
How to jumpstart your organisation’s OT cybersecurity strategy

Adversaries tend to build their operations and capabilities methodically over time; their previous efforts often determine their future success, according to the latest report by Dragos

We explore Dragos’ Year in Review report on ICS/OT cyber threats, vulnerabilities, and incident response observations launched to address the looming ICS/OT threat landscape.

Trends in OT cyber-attacks

Ransomware has become the cyber weapon of choice for compromises in the industrial sector, with 2021 proving to be a critical year for ransomware gangs and their affiliates. With ransomware groups targeting the manufacturing industry more than any other, nearly twice as often as all other industrial groups combined, Dragos emphasises the importance of understanding how adversaries gain access and steal information in order to better prepare for future threats. Adversaries tend to build their operations and capabilities methodically over time; their previous efforts often determine their future success. Dragos tracks threats, also identified as activity groups, which show the intent, opportunity, or capability of impacting industrial operations. Some of these threats may be in the early stages of their journey and have so far shown only the intent to target industrial organisations, by attempting to gain access to ICS/OT networks or by collecting organisational information.

Threat group strategies

Dragos tracks a number of groups that have targeted industrial networks but do not show the intention of disrupting them. Adversaries may do this for intellectual property theft, capability development for future attacks, or simply gaining and maintaining access for future, as yet undetermined, needs. In some cases, adversaries gain access to the IT networks of an organisation or its supply chain to collect information about the ICS of the target. Currently, Dragos tracks 18 worldwide threat groups, with three of the newest groups discovered during 2021. Two of the new activity groups, KOSTOVITE and ERYTHRITE, demonstrate Stage 2 ICS Cyber Kill Chain intrusions with a focus on access operations and data theft over disruption. This shows that adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes.


The attack surface is expanding

In 2021, external connections to OT spiked, more than doubling to 70 percent. Dragos assesses that this increase is due to the high demand for remote access in the wake of the Covid pandemic. Many OT environments appear fully segmented on paper, yet when validated with Dragos Platform analysis, the Dragos team discovered that the environments often have several connections and are not as segmented as originally believed. Add to this the increased use of public cloud, the use of cyber-physical systems, and highly connected supply chains, all of which have exposed new attack surfaces. During 2020, there had been a significant improvement in isolated ICS environments (with a two-thirds drop in external routable network connections). These environments may have been initially designed and implemented as segmented, but over time, firewall exceptions and persistent vendor connections steadily bridged the gap between IT and OT.

Specific industries at risk

Analysing industrial security trends during 2021, Dragos compiled data on the sectors hit by ransomware: manufacturing accounted for 65 percent; food & beverage for 11 percent; and transportation for eight percent. Within manufacturing, Dragos found that metal components accounted for 17 percent; automotive for eight percent; and technology for six percent. Unfortunately, manufacturing is the very sector that the Dragos services team found to be the least mature in its OT security defences. Another industry considered an attractive target by cybercriminals seeking to exploit ICS environments is the Oil and Natural Gas (ONG) sector, as evidenced when Colonial Pipeline, one of the largest oil pipeline operators in the United States, made headlines after a ransomware attack hit it. The breach impacted the company’s digital systems, shutting them down for several days. As Colonial Pipeline supplies around 45 percent of the fuel for the US East Coast, the attack resulted in monumental nationwide disruption. This is only one example of how a successful cyber-attack could compromise critical infrastructure and services or cause widespread harm.

Why do companies need to pay attention to them?

Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations and OT environments, whether through the integration of OT kill processes into ransomware strains, through flattened networks that let ransomware spread into OT environments, or through operators shutting down OT environments as a precaution while they attempt to stop IT ransomware from spreading to OT systems. There are many ways for ICS operators to improve cyber defence and implement simple, effective controls and security measures to manage vulnerabilities and mitigate threats. Dragos recommends that ONG companies and other organisations using ICS take several steps to defend against these attacks, such as developing incident response plans, segmenting networks to prevent lateral movement, and collecting logs in ICS environments to improve visibility. The Dragos Platform is the most trusted industrial control systems (ICS) cybersecurity technology, providing comprehensive visibility of your ICS/OT assets and the threats you face, with best-practice guidance to respond before a significant compromise.
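The two findings above, that OT environments which look segmented on paper often have undocumented crossings from IT or from outside, and that collecting logs in ICS environments is what makes those crossings visible, can be turned into a concrete check. The script below is an added example, not code from Dragos or from the article: it reads constructed firewall flow records, declares which subnets belong to the OT and IT zones (the subnets, the approved exception for a jump host, and the flow lines are all assumptions made up for the example), and reports every flow that enters the OT zone from elsewhere, split into documented exceptions and undocumented connections, grouped by the zone the source belongs to.

```python
"""Validate OT segmentation against observed flows (added example, constructed data).

Zone membership is declared explicitly rather than inferred from address class,
so a vendor's public address and an enterprise IT host are both handled by the
same rule: anything that is not in a declared zone is treated as external.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Assumed zone layout for the example; a real audit would load this from the
# network design documentation that the flows are being validated against.
ZONES = {
    "ot": [ipaddress.ip_network("10.50.0.0/16"), ipaddress.ip_network("192.168.100.0/24")],
    "it": [ipaddress.ip_network("10.10.0.0/16")],
}

# Documented firewall exceptions: (source network, destination network, destination port).
# Assumed: one jump-host subnet may reach the historian subnet over HTTPS only.
APPROVED = [
    (ipaddress.ip_network("10.10.5.0/24"), ipaddress.ip_network("10.50.1.0/24"), 443),
]

# Constructed flow export: timestamp, source, destination, protocol, destination port.
SAMPLE_FLOWS = """\
2021-06-01T08:00:01Z 10.10.5.12   10.50.1.20    tcp 443
2021-06-01T08:00:02Z 10.50.1.20   10.50.2.30    tcp 502
2021-06-01T08:00:05Z 203.0.113.40 10.50.2.30    tcp 3389
2021-06-01T08:00:06Z 10.10.7.9    10.50.2.31    tcp 502
2021-06-01T08:00:07Z 203.0.113.40 192.168.100.5 tcp 5900
2021-06-01T08:00:09Z 10.10.5.12   10.50.1.20    tcp 22
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)))
    return flows


def zone_of(addr, zones):
    """Name of the first declared zone containing addr; 'external' if none does."""
    for name, nets in zones.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def is_approved(flow, approved):
    """True if a documented exception covers this exact source, destination and port."""
    return any(
        flow.src in src_net and flow.dst in dst_net and flow.dport == port
        for src_net, dst_net, port in approved
    )


def audit_ot_ingress(flows, zones, approved):
    """Return approved and undocumented crossings into OT, plus undocumented sources per zone."""
    report = {"approved": [], "undocumented": [], "sources_by_zone": {}}
    for f in flows:
        # Only flows that originate outside OT and terminate inside OT are crossings.
        if zone_of(f.dst, zones) != "ot" or zone_of(f.src, zones) == "ot":
            continue
        if is_approved(f, approved):
            report["approved"].append(f)
        else:
            report["undocumented"].append(f)
            report["sources_by_zone"].setdefault(zone_of(f.src, zones), set()).add(str(f.src))
    return report


def summarise(report):
    """Human-readable lines: one per undocumented crossing, then a per-zone source count."""
    lines = [f"{f.src} -> {f.dst} {f.proto}/{f.dport} (undocumented)" for f in report["undocumented"]]
    for zone, sources in sorted(report["sources_by_zone"].items()):
        lines.append(f"{len(sources)} undocumented source(s) in zone '{zone}' can reach OT")
    return lines


if __name__ == "__main__":
    result = audit_ot_ingress(parse_flows(SAMPLE_FLOWS), ZONES, APPROVED)
    print(f"{len(result['approved'])} approved crossing(s), {len(result['undocumented'])} undocumented")
    print("\n".join(summarise(result)))
```

On the constructed data the only approved crossing is the jump host reaching the historian on 443; the same jump host on port 22, an IT workstation speaking Modbus (502) to a controller subnet, and an address outside both zones reaching OT over RDP and VNC all surface as undocumented, which is exactly the "firewall exceptions and persistent vendor connections" the report describes. Running this periodically against real flow exports, rather than once against the design diagram, is what turns log collection into the visibility the recommendations call for.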

This article was originally published in our sister publication ArabianBusiness.com.