
Taking control: Navigating the evolving ICS threat landscape

ITP.net caught up with Sergio Caltagirone, VP of Threat Intelligence, Dragos, to discuss the latest findings of the company’s 2021 Year in Review report and find out how industrial players can better defend themselves against current and future threats

Sergio Caltagirone, VP of Threat Intelligence, Dragos

The year 2021 was a busy one for cybersecurity experts and IT professionals, as businesses across the globe faced a barrage of cyber-attacks. According to IBM's Cost of a Data Breach Report 2021, the average total cost of a data breach rose from $3.86 million to $4.24 million last year.

While cyber-attacks make headlines on a near-daily basis, most discussions around cybersecurity focus on information technology (IT). Companies typically spend the most time and effort securing resources such as cloud services and data centres. In recent years, however, operational technology (OT) – the hardware and software that monitors or controls equipment, assets and processes within industrial environments – has become a prime target for attackers.

Whereas IT attacks generally aim to steal data or disrupt services, OT attacks typically target industrial control systems (ICS) so that the attacker can produce a physical effect on a process. In an alarming prediction, Gartner has said that by 2025 cyber-attackers will have weaponised OT environments to harm or kill humans.

Over the years, the industrial sector has attracted growing attention from attackers. Major cybersecurity incidents have struck industrial organisations across various sectors, elevating discussions on OT security and cyber readiness in ICS environments.

“One of the biggest changes we’ve seen over the last five years is the increasing acceptance and recognition that industrial environments have a security problem,” says Sergio Caltagirone, VP of Threat Intelligence, Dragos.

“There has been a great awakening that there are vulnerabilities and attacks against organisations in the industrial sector. As they say, acceptance is the first stage of recovery, and now we are seeing increased engagement from government and private sector firms to find solutions to this challenge.”

Traditionally, OT was not a major cybersecurity concern: these systems often ran in isolation from other networks and typically had no network-reachable entry points. With the rise of the Industrial Internet of Things (IIoT), everything from manufacturing to logistics networks and power grids is becoming more digitalised and more connected, expanding the attack surface of these environments.

Dragos launched its Year in Review report to help industrial organisations fully understand the cyber risks surrounding their ICS/OT environments. The report provides data-driven insights and evidence from the field of how industrial organisations are progressing in their cybersecurity readiness and where they need to continue their work to provide safe and reliable operations into 2022 and beyond.

“We want to highlight both the bad and the good,” explains Caltagirone. “The purpose of the report is to give people perspective on what is or isn’t changing in the landscape. Everything we provide in the report is 100 per cent backed by data.”

New threats on the horizon

The past year has witnessed several cyber-attacks against high-profile ICS and OT operators. A primary example is the ransomware attack on Colonial Pipeline: the ransomware hit the company's IT systems, Colonial halted pipeline operations as a precaution, and the result was fuel shortages and panic-buying among consumers. Another incident that made headlines was the attack on JBS Foods, one of the largest beef suppliers in the world. Launched by the Russia-based ransomware group REvil, the attack prompted the firm to shut down many of its operations and pay an $11 million ransom in Bitcoin.

In observing the different threat activity groups targeting ICS and OT, Dragos uncovered three new activity groups with the assessed motivation of targeting ICS/OT.


“The first threat activity group is called Kostovite,” says Caltagirone. “This group has reached Stage 2 of the ICS kill chain. This means that they have learned enough about the ICS environments that they seek to target, and they may want to act on it. However, as far as we know, they have not done anything to affect an industrial environment yet.”

Kostovite used dedicated operational relay infrastructure to obfuscate the origin of its activity against its target, and stole and reused legitimate account credentials for its intrusion. It targets the energy industry, including traditional oil and gas companies as well as renewable energy firms. “This is a big deal for nations that have a strong oil and gas sector but are also interested in diversifying their energy sources, such as the UAE,” says Caltagirone.

The next threat group is Petrovite, which demonstrates Stage 1 ICS Kill Chain capabilities and targets mining and energy operations in Kazakhstan. Petrovite is currently focused on general system reconnaissance and collection and is not connected to any known disruptive event.

Last but not least is Erythrite. This group targets organisations in the US and Canada with ongoing, iterative malware campaigns. Dragos observed that it had targeted the OT environments of a Fortune 500 company as well as a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple oil and natural gas (ONG) service companies.

When asked about the motivations that drive these threat groups, Caltagirone concedes that there is no clear answer. “What I can tell you is that as we see substantial activity by criminal ransomware groups, we are also seeing massive amounts of money being paid to them. So, there are still many attacks being driven by financial motivation. However, from our perspective, the impact of financially motivated attacks versus what we think of as not financially motivated is equal,” he says.

Taking the next steps

As with any security strategy, protecting industrial environments requires organisations to have adequate visibility into their ICS assets and OT networks. This remains a crucial challenge for many organisations in the sector. The Dragos report revealed that 86 per cent of its services customers had limited to no visibility into their ICS environment, which makes detection, triage and response incredibly difficult at scale.

While this figure seems alarmingly high, Caltagirone explains that it is a normal value and that the number will not go down significantly anytime soon. “As I have highlighted earlier, we’re now just starting to see acceptance and recognition of the security problem, which means that for many companies getting investments approved may take time.”

He adds, “Additionally when it comes to security deployments, IT and OT differ immensely. In an IT environment, you have the ability to deploy security solutions across your enterprise with just one click. However, most OT networks are highly customised and vary in every market. A chocolate manufacturing facility in the Philippines may be using different tools and systems from a facility in Chicago. While they may produce very similar products or even the exact same product, they could be using different sets of technologies from different providers. This makes buying and deploying security tools a much more complex task.”

Caltagirone emphasises that while these challenges could take years to eradicate, there are steps that industrial organisations can take to protect their ICS environments against today’s cyber threats.

“The biggest near-term impact they can have on improving their security posture is establishing an effective incident response plan,” he says.

“Acknowledging that an attack will happen to you, whether you like it or not, is the best first step in preparing a good cyber defence. Then you need to conduct a comprehensive risk assessment of your environments and capabilities.”

He underscores several measures organisations can start implementing now, such as two-factor (multi-factor) authentication. They can also limit ‘east-west’ movement inside the network. East-west traffic is traffic between hosts and zones within the network, as opposed to north-south traffic crossing the perimeter; limiting it means segmenting the network (for example between enterprise IT, an ICS DMZ and the control network) and monitoring the remaining cross-zone connections so that lateral movement, whether by a known or an unknown threat, and unauthorised access can be identified and blocked.
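One way to put the east-west restriction into practice is to write down which zone-to-zone paths and ports are legitimate and check observed flows against that list. The script below is an added example, not Dragos's code or anything from the article: the zone layout, subnets, allowed ports and the flow-log lines are all constructed for illustration (the policy is modelled on a Purdue-style split into enterprise IT, an ICS DMZ, a supervisory zone and a control zone), and the flow-log format is a made-up one-record-per-line form.

```python
"""Zone-based east-west traffic check for an IT/OT network.

Added example, not from the article or from Dragos. Zone names, subnets,
allowed ports and the sample flow records are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical zone layout (RFC 1918 ranges chosen for the example).
ZONES = {
    "enterprise_it": ip_network("10.10.0.0/16"),
    "ics_dmz":       ip_network("10.20.0.0/24"),  # jump host, historian replica
    "supervisory":   ip_network("10.30.0.0/24"),  # HMIs, engineering workstations
    "control":       ip_network("10.40.0.0/24"),  # PLCs, RTUs
}

# Allowed cross-zone paths: (src_zone, dst_zone) -> allowed destination ports.
# Any cross-zone flow not listed here is a violation. Enterprise IT may only
# reach the DMZ (RDP to the jump host, HTTPS to the historian); the DMZ may
# reach supervisory only over RDP; supervisory and control talk Modbus/TCP (502)
# and S7comm (102). Intra-zone traffic is not policed by this check.
ALLOWED = {
    ("enterprise_it", "ics_dmz"): {3389, 443},
    ("ics_dmz", "supervisory"):   {3389},
    ("supervisory", "control"):   {502, 102},
    ("control", "supervisory"):   {502, 102},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def classify(flow: Flow) -> str:
    """Return 'intra-zone', 'allowed', or a string starting with 'violation'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return f"violation: unknown zone for {flow.src}->{flow.dst}"
    if src_zone == dst_zone:
        return "intra-zone"
    allowed_ports = ALLOWED.get((src_zone, dst_zone))
    if allowed_ports is None:
        return f"violation: no path {src_zone}->{dst_zone}"
    if flow.dport not in allowed_ports:
        return f"violation: port {flow.dport} not allowed {src_zone}->{dst_zone}"
    return "allowed"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, int(dport), proto)


# Constructed sample flow records (not real traffic). Lines 2 and 5 are the
# kind of east-west movement the policy is meant to surface: an enterprise
# workstation talking straight to a PLC on Modbus, and another one reaching
# an HMI over SMB, bypassing the DMZ entirely.
SAMPLE_FLOWS = """\
10.10.5.23 10.20.0.10 tcp 3389
10.10.5.23 10.40.0.7 tcp 502
10.30.0.15 10.40.0.7 tcp 502
10.20.0.10 10.30.0.15 tcp 3389
10.10.7.99 10.30.0.15 tcp 445
10.40.0.7 10.40.0.8 tcp 502
"""


def find_violations(text: str) -> List[Tuple[Flow, str]]:
    """Run every flow in the log text through the policy; keep the violations."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict.startswith("violation"):
            out.append((flow, verdict))
    return out


if __name__ == "__main__":
    for flow, why in find_violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {why}")
```

Run against the constructed log, the check reports the two enterprise-to-OT flows that skip the DMZ and passes the jump-host, engineering-workstation and intra-zone flows. The same allow-list is what would be expressed as firewall rules between the zones; running it over flow records as well turns it into a detection for paths the firewall should have blocked, or for zones that turned out not to be as isolated as the diagram says.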

“These are the things they can do right now as they begin to build and invest in a full-blown cybersecurity program around industrial systems,” says Caltagirone. “If they start on this path today, they will be better prepared than 50 per cent of other industrial organisations.”

Beyond investing in tools and developing robust security strategies, having the right data and actionable intelligence is crucial to safeguarding ICS environments. This is where Dragos says it can bring unique value and support to industrial sector players.

“The worst thing in the world is telling people to be prepared against the ‘boogeyman’,” says Caltagirone. “They don’t need to hear about hypothetical threats. Instead, they should be able to focus on the real problems so they can find the right solutions. Our job is to uncover the threats that surround the landscape today and provide organisations with the tools and information that will help them to understand the risks better to prevent falling victim to cyber-attacks.”