What is ETHOS and Why Now? How Will it Help Critical Infrastructure?

A group of cybersecurity companies specialized in ICS and OT security recently launched ETHOS, the Emerging Threat Open Sharing a platform. The platform is meant for sharing early warning signs across critical infrastructure owners and operators monitoring their operational technology networks and activity. ETHOS is a GitHub community project. The founding members aim to make the platform fully open source after an initial beta test of their proof of concept.

Founding members include 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security. Any security vendor can build an integration for an ETHOS server, and any organization, group or company can develop and host their own ETHOS server.

The platform is being built to correlate security events across any number of end users regardless of the security solutions they use, requiring integration with security vendor technologies to send and receive correlated notifications. ETHOS currently has a beta API that provides data-sharing functionality, and an initial server is in development. Shared information for ETHOS signs includes MITRE TTPs, IP addresses, hashes, and domains.

Information Sharing Trends

There are IT attacks that can cause process shutdowns out of caution, IT attacks that can impact OT systems directly as collateral damage, and OT or ICS specific attacks that exploit IT components as access points. Whether asset owners and sectors are preparing for the worst possible targeted attack or the perfect storm of an accident, defenders are left feeling as though they’re searching for a needle in many haystacks. Four key trends have emerged for information sharing across critical infrastructure sectors:

1. There has been broad realization that operations that tolerate little to no physical downtime are lucrative targets, with seemingly no sector off limits – food, hospitals, transportation – and tailored attacks are increasing
2. There are two different types of information sharing – known detections or “fully baked” intelligence based on something seen before, and early warning indicators for novel attacks
3. Silos exist; sector specific, within the private sector, and across government and international agencies, creating single sources of intelligence without due diligence and corroboration to indicate the significance of shared intelligence
4. Single points of dependence and failure exist across equipment, cybersecurity, and business/operation, involving people, processes, and technology alike

Information Sharing Challenges

Given the trends in information sharing, it is becoming more difficult for security teams to utilize available threat intelligence and understand how to reduce the severity of potential vulnerabilities in OT and ICS. Four key challenges have emerged for information sharing across critical infrastructure sectors:

1. A key takeaway from much of the Cyber Solarium Commission’s work is that industry is reluctant to aggregate information without a trusted third-party mechanism
2. No vendor-agnostic mechanism or platform exists for real-time sharing of early warning data
3. Despite commonalities, no two attacks on OT/ICS are ever the exact same and it is nearly impossible to fully automate remediation in process control systems and networks
4. There are millions of potential targets with cyber-physical components and operations. Energy, manufacturing, water and wastewater, and food and agriculture facilities alone represent more than 8 million facilities and locations globally

Benefits of the ETHOS Platform

Threats to critical infrastructure can be adversarial or accidental, structural, and/or environmental. Increased digitization continues to expand the attack surface and propels technology interdependence. The OT cybersecurity industry is working to include real-world impact analysis into their products and solutions. Still, prioritization and information sharing across multiple sectors that deploy similar technologies in a multitude of purpose-built ways remains increasingly difficult.

There are many hypothetical scenarios and possibilities for OT/ICS cyber incidents, but less shared evidence and indicators for real-world cascading impacts. Lab experimentation and research is more useful than hyperbolic fearmongering. With widespread future adoption of the ETHOS platform and multiple interoperable servers, the open source platform has potential to deliver four key benefits to critical infrastructure:

1. Correlation of early warning data has the potential to reduce dwell times for malicious threat actors doing reconnaissance in critical infrastructure networks and environments
2. Early warning and reduced dwell time has the potential to reduce the severity of fully completed threat actor campaigns, exploitation capacity, delivered payloads, downtime, and physical impacts
3. Like vulnerability researchers deploy reverse engineering to understand the exploitation and payloads crafted by threat actors, ETHOS participants can begin to do reverse reconnaissance analysis
4. This analysis can assist global threat research teams with selecting particular systems and technologies to research for CVE disclosures, and global cyber threat intelligence teams with enhanced understanding of frequently deployed TTPs in early phases of the cyber kill chain in critical infrastructure

ETHOS is not a shared proprietary threat intelligence feed with signatures, detections, and alerts from competitive monitoring tools and solutions. ETHOS is also not a replacement for STIX/TAXII and is complementary to STIX/TAXII information sharing. The ETHOS platform is run by an independent mutual benefit corporation with an open-source GitHub community. No central authority retains ownership of its intellectual property. Governance is structured by community members and licensed users, and membership applications will be available in June 2023.