assets  by  custom  zones,  as  well  as  view  a particular  device’s  history,  the  last  time  seen,  the  protocols  used  including  deep packet inspection of ICS protocols, and create alerts for any new device seen on the network.

Solution:Lack of Resources for a Dedicated ICS Security Team

To combat these challenges, the Dragos Platform empowers this utility’s analysts with our team’s ICS-specific knowledge, so they can independently function, learn from our practitioners who have decades of hands-on ICS security experience, and rely on our team’s experience to supplement where theirs may lack.Threat behavior analytics, characterized by the Dragos Intelligence team and based on the ICS-specific adversaries they track, are codified into the platform to provide analysts with context-rich alerts and pinpoint malicious activity accurately.

Solution:Lack of Insights into Specific OT Threats and How to Respond

The  first  step  we  took  to  solve  these  challenges  for  this  utility  was  providing visibility  of  the  ICS  adversaries  targeting  the  ICS  industry,  specifically  electric-facing.  The  Dragos  Threat  Intelligence team  currently  tracks  eight  ICS  activity groups,  with  four  publicly  known  to  specifically  target  electric  utilities: RASPITE, ELECTRUM, COVELLITE, and ALLANITE. Each month, our intelligence team releases private intel reports to this utility  via its WorldView subscription, so they not  only have  visibility  of  any  threats  or  vulnerabilities  specifically  facing  the  electric industry,  but  they  are  provided  with  recommendations  to  identify  and  respond  to them. In order to effectively respond to threats if they occur, the Dragos Platform provides this utility’s analysts with unique step-by-step  investigation  playbook  inside  of  a workbench and case management tool to aid their investigations, reduce dwell time, and   offer   insights from   our   team   as   to   how   to   best   investigate   incidents. Investigation  playbooks  are  custom-authored  by  our  threat  operations  team  and include  step-by-step  guidance  to  this  utility’s  analysts  to  start  down  the  correct (and efficient) path to respond to potential threats. Because our threat operations team  has  first-hand  experience  hunting   and  responding  to   ICS  threats,   their guidance not only supplements this utility’s team, but helps reduce their time to act and increases effectiveness of their response.