Some of the largest operational technology cybersecurity vendors are building an open-sourced, opt-in threat intelligence sharing portal to provide early warnings about threats to critical infrastructure.
The platform called Emerging THreat Open Sharing, or ETHOS, is designed to break down information gaps that occur because organizations don’t have access to the same information about the latest hacks or vulnerabilities that could affect the entire energy sector, pipeline operators or other industrial sectors.
“The majority of the threat intelligence is contained within vendor silos,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “We’re not looking to be disruptive from that perspective. We’re looking to elevate the game. Your intelligence will always be limited by what you can see and it doesn’t matter how big your market share is.”
The overall lack of visibility into critical networks has been a longstanding concern in the U.S. Due to this issue, the Biden administration has led multiple “sprints” to increase visibility among various critical industries. The ETHOS effort that includes well-known cybersecurity firms that operate in critical infrastructure space such as 1898 & Co., Dragos, Claroty, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable and Waterfall Security is one of the most significant industry initiatives to raise awareness across the entire sector.
“It’s a gigantic improvement of the visibility that we can have. It’s intelligence that we never had before,” Carcano said. “We can really discover if there is something going on in the country that, until today, is going to be buried inside of Nozomi alert, Dragos alert, Claroty alert.”
Marty Edwards, deputy chief technology officer for OT and IoT at Tenable, said in a statement that one large challenge within OT is knowing which threats actually pose a threat to an organization.
“ETHOS is a vendor agnostic initiative that aspires to cut through the noise by automating the discovery and dissemination of real-world threat information from its industry members,” said Edwards. “The goal will be to provide the entire community with more insights into threats targeting new and known vulnerabilities in OT systems.”
The idea has the approval of the Cybersecurity and Infrastructure Security Agency. Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement that the “scale of threats facing critical infrastructure operators, and in particular Operational Technology networks, requires an approach to information sharing grounded in collaboration and interoperability.”
Goldstein continued: “CISA is eager to continue support for community-driven efforts to reduce silos that impede timely and effective information sharing. We look forward to collaborating with such communities, including the ETHOS community, to improve early warning and response to potential cyber threats, while appropriately protecting sensitive information about our nation’s critical infrastructure community.”
The platform is supposed to work like this: owners and operators working with one of the participating vendors can choose to share anonymized intelligence that might provide an early alert about a large-scale attack, explained Carcano. The idea is to have the development of the community and software portal open-sourced while the intelligence will only be accessible within each ETHOS server.
The ETHOS feed won’t be public. Instead, only those signed up for each ETHOS instance will be able to see and share intelligence — right now that intelligence is typically an indicator of compromise like IP addresses, domains, and hashes. The initial beta is only going to be one server and general membership applications start in June.
Carcano gave the example of multiple energy companies that are seeing strange behavior but with little indication of an active attack. Within industrial sites, a malicious hacker can take months to learn the specific environment they’re targeting once infiltrated.
“The most sophisticated OT weapon that we see today, they didn’t act right away. It was not ransomware right?” Carcano said. “In the OT, there is more sophistication, there is more time that is required to be able to create damage or exfiltrate data.”
Carcano said that he hopes that one day utilities and other critical companies using ETHOS can choose to send information to CISA or to the Energy Department. Or, Carcano said, a utility can choose to alert CISA that they’re seeing suspicious activity directly through ETHOS and that can go to an international ETHOS server. “I like to dream big,” he said.