What is ETHOS? An Open Platform for OT/ICS Threat Sharing

In today’s interconnected world, the security of Operational Technology (OT) and Industrial Control Systems (ICS) is more critical than ever. As cyber threats become increasingly sophisticated and targeted, the need for robust security measures and effective information sharing within the OT/ICS community has become paramount. This is where ETHOS comes into play. But what is ETHOS, and why is it gaining traction in the cybersecurity landscape?

ETHOS, which stands for Emerging Threat Open Sharing, is a recently launched platform designed to facilitate the sharing of early warning signs of cyber threats specifically targeting critical infrastructure. Developed by a consortium of leading cybersecurity companies specializing in OT/ICS security, ETHOS aims to create a collaborative environment where critical infrastructure owners and operators can proactively monitor their networks and respond to emerging threats. It’s more than just a platform; it’s a community-driven initiative built on the principles of open source and collective defense.

Understanding the Core of ETHOS: Open Source and Community Driven

At its heart, ETHOS is a GitHub community project, emphasizing its commitment to transparency and open collaboration. The founding members, a group of prominent names in OT/ICS security including 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security, envision ETHOS becoming a fully open-source platform after an initial beta testing phase. This open approach is crucial for fostering trust and encouraging widespread adoption across the diverse OT/ICS ecosystem.

The design of ETHOS encourages broad participation. Any security vendor can develop integrations for an ETHOS server, and any organization, group, or company has the autonomy to establish and host their own ETHOS server. This decentralized and vendor-agnostic approach is a key differentiator, allowing for a more inclusive and adaptable threat intelligence sharing network.

How ETHOS Works: Correlating Security Events for Early Warning

The primary function of the ETHOS platform is to correlate security events from various sources, providing early warning signs of potential threats. It is designed to work across different security solutions, requiring integration with security vendor technologies to seamlessly send and receive correlated notifications. Currently, ETHOS offers a beta API that enables data-sharing functionalities, and the development of an initial server is underway.

The type of information shared on the ETHOS platform is specifically geared towards early threat detection. This includes:

  • MITRE ATT&CK for ICS TTPs (Tactics, Techniques, and Procedures): Standardized frameworks for understanding and classifying attacker behavior in industrial control systems.
  • IP Addresses: Indicators of potentially malicious network connections.
  • Hashes: Cryptographic fingerprints of files, used to identify potentially malicious software.
  • Domains: Website addresses that could be associated with malicious activity.

By focusing on these early warning indicators, ETHOS aims to empower organizations to detect and respond to threats in the reconnaissance and early stages of the cyber kill chain, significantly reducing dwell time and potential impact.
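To make the correlation idea concrete, here is an added example (not ETHOS code, and not its beta API, whose format the article does not describe) that takes indicator reports of the four types listed above from several hypothetical participating organizations, normalizes them, and flags any indicator independently reported by more than one organization as an early-warning signal. The organization names, indicator values and the simplified ATT&CK for ICS id check are all constructed for illustration.

```python
"""Constructed example: correlating early-warning indicators reported by several
OT/ICS security sources. Illustrative only; not the ETHOS API or server."""
from collections import defaultdict
import ipaddress
import re

# Hash digests are recognised by hex length; technique ids use the T0xxx shape
# of MITRE ATT&CK for ICS (a simplified check, assumed here for illustration).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
ATTACK_ICS_ID = re.compile(r"^T0\d{3}$")

def normalize(kind, value):
    """Return a canonical (kind, value) key, or None if the indicator is malformed."""
    value = value.strip()
    if kind == "ip":
        return ("ip", str(ipaddress.ip_address(value)))  # raises ValueError on garbage
    if kind == "hash":
        value = value.lower()
        if len(value) not in HASH_LENGTHS or not re.fullmatch(r"[0-9a-f]+", value):
            return None
        return ("hash", value)
    if kind == "domain":
        return ("domain", value.lower().rstrip("."))  # case-fold, drop trailing dot
    if kind == "ttp":
        tid = value.upper()
        return ("ttp", tid) if ATTACK_ICS_ID.match(tid) else None
    return None

def correlate(reports, min_sources=2):
    """Group sightings by canonical indicator and keep those seen by at least
    min_sources distinct organisations; repeats from one org count once."""
    sightings = defaultdict(set)
    for source, kind, value in reports:
        try:
            key = normalize(kind, value)
        except ValueError:
            key = None  # malformed IP: drop rather than poison the shared view
        if key is not None:
            sightings[key].add(source)
    return {k: sorted(s) for k, s in sightings.items() if len(s) >= min_sources}

# Constructed sample submissions: (reporting organisation, indicator type, value).
SAMPLE_REPORTS = [
    ("vendor-a", "ip", "203.0.113.7"),
    ("vendor-b", "ip", " 203.0.113.7 "),           # same IP, untrimmed
    ("utility-c", "domain", "Update.Example.NET."),  # same domain, different case
    ("vendor-a", "domain", "update.example.net"),
    ("vendor-b", "hash", "D41D8CD98F00B204E9800998ECF8427E"),  # one source only
    ("utility-c", "ttp", "t0886"),
    ("vendor-a", "ttp", "T0886"),
    ("vendor-a", "ttp", "T0886"),                  # duplicate from the same org
    ("vendor-b", "ip", "not-an-ip"),               # malformed, dropped
]
```

Running `correlate(SAMPLE_REPORTS)` flags the IP, the domain and the T0886 technique (each seen by two organizations) and leaves the single-source hash unflagged.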

Addressing the Challenges of Information Sharing in Critical Infrastructure

The development of ETHOS is a direct response to the growing challenges in effective threat intelligence sharing within the critical infrastructure sectors. Several trends and challenges have highlighted the urgent need for a platform like ETHOS.

Information Sharing Trends:

  1. Critical Infrastructure as Lucrative Targets: The realization that sectors with minimal tolerance for downtime, such as food, hospitals, and transportation, are prime targets for cyberattacks is widespread. Tailored attacks are on the rise, making proactive defense crucial.
  2. The Need for Early Warning Indicators: While “fully baked” intelligence about known attacks is valuable, early warning indicators for novel attacks are essential for proactive defense. ETHOS focuses on this crucial aspect.
  3. Information Silos: Silos exist within sectors, between private sector entities, and across government and international agencies, hindering comprehensive threat intelligence. ETHOS aims to break down these silos by creating a unified platform.
  4. Single Points of Failure: Dependencies and vulnerabilities across equipment, cybersecurity measures, and business operations create single points of failure. Broader information sharing is needed to address these systemic risks.

Information Sharing Challenges:

  1. Reluctance to Aggregate Information: Industries are often hesitant to share sensitive information without a trusted third-party mechanism. ETHOS, as an open and community-driven platform, aims to provide this trusted environment.
  2. Lack of Vendor-Agnostic Real-Time Sharing: Historically, there has been a lack of platform-agnostic mechanisms for real-time sharing of early warning data. ETHOS is designed to fill this gap, providing a neutral and interoperable platform.
  3. Complexity of OT/ICS Attacks: No two OT/ICS attacks are identical, making full automation of remediation challenging. Human expertise and shared insights are critical, and ETHOS facilitates this knowledge exchange.
  4. Vast Attack Surface: The sheer number of potential targets in critical infrastructure, with millions of facilities globally, necessitates scalable and efficient threat intelligence sharing. ETHOS aims to enhance the efficiency of threat detection and response across this vast landscape.

The Benefits of Adopting the ETHOS Platform

The widespread adoption of ETHOS holds significant potential benefits for critical infrastructure security:

  1. Reduced Dwell Time: By correlating early warning data, ETHOS can significantly reduce the time malicious actors spend undetected within critical infrastructure networks, limiting their reconnaissance and potential impact.
  2. Mitigation of Attack Severity: Early warnings and reduced dwell time translate to a reduced severity of successful attacks. This includes minimizing exploitation capacity, payload delivery, downtime, and physical consequences.
  3. Reverse Reconnaissance Analysis: Just as vulnerability researchers reverse engineer malware, ETHOS participants can utilize shared early warning data to perform “reverse reconnaissance analysis.” This proactive approach helps understand attacker tactics and anticipate future threats.
  4. Enhanced Threat Research and Intelligence: ETHOS data can empower global threat research teams to prioritize systems and technologies for vulnerability research and enhance the understanding of prevalent TTPs in the early stages of cyberattacks targeting critical infrastructure.

ETHOS in Context: Not a Replacement, but a Complement

It’s crucial to understand what ETHOS is and what it is not. ETHOS is not a proprietary threat intelligence feed competing with commercial solutions. It does not provide signatures, detections, or alerts from specific monitoring tools. Instead, it serves as a complementary layer, enhancing existing security measures through collaborative early warning sharing.

Furthermore, ETHOS is not intended to replace STIX/TAXII (Structured Threat Information Expression/Trusted Automated Exchange of Intelligence Information), which are established standards for threat intelligence sharing. Instead, ETHOS is designed to be complementary to STIX/TAXII, focusing specifically on early warning indicators and fostering real-time community-driven exchange.

Conclusion: Embracing Collaborative Security with ETHOS

In conclusion, ETHOS represents a significant step forward in bolstering the cybersecurity posture of critical infrastructure. By providing an open, vendor-agnostic, and community-driven platform for sharing early warning threat intelligence, ETHOS addresses critical gaps in current information sharing practices. As the OT/ICS threat landscape continues to evolve, the collaborative approach embodied by ETHOS is essential for building a more resilient and secure future for critical infrastructure worldwide. The platform’s focus on early detection, combined with its open-source nature, positions ETHOS as a valuable asset in the ongoing battle to protect essential services and infrastructure from cyber threats.
