A major concern among government officials and security experts is the possibility of a devastating cyberattack on industrial organizations that operate critical services such as electricity, water, oil and gas production, and manufacturing systems. The intricate and unique nature of the operational technology (OT) tools used in these systems, as well as their increasing convergence with IT technology, presents an ongoing and high-risk challenge to securing OT systems. The growing demand for OT and industrial control system (ICS) security expertise has led to a flourishing group of OT security companies competing with each other to gain customers in this expanding field.
Despite their competition, these companies have joined forces to create a new, vendor-neutral, open-source, and anonymous OT threat early warning system known as ETHOS (Emerging Threat Open Sharing). The objective of ETHOS is to share data on early threat indicators and identify new and innovative attacks. The community and board members of ETHOS include the top OT security companies: 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security. ETHOS, a non-profit, aims to identify threats for which there is no intelligence or attack pattern available among stakeholders, with the goal of preventing them before they cause harm.
The ETHOS concept has received an endorsement from the US Cybersecurity and Infrastructure Security Agency (CISA), which could give the initiative greater traction. According to Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, the magnitude of threats facing critical infrastructure operators, particularly operational technology networks, necessitates an approach to information sharing that is based on collaboration and interoperability. CISA is eager to continue supporting community-driven efforts to reduce silos that hinder timely and effective information sharing, and they look forward to collaborating with communities such as the ETHOS community to enhance early warning and response to potential cyber threats while safeguarding sensitive information about our nation’s critical infrastructure community.
Creating something the “world has never seen”
“Healthy competition among companies in the market is essential for achieving a bigger scope,” according to Andrea Carcano, co-founder and chief product officer at Nozomi Networks, who spoke to CSO. “The scope is not limited to dollars but is an initiative aimed at making our country, the United States in this case, but potentially other governments or larger alliances, more aware of what is happening in the field. The underlying principle behind everything is to create something that the world has never seen before. Even though we are competitors in the field, let’s try to sit down together and work towards our common goal.”
Marty Edwards, deputy chief technology officer for OT and IoT at Tenable, explained to CSO how ETHOS was formed a few years ago when a group of competitors in the OT cybersecurity space realized they were not making enough progress. Edwards explained that while many companies had proprietary solutions for information sharing, the community lacked a vendor-agnostic, technology-neutral way to share threat information regardless of whose cybersecurity platform a customer uses. The aim of ETHOS is to create a threat and attack information sharing system that pulls together all available data, analyzes it, and produces early warning indicators.
Brian Dunphy, vice president of product management at Claroty, told CSO that ETHOS is intended to be an open, vendor-agnostic threat sharing system that benefits critical infrastructure users regardless of the vendor they use. He believes that what differentiates ETHOS from other similar attempts by other vendors is its vendor-agnostic and open nature.
ETHOS is still in its early days
Currently, the exact operational details of ETHOS are unclear, as the project is in its early stages. However, it is confirmed that all organizations, including public and private asset owners, can contribute to ETHOS at no cost. Nevertheless, individual companies on the board of directors will be required to pay an annual fee. Carcano offers a hypothetical example of how ETHOS could work: four oil and gas companies, each using different security technology, all see the same suspicious IP address.
By correlating data from all contributors, ETHOS can issue a warning and say, “Be careful. In the same time period, the same IP showed up in four very different oil and gas companies spread across the country.” Dunphy adds that they expect traditional threat indicators, such as IP addresses, hashes, signatures triggered, or other IOCs (indicators of compromise), to be shared initially. Analyzing the IOCs will enable them to see if there is an uptick in a particular indicator or if a whole new set of indicators starts to trigger at a specific time. This information can help answer questions like, “Hey, we’re seeing these attacks, but are these attacks isolated? Are they broad? Are we seeing an uptick in attacks of a certain nature?”
How ETHOS will evolve over time
The companies forming the group have commenced development on an initial version of the ETHOS platform. Some code has already been written through pro-bono work conducted by the founding companies. ETHOS currently has no employees, but Carcano envisions it becoming an open-source project similar to Linux, which began with a group of volunteers but eventually became a notable nonprofit organization with its own employees. Edwards envisions ETHOS evolving in two stages.
The first stage involves member organizations that have cybersecurity products building API hooks into the environment to anonymously provide data for analysis when customers choose to send it to ETHOS. This is a challenging task when dealing with different competitors and companies, each with its own products and structures. The second stage involves building the data analytics platform, where Edwards believes the federal government can provide significant support.
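The two ideas above, the “same IP at four companies” correlation Carcano describes and the anonymous API hook Edwards describes for stage one, can be shown together in a small clearing-house sketch. The code below is an added illustration written for this article, not ETHOS code or any vendor’s product; the submission fields, the HMAC-based pseudonymization key, the sample organizations, indicators and timestamps, and the thresholds (three organizations within 24 hours, a 3x weekly uptick) are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key held only by the clearing house. Keyed hashing (HMAC) means a
# pseudonym cannot be reversed by simply hashing a list of well-known company
# names, which a plain SHA-256 of the name would allow.
ANONYMIZATION_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample submissions, as a vendor's API hook might forward them after
# a customer opts in. The field names are assumptions, not the ETHOS schema.
SUBMISSIONS = [
    {"org": "Acme Pipeline",    "sector": "oil_gas", "ts": "2023-05-01T02:10:00", "type": "ip",   "value": "198.51.100.23"},
    {"org": "Basin Energy",     "sector": "oil_gas", "ts": "2023-05-01T03:45:00", "type": "ip",   "value": "198.51.100.23"},
    {"org": "Coastal Refining", "sector": "oil_gas", "ts": "2023-05-01T06:30:00", "type": "ip",   "value": "198.51.100.23"},
    {"org": "Delta Gas",        "sector": "oil_gas", "ts": "2023-05-01T09:05:00", "type": "ip",   "value": "198.51.100.23"},
    {"org": "Acme Pipeline",    "sector": "oil_gas", "ts": "2023-05-01T02:11:00", "type": "ip",   "value": "203.0.113.9"},
    {"org": "Acme Pipeline",    "sector": "oil_gas", "ts": "2023-05-01T04:00:00", "type": "ip",   "value": "203.0.113.9"},
    {"org": "Riverside Water",  "sector": "water",   "ts": "2023-04-20T12:00:00", "type": "hash", "value": "sha256:constructed-sample-1"},
    {"org": "Riverside Water",  "sector": "water",   "ts": "2023-05-01T12:00:00", "type": "hash", "value": "sha256:constructed-sample-1"},
    {"org": "Acme Pipeline",    "sector": "oil_gas", "ts": "2023-05-01T13:00:00", "type": "hash", "value": "sha256:constructed-sample-1"},
    {"org": "Delta Gas",        "sector": "oil_gas", "ts": "2023-05-01T14:00:00", "type": "hash", "value": "sha256:constructed-sample-1"},
]
NOW = datetime(2023, 5, 2)  # constructed analysis time for the uptick check


def pseudonym(org: str, key: bytes = ANONYMIZATION_KEY) -> str:
    """Replace a contributor name with a keyed, truncated HMAC so analysts can
    count distinct organizations without learning which ones they are."""
    return hmac.new(key, org.encode(), hashlib.sha256).hexdigest()[:12]


def ingest(raw):
    """Strip identity at the API boundary: the clearing house only ever stores
    the pseudonym, sector, time and indicator, never the organization name."""
    return [{"org_id": pseudonym(r["org"]), "sector": r["sector"],
             "ts": datetime.fromisoformat(r["ts"]),
             "type": r["type"], "value": r["value"]} for r in raw]


def correlate(events, window=timedelta(hours=24), min_orgs=3):
    """Return indicators reported by >= min_orgs distinct contributors within
    any window-long period: the 'same IP at several companies' warning."""
    by_indicator = defaultdict(list)
    for e in events:
        by_indicator[(e["type"], e["value"])].append(e)
    alerts = []
    for (itype, value), seen in by_indicator.items():
        seen.sort(key=lambda e: e["ts"])
        for i, first in enumerate(seen):
            in_window = [e for e in seen[i:] if e["ts"] - first["ts"] <= window]
            orgs = {e["org_id"] for e in in_window}
            if len(orgs) >= min_orgs:
                alerts.append({"type": itype, "value": value, "orgs": len(orgs),
                               "sectors": sorted({e["sector"] for e in in_window}),
                               "start": first["ts"], "end": in_window[-1]["ts"]})
                break  # one early warning per indicator is enough
    return alerts


def upticks(events, now=NOW, window=timedelta(days=7), factor=3):
    """Flag indicator types whose sightings in the last window are at least
    factor times those in the window before it (a new wave of a given IOC kind).
    Returns {type: (previous_count, current_count)} for flagged types."""
    current, previous = defaultdict(int), defaultdict(int)
    for e in events:
        age = now - e["ts"]
        if timedelta(0) <= age < window:
            current[e["type"]] += 1
        elif window <= age < 2 * window:
            previous[e["type"]] += 1
    return {t: (previous[t], current[t]) for t in current
            if current[t] >= factor * max(previous[t], 1)}


if __name__ == "__main__":
    events = ingest(SUBMISSIONS)
    for a in correlate(events):
        print(f"WARNING: {a['type']} {a['value']} seen at {a['orgs']} organizations "
              f"in sectors {a['sectors']} between {a['start']} and {a['end']}")
    for t, (before, after) in upticks(events).items():
        print(f"UPTICK: '{t}' indicators rose from {before} to {after} sightings week over week")
```

With the constructed data the IP address is reported by four distinct pseudonymous contributors within seven hours and the sample hash by three, including one outside the oil and gas sector, while the single-company IP 203.0.113.9 never reaches the threshold. The clearing house never sees an organization name after `ingest`, which is the property the stage-one API hooks are meant to give customers.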
The companies behind ETHOS are determined that no single company will own it. They hope to get a technology-neutral third party to establish ETHOS, whether that is a government entity, an information sharing and analysis center, or an entity they set up under a nonprofit organization. Dunphy emphasizes the benefit and protection the community gains over time from the collective defense that threat sharing provides. Their missions are to protect customers’ critical infrastructure and to contribute to the overall protection of the larger critical infrastructure community.