RSA Conference: A group of some of the largest operational technology companies are using this year’s RSA Conference as an opportunity to launch an open source early-threat-warning system designed for OT and industrial control systems (ICS) environments.
Dubbed ETHOS (that’s Emerging THreat Open Sharing), the information-sharing platform is being designed to function in as open and vendor-neutral a manner as possible – even allowing individuals to contribute, not just large corporations with an advanced security posture. The idea is that those in ETHOS can help out others by giving them details and other know-how to improve the defenses of their networks.
The timing of such a platform couldn’t be better: critical infrastructure sectors, where much of the world’s OT and ICS systems live, remain alluring targets for miscreants and spies.
ETHOS is still under initial cooperative development, the nonprofit entity behind the project said in a press release, with founding members including OT and ICS security firms and tech consultancies such as 1898 & Co., Claroty, NetRise, and Schneider Electric. The companies founded ETHOS in response to Uncle Sam’s CISA’s Shields Up initiative and the Biden administration’s various 100-day sprints to improve cybersecurity in critical sectors.
Once up and running, “ETHOS will collectively uncover and share emerging threats for which there is no threat intelligence or no known attack pattern available, across private and public sector stakeholders,” the ETHOS Community said. It describes ETHOS further as an always-on, hotline-esque system that will “correlate info from many security vendors to identify anomalous behavior.”
This, all while ETHOS plans to maintain itself as “an independent mutual benefit corporation with an open-source GitHub community.” With that comes no central ownership authority and governance structured by community members and licensed users, the ETHOS Association said.
With the effort now formally launched, an ETHOS spokesperson told us that the community is focused on providing access to technical teams belonging to its founding members. A general membership application system will go live in June, after which time anyone can join and contribute, the ETHOS spokesperson said.
“We will have more information on the fully public launch date after the ETHOS community has an opportunity to discuss the criteria for a general availability release,” the spokesperson told us.
What, STIX and TAXIIs not good enough for ya?
If all this talk of open standards and threat intelligence sharing sounds familiar, it might be because ETHOS sounds a lot like the US Department of Homeland Security’s Cyber Information Sharing and Collaboration Program and its Automated Indicator Sharing system.
Described by CISA as a “real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations,” it looks like there could be overlap between the systems, or at least the appearance of trying to reinvent the wheel.
The ETHOS Association even addresses that on its website, saying that ETHOS isn’t a replacement for Homeland Security’s system and its Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) standards.
“[ETHOS] is complementary to STIX/TAXII information sharing, the existing DHS Cyber Information Sharing and Collaboration Program (CISCP) and Department of Energy technologies including Essence and Cyber Risk Information Sharing Program (CRISP),” the ETHOS Association said in its FAQs.
How it’ll be different isn’t clear, and the ETHOS Association’s GitHub page isn’t much help, either: it’s a blank slate.
Luckily, a spokesperson for ETHOS answered The Reg’s questions, telling us ETHOS is working with unrefined data that could be used to create future STIX rules, though ETHOS won’t ingest data from TAXII servers so it’s not up on known threat intelligence from those particular sources.
“ETHOS is a different data sharing standard focused on real-time sharing, real-time correlations of shared data, and real-time updates,” the spokesperson said. They added that “correlations from ETHOS will inevitably result in confirmed threat intelligence that could be shared via STIX/TAXII,” but said that’s not the aim of the platform.
ETHOS, by working with a different data set than what would be available on a STIX/TAXII system, is able to provide a key benefit in “an accelerated time to discovery through the correlation engine,” the spokesperson said. We assume anyone interested in learning how the correlation engine works will have to wait until the general application doors open in June.
Lest you think ETHOS is stepping on the US government’s toes, the association made sure to quote CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein in its announcement release to prove Uncle Sam’s security team is onboard.
“CISA is eager to continue support for community-driven efforts to reduce silos that impede timely and effective information sharing. We look forward to collaborating with such communities, including the ETHOS community,” Goldstein said. ®