There was a surprising announcement yesterday in the OT detection space with the creation of the Emerging Threat Open Sharing (ETHOS) organization, open source project and development plan. Surprising because of the members. The big three in OT detection: Claroty, Nozomi and Dragos. Plus two in the next tier, Tenable and Forescout, and a handful of others that offer supporting services.
If this effort was government driven, ISAC driven or some other group with market power, then getting competitors into an organization like this would be less surprising. Instead this was initiated by the competitors. It’s a bold move, a worthy attempt, by the founding companies.
Some early thoughts after reading the press release, FAQ and being briefed.
What Is ETHOS?
ETHOS is a non-profit entity. ETHOS is an open-source platform for sharing anonymized threat information created and maintained with the assistance of the non-profit entity.
The open source platform will initially be integrated into OT detection and analysis products that will then be able to anonymize and send data to an ETHOS server. This ETHOS server can then share this data, and analyzed output, as the organization running the server desires.
The FAQ states “ETHOS is sharing and correlating IOC-style information such as hashes, IP Addresses and Domains.”
Emerging Threats And Other Offerings
ETHOS is for sharing of “early warning threat information”. Not information that is already known. The ETHOS FAQ states this is not a replacement for other information sharing programs such as CISCP, Essence, or CRISP from the US Government. In theory it is not a replacement for Dragos’ Neighborhood Keeper and other OT security or ICS vendor offerings, or ISAC offerings, or MSSP services.
A known hash, IP address, or domain would not be sent, in theory. It is up to the asset owner with the data to determine what is sent and to which ETHOS server(s).
I’m skeptical that there is a place for just emerging threat information sharing. It’s more likely that ETHOS becomes a widely used OT information sharing platform for emerging and known threat information, or doesn’t broadly succeed.
A second potential problem with this approach is many of the founding members and others in the space run marketing campaigns based on finding emerging threats, giving the threat or threat actor a clever name, and being the first to disclose some details publicly and more details to their paying customers. If this info is truly new, and the information is shared, more parties enter the race to analyze, name and market the new attack. Perhaps I’m being too cynical.
Where Will ETHOS Be?
The key to success of the project will be having ETHOS server hosts who asset owners feel comfortable sending data to and have the ability to analyze and make the data available to a receptive community. Who might this be?
The US DHS CISA provided a quote that they are “looking forward to collaborating”. The US Government has a lot of information sharing efforts undergoing and envisioned. ETHOS being one more source is likely. For example, CISA could bring ETHOS data in and use it to enhance already existing threat delivery systems.
The ISAC’s are ETHOS server host candidates, especially those that don’t have a robust information sharing capability today. If the next version of Claroty, Dragos, Nozomi, … includes a ETHOS capability it might be the fastest and cheapest way to get a threat information sharing program started.
Neither governments or ISACs are moneymakers. In the briefing, the ETHOS team discussed how they looked at other open source projects to see key factors for success. Kubernetes was one of the highlighted examples. One key with Kubernetes is for profit companies found the software helped them make and save money, directly and indirectly. Some moneymaking ETHOS server hosts could be:
- MSSPs – Their customers may not have their preferred or supported OT Detection solution deployed. ETHOS could be a standard way to bring information into their SOC.
- ICS Vendors – Schneider Electric is a founding member. Siemens, Honeywell and others have MSSP, support and incident response services. This could be an easier way to onboard and migrate asset owners to their services.
- Large Asset Owners – Many large asset owners have a wide variety of systems deployed. This happens through various regimes making different choices and acquisition. While ripping out and replacing an OT detection solution is easier than an ICS, it still costs money.
Is There Room, Or A Need, For An OT Only Threat Sharing Platform
Look who is not on the list: Google, Amazon, Microsoft, IBM, Splunk, Cisco, … The big players in IT who have their own consortiums.
ETHOS has a powerhouse of OT security vendors at launch. Will there be enough ETHOS recipients, the people getting and acting on the data to warrant an OT only approach? In the short run I believe the answer is yes. 3+ years out is an open question.
I must admit that back in 2019 I thought that the IT detection and response would have absorbed more of the OT market in 2023 than it has. The OT market has twists and turns and this effort is worth watching and considering.