Semi Annual ICS/OT Cyberattack Roundup (1H 2023)

The first half of 2023 witnessed an assortment of attacks against Industrial Control Systems (ICSs) and critical infrastructure operators, with the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issuing numerous alerts and advisories, highlighting ICS vulnerabilities. Most Industrial Control Systems (ICSs) deploy outdated technologies and older computer systems that merely control simple functions in an industrial complex, such as temperature, water and pressure levels, and fire systems or climate controls. These technologies are usually from an era before the prevalence of cyberattacks, leading to neglected security mechanisms, or just simple measures attempting to provide security. To make matters worse, industrial units rarely patch and update their systems, especially if that leads to shutdowns or slower manufacturing times. At the same time, malicious actors deploy the latest technologies and have diversified their attack methods against ICSs and critical infrastructure. Previously, ICS attacks were confined to state-linked actors with geopolitical intentions. Major ongoing geopolitical incidents around the world—including Russia’s war in Ukraine—have intensified such attacks. Yet, the ICS/Operational Technology (OT) environment is witnessing a surge in ransomware attacks solely designed with profit as their objective. The 2021 Colonial Pipeline cyberattack that ended with a US$4.4 million ransom handout to the hackers is a prime example. The year 2023 has witnessed a rise in the three main categories of ICS/OT attacks: 1) accidental, 2) opportunistic, and 3) intentionally targeted attacks. Cybersecurity companies indicate that they witness hundreds of unique attacks against industrial organizations on a daily basis, especially aimed at the manufacturing, energy, and healthcare sectors.

This month, Australian energy sector supplier Energy One was targeted by a cyberattack, while BlackBerry announced that the supposedly Russian “Cuba” hacker group is deploying new methods to target high-profile vendors, including critical infrastructure organizations. Japanese watchmaker Seiko announced that its systems were compromised back in July, and data that included manufacturing intellectual property were stolen by the BlackCat ransomware group. ABI Research has reported extensively on the threat of intellectual property theft against industrial units and ways to improve an organization’s security posture. BlackCat, which deploys a Ransomware-as-a-Service (RaaS) approach, is increasingly targeting the industrial sector, including manufacturing, oil & gas, and mining industries. Ransomware groups are especially keen to gain access to Remote Monitoring and Management (RMM) tools that are particularly crucial for operation in industries like manufacturing, energy, oil & gas, utilities, and transportation. This led to a Remote Monitoring and Management Cyber Defense Plan issued by CISA and the Joint Cyber Defense Collaborative (JCDC) this month.

While threat actors experiment with sophisticated hacking tools, including Artificial Intelligence (AI) and Machine Learning (ML), a new study by industrial cybersecurity firm SynSaber reveals more than a third of ICS vulnerabilities in 2023, so far, were unpatched, while the number last year was only 13% of vulnerabilities. More than half of these vulnerabilities were critical and high-risk vulnerabilities impacting ICSs. Given the unique and different characteristics of OT environments, especially those that are custom built for a specific industry, industrial organizations need to work closely with OT cybersecurity providers to find effective solutions against the threats. Given the high levels of attacks, including OT protocol packet injection in industrial networks, the demand for threat monitoring technology like Extended Detection and Response (XDR) is expected to increase. XDR allows faster detection times across a wider range of sources and machines. Also, the deployment of physical industrial firewalls on the factory floor to secure ICS and Supervisory Control and Data Acquisition (SCADA) systems will be a prominent feature of the OT security market. Firewalls also help in network segmentation to isolate critical systems from non-critical systems. Virtual firewalls, also known as software firewalls, will grow in market share as industrial units increasingly move their operations and data centers to the cloud, and opt to deploy virtual machines in their design phases.

Industrial organizations need to initially identify, and then categorize their networks and assets, to better understand vulnerabilities and evaluate threats in their systems. After critical assets are identified, proper segmentation using firewalls can help secure critical assets, regulating inbound and outbound OT traffic. Other strategies to help secure the OT environment include defining a secure baseline for devices, firmware updates and patches, anomaly detection, access control, and finally developing a response plan in the case breaches do occur. To guarantee proper identification, mitigation, and prevention, collaboration with specialized OT/ICS vendors is imperative. In addition to providing OT cybersecurity technologies, these vendors could conduct regular penetration testing to evaluate cybersecurity robustness and agility. Industrial organizations can look at vendor case studies to gauge the compatibility of their needs with the vendor’s track record. Lastly, it is important to deploy proper firewalls for physical assets, versus virtual assets or networks. This means securing physical devices, hardware, and network cables with physical firewalls, while virtual environments and cloud infrastructure could be protected with virtualized firewalls. The latter are less costly compared with their physical counterparts, but are mostly effective in virtual environments.