OT giants collaborate on ETHOS early threat and attack warning system

One of the greatest fears among government officials and security experts is a crippling cyberattack on industrial organizations that run essential services, including electricity, water, oil and gas production, and manufacturing systems. The proprietary and complex nature of the operational technology (OT) tools used in these systems, not to mention their rapid convergence with IT technology, makes securing OT systems a chronic, high-stakes challenge.

The growing demand for greater OT and industrial control system (ICS) security expertise has led to the rise of a vibrant group of OT security companies that vigorously compete with one another to grab customers in the growing space. These competitors are setting aside their rivalries to collaborate on a new vendor-neutral, open-source, and anonymous OT threat early warning system called ETHOS (Emerging Threat Open Sharing) that aims to share data on early threat indicators and discover new and novel attacks.

ETHOS community and board members include the top OT security companies: 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security. Formed as a nonprofit, ETHOS hopes to spot threats for which no intelligence or attack pattern is available among stakeholders, aiming to stop them at the outset before they can cause damage.

The ETHOS concept is getting out of the gate with an endorsement from the US Cybersecurity and Infrastructure Security Agency (CISA), a boost that could give the initiative greater traction. “The scale of threats facing critical infrastructure operators, and in particular operational technology networks, requires an approach to information sharing grounded in collaboration and interoperability,” said Eric Goldstein, executive assistant director for cybersecurity at CISA, in the press release announcing ETHOS. “CISA is eager to continue support for community-driven efforts to reduce silos that impede timely and effective information sharing. We look forward to collaborating with such communities, including the ETHOS community, to improve early warning and response to potential cyber threats while appropriately protecting sensitive information about our nation’s critical infrastructure community.”

Creating something the “world has never seen”

“It’s important to have companies that are healthy competing in the market, working together for a bigger scope,” Andrea Carcano, co-founder and chief product officer at Nozomi Networks, tells CSO. “The scope does not involve dollars but is an initiative making our country, the United States in this case –but who knows potentially other governments or bigger alliances–more aware of what’s happening in the field. The principle behind everything was, ‘Let’s try to create something that the world has never seen. Let’s try to really sit down, even if we’re competing very, very hard on the field, let’s try to be all together.'”

Marty Edwards, deputy chief technology officer for OT and IoT at Tenable, tells CSO, “ETHOS came about a couple of years ago. A group of competitors in the OT cybersecurity space came together and said, ‘We’re not making enough progress.’ It became fairly evident that a number of us had proprietary solutions for information sharing, but what the community really lacked was a vendor-agnostic, technology-neutral way to share all of this threat information regardless of whose cybersecurity platform a customer has in place so that we can pull it together, analyze it, and get some early warning indicators out of that system.”

“ETHOS is intended to be a threat and attack information sharing system,” Brian Dunphy, vice president of product management at Claroty, tells CSO. “I think what differentiates it from other attempts by other vendors out there is it’s intended to be vendor agnostic and open, so regardless of what vendor you use, you can still benefit from that threat sharing system to ultimately better protect yourself as a critical infrastructure user.”

ETHOS is still in its early days

It is unclear at this nascent stage how precisely ETHOS will operate. One thing seems settled: All organizations, including public and private asset owners, can contribute to ETHOS at no cost, although individual companies on the board of directors will have to pay an annual fee.

Carcano offers an example of how ETHOS might function, using four hypothetical oil and gas companies, each running its own unique technology in which a particular suspicious IP address appears. ETHOS can correlate data among all contributors and warn, “Hey, be careful. In the same time period, the same IP showed up in four very different oil and gas companies spread across the country.”

Dunphy says, “Some of the initial things that we expect to be shared are the traditional threat indicators, whether that be IP addresses, hashes signatures triggered, or other IOCs [indicators of compromise] that are triggered. So that’s the sort of the phase one batch set of indicators we expect to share.”

Once the IOCs are analyzed, “That should enable us to start to see over time that all of a sudden we’re seeing an uptick in this particular indicator, or we see a whole new set of indicators that we haven’t seen before start to trigger at a particular period of time. And so, it can answer questions of, ‘Hey, we’re seeing these attacks, but are these attacks isolated? Are they broad? Are we seeing an uptick in attacks of a certain nature?'”

How ETHOS will evolve over time

The group of companies has started working on an early-stage version of an ETHOS platform, with some of the code already written thanks to pro-bono work inside the initial founding companies. ETHOS does not yet have any employees, but Carcano envisions ETHOS evolving along the lines of open-source software Linux. Linux started as a group of volunteers but ultimately became an influential nonprofit organization with its own employees. “ETHOS could potentially one day be like that,” he says.

Edwards sees ETHOS evolving in two stages. “The first phase is for each of the member organizations that have cybersecurity products to build the API hooks into our environment so we can provide data anonymously when the customer elects to send the data over to the ETHOS infrastructure for analysis.” He adds, “That’s no easy feat when you’re talking about perhaps a dozen different competitors or companies that have their own products and structures in place.”

The second stage, which is occurring in parallel with the first stage, is to build the data analytics platform, which is where Edwards sees the federal government providing a big assist. “That’s where we’re hoping — and we’ve had fairly good conversations with organizations such as CISA or the Department of Energy — that we can partner with some of the government analytical entities to help do some of the analytical lifting,” he says.

The companies behind ETHOS are adamant that no single company owns ETHOS, according to Edwards. “This is a community effort. We’re hoping that we can get a technology-neutral third party [to stand up ETHOS] and whether that’s a government entity, an information sharing and analysis center, or quite frankly, whether we have to stand up our own entity under the nonprofit organization.”

Dunphy says, “I think the community that we represent, the community that we protect, will benefit from the collective defense from the threat sharing over time. So, we have two missions at hand:  Ultimately protect the critical infrastructure of our customers, but also a broader mission of being able to contribute back to the overall protection of the larger critical infrastructure community.”