Adversaries rarely have to work hard to find the information they need to plan and execute attacks against their targets. Even threat actors targeting ICS find plenty of open source information during the reconnaissance phase that can support the disruption of operational functions. For example, Dragos observed adversaries conducting ICS-targeting activity that sought data about energy infrastructure and the physical processes necessary to recover from a compromise. According to Dragos, with this data an adversary could target the operational functions that matter most for recoverability and thereby prolong or worsen the consequences of an attack. Organizations should therefore think like an adversary and identify what data about themselves is discoverable in open source, ideally before an adversary does. In that light, Dragos revisits its OSINT Collection Risk Framework to help organizations identify and limit the information an adversary can use against them in a potential attack. The framework review includes a matrix that helps ICS asset owners and operators assign a severity score to the risk that each piece of exposed data poses to the organization.
All utilities are encouraged to at least identify the relevant sources and collect what they expose, in order to understand their public and semi-public facing footprint. For more information on open source intelligence assessments, see the whitepaper Dragos published in December 2020, which discusses:
- How ICS-specific attacks differ from traditional enterprise targets
- How to develop an OSINT security assessment
- How to improve your defense using an OSINT collection and risk framework
- A useful and comprehensive set of OSINT key definitions
Access the blog post and whitepaper at Dragos.