The Threat Landscape
According to a report published by Dragos, a cybersecurity company specializing in Industrial Control Systems (ICS), 2020 saw more attacks against industrial networks, utilities and critical industrial infrastructure than ever before. Dragos researchers identified 15 threat groups that specifically targeted industrial environments in 2020. Their main aim was to attack and compromise Operational Technology (OT) and ICS. Of the 15 groups, 4 started operations in 2020, namely Stibnite, Talonite, Kamacite and Vanadinite. A couple of these new groups have extremely specific targets. Stibnite mainly targets turbine companies generating power in Azerbaijan. While Talonite, on the other hand, focuses its attacks on electricity providers in the US. Of the other two new groups, Vanadinite targets energy, manufacturing and transportation in Asia, Australia, Europe and North America. This group’s main aim is information gathering and ICS compromise. The fourth group, Kamacite, which Dragos researchers believe is linked to the Sandworm group, targets energy companies in North America and Europe. Campaigns targeting industrial systems often involve the use of remote access services like TeamViewer, as was the case in the Florida water supply attack. And phishing attacks, as occurred in last year’s reported campaigns against the oil and gas industry. With these attack methods cybercriminals use real user accounts to compromise systems, which helps them to avoid detection for months.
Threats to ICS and OT Security
The Dragos report identified some serious threats to industrial environments and, ICS and OT security. These threats originate from cybercriminal groups wanting to steal business intelligence or encrypt systems with ransomware. Others originate from nation-state backed APT groups looking to disrupt vital services in other countries. Such as Iran’s suspected hacking of a European Energy company around this time last year. According to Dragos, these threats stem from a lack of visibility across OT networks, improper network segmentation and users sharing credentials to OT systems.
Lack of visibility
Of the companies studied for the report, 90% of them did not have companywide visibility of their OT systems. “The lack of visibility raises risks significantly because it allows adversaries freedom to conduct operations unimpeded, time to understand the victim environment to locate their objectives, achieve their desired effects and satisfy the intent for conducting a compromise,” said Sergio Caltagirone, vice president of threat intelligence at Dragos.
Improper network segmentation
Furthermore, 88% of the companies studied didn’t use proper network segmentation. And users in 54% of the companies shared credentials to OT systems. Even when vulnerabilities were identified in ICS, the report states that in 43% of cases the vulnerability advisories sent to affected companies by vendors contained errors. Furthermore, 64% of advisories that didn’t provide patches also did not offer practical mitigation advice to companies affected by vulnerabilities. And 61% of advisories that did provide patches also didn’t offer alternative mitigation measures. Such measures are important in industrial environments, as it’s difficult for companies to shutdown critical systems to apply patches.
Why Target Industrial Environments
Cybercriminals target industrial environments because many companies in this sector can’t afford to have their systems offline for extended periods of time. This includes companies running factory production lines, like car parts manufacturers, and those running utility plants. Consequently, they are more likely to pay the ransom, since downtime could have huge impact further down their supply chain. Or to their customers. Furthermore, these companies often operate around the clock and are thus reluctant to take systems offline to apply required patches to their systems. Not applying security updates is one means by which ransomware groups gain access to vital industrial systems. That is if updates against security vulnerabilities exist at all. Systems in industrial environments often run obsolete or unsupported technology for which no updates are available. “Organisations in this vertical are heavily reliant on systems that are outdated and thus require significant efforts to maintain vulnerability management. Additionally, these systems are so vital to the day-to-day operations of these organizations taking them offline for patching is a significant undertaking,” says Jamie Hart, cyberthreat intelligence analyst at Digital Shadows (now Reliaquest).
Industries Most Targeted by Ransomware
No sector is safe from cyberattack. However, more cybercriminal groups are now attempting to compromise companies providing vital services, such as electric power and water. Also highly targeted are the oil and gas and manufacturing industries. Cybersecurity firm Digital Shadows (now Reliaquest) recently conducted a study into which industries were most targeted by ransomware in 2020. The study found that Industrial Goods and Services was the most targeted sector by ransomware groups. 29% of all alerts received by Digital Shadows (now Reliaquest) originated from this sector. This is more attacks than on the next three most targeted sectors of Construction (9%), Technology (8%) and Retail (7%) combined. The study also found that North American companies were the most targeted. 66% of all alerts received by Digital Shadows (now Reliaquest) came from companies running from this geographic region. The next highest number of alerts was 23% originating from Europe and 6% from Asia.
Recommendations for Industrial Environments
According to Caltagirone, “OT network attacks requires a different approach than traditional IT security. IT incidents see high frequency, relatively low-impact incidents and effects when compared to OT attacks that are lower frequency, but have potentially very high impacts and effects”. There are, however, cybersecurity procedures that companies in industrial environments can implement to safeguard their vital systems from cyber intrusion. Dragos’s report provides some practical recommendations for administrators of industrial OT and ICS.
The first recommendation involves increasing visibility across OT networks by using network monitoring tools and host logging. Using such tools and methods allows companies to detect abnormal activity more quickly. This in turn allows them to stop attacks before they can cause harm or disruption. Dragos also recommends that companies apply network segmentation, which involves separating OT from other Information Technology (IT). In this way, should cybercriminals gain access to IT networks they won’t be able to move laterally and access OT systems as well, as these would not be on the same network. Lastly, Dragos recommends identifying which systems have control over critical operations and ensuring they are most secure. And managing IT and OT credentials separately. The latter includes users not sharing login credentials to OT or using default passwords across systems. Such measures will help protect vital systems from cyberattacks.