In 2022, breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape, according to the 2022 Dragos ICS/OT Cybersecurity Year in Review.
Omar Al Barghouthi, Regional Director, Middle East, at Dragos said, “As in previous years, the ICS/OT community has managed a growing number of vulnerabilities, many without the right mitigations needed to reduce risk and maintain operations. Meanwhile, electric grids, oil and gas pipelines, water systems, and manufacturing plants continued to struggle with more complex regulatory environments that demand marked progress in shoring up defences.”
Al Barghouthi added, “The sixth edition of Dragos’s report, which provides an ‘on-the-ground’ understanding of what is happening in the industrial space, contains the latest threat intelligence on adversary activity targeting operational technology (OT) and recent ICS-specific malware discoveries, data to inform vulnerability management practices, and cybersecurity benchmarks for industries.”
PIPEDREAM, the eighth ICS-specific malware and a modular cross-industry toolkit, marked a breakthrough in malware capabilities in 2022. PIPEDREAM was created by CHERNOVITE, one of two new ICS Threat Groups that Dragos detected in 2022. It can affect equipment that controls water systems, manufacturing plants, oil and gas pipelines, and electrical grids. Because its techniques target widely used vendor systems, industrial operators may regard it as a supply chain risk.
In 2022, Dragos identified a new ICS Threat Group, BENTONITE, that focuses on industrial control systems and operational technology. Since 2021 it has targeted maritime oil and gas, state, local, tribal, and territorial governments, and the manufacturing industry. BENTONITE carries out offensive activities to gather intelligence and cause disruption, exploiting weaknesses in internet-exposed assets to gain access.
Ransomware is cited as the top financial and operational risk to industrial organizations. Through public incidents, network telemetry, and dark web resources, Dragos observed that of the 57 ransomware groups targeting industrial organizations and infrastructure, only 39 were active in 2022. Dragos identified 605 ransomware attacks against industrial organizations in 2022, an increase of 87% over the previous year.
By region, North America accounted for 40% of all ransomware attacks, followed by Europe (32%). The Middle East saw only 3% of all ransomware attacks, which is the equivalent of 17 incidents. In terms of sectors, manufacturing claimed the highest share, a staggering 72%, but ransomware attacks spanned many industries, including food and beverage, energy, pharmaceuticals, oil and gas, water, mining, and metals.
There is still a long way to go in defending against ransomware risks, as evidenced by the findings of Dragos service engagements: improper network segmentation was found in 50% of cases, and external connections from OEMs, IT networks, or the Internet to the OT network were found in 53% of cases.
In 2022, there was a significant rise of 27% in reported vulnerabilities related to ICS/OT. This highlights the heightened awareness and concern among security experts about the dangers posed to industrial infrastructure. A majority (83%) of the vulnerabilities were located in the innermost parts of the ICS network. The Dragos Threat Intelligence team studied 2170 common vulnerabilities and exposures (CVEs) during 2022, up from 1703 CVEs analyzed in 2021.
For the past six years, Dragos has used its Professional Services team to gain an “on the ground” understanding of the challenges the industrial community faces and to bring back observations and lessons learnt from the field. Since 2019, Dragos has tracked four major findings and has reported on them annually.
• 80% of Dragos services engagements had limited to no visibility into their ICS/OT environment, showing no significant change from 2019.
• 50% of services engagements identified network segmentation issues and poor security perimeters, a 27% decrease over the previous year.
• The share of Dragos engagements that included findings of external connections to OT dropped significantly in 2022, from 70% to 53%.
• 54% of Dragos services engagements included findings related to shared credentials, up from 44% in 2021.
Al Barghouthi commented, “Based on findings of our Year in Review Report, I would urge organizations in the critical infrastructure sector to be proactive about having an OT cybersecurity program that is distinct from IT. OT involves different devices, communication protocols, adversary behaviours, and vulnerability management practices. Cyber attacks can result in physical impacts, and investigations require a different set of tools. For guidance, the SANS Institute identified five critical controls for ICS/OT cybersecurity, including having an ICS incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and risk-based vulnerability management.”