In 2022, breakthrough evolution in the development of malware targeting industrial control systems, scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape, according to the 2022 Dragos ICS OT Cybersecurity Year in Review.
“As in previous years, the ICS OT community has managed a growing number of vulnerabilities, many without the right mitigations needed to reduce risk and maintain operations. Meanwhile electric grids, oil and gas pipelines, water systems, and manufacturing plants continued to struggle with more complex regulatory environments that demand marked progress in shoring up defences,” commented Omar Al Barghouthi, Regional Director, Middle East, at Dragos.
“The sixth edition of Dragos’s report, which provides an ‘on-the-ground’ understanding of what is happening in the industrial space, contains the latest threat intelligence on adversary activity targeting operational technology (OT) and recent ICS-specific malware discoveries, data to inform vulnerability management practices, and cybersecurity benchmarks for industries.”
Key threat group findings
2022 saw a breakthrough escalation in capabilities by a new industrial control systems (ICS) malware, PIPEDREAM, the seventh ICS-specific malware and a modular cross-industry toolkit. Developed by CHERNOVITE, one of two new ICS Threat Groups identified by Dragos in 2022, PIPEDREAM has the capabilities to impact devices that manage the electrical grid, oil and gas pipelines, water systems, and manufacturing plants. For industrial operators this can be viewed as a supply chain risk, as the methods target key vendor systems.
The other newly discovered ICS Threat Group targeting industrial control systems and operational technology in 2022, was BENTONITE. The group has been increasingly and opportunistically targeting maritime oil and gas (ONG); state, local, tribal, and territorial (SLTT) governments; and manufacturing sectors since 2021. BENTONITE conducts offensive operations for espionage and disruptive purposes, targeting vulnerabilities in internet-exposed assets to facilitate access.
Key industrial ransomware findings
Ransomware is cited as the top financial and operational risks to industrial organizations. Out of the 57 ransomware groups targeting industrial organizations and infrastructures, Dragos observed, through public incidents, network telemetry, and dark web resources, that only 39 groups were active in 2022. Dragos identified 605 ransomware attacks against industrial organizations in 2022, an increase of 87 percent over last year.
By region, North America accounted for 40 percent of all ransomware attacks, followed by Europe (32 percent). The Middle East saw only 3 percent of all ransomware attacks, which is the equivalent of 17 incidents. In terms of sectors, manufacturing claimed the highest share, a staggering 72 percent, but ransomware attacks spanned many industries, including food and beverage, energy, pharmaceuticals, oil and gas, water, mining, and metals.
Dragos service engagements included a finding about improper network segmentation in 50 percent of cases and a finding of external connections from OEMs, IT networks, or the Internet to the OT network in 53 percent, showing there is still a long way to go to defend against ransomware risks.
Key findings on ICS/OT vulnerabilities
In 2022, the number of reported ICS/OT vulnerabilities showed a material increase of 27 percent, which demonstrates the increased attention and focus on the risks to industrial infrastructure by security researchers. Furthermore, 83 percent of the vulnerabilities were found to reside deep within the ICS network. The Dragos Threat Intelligence team analysed 2170 common vulnerabilities and exposures (CVEs) during 2022, up from 1703 CVEs in 2021.
Key findings from Dragos’ work in the field
For the last six years, Dragos has leveraged its Professional Services team to develop an ‘on the-ground’ understanding of the realities facing the industrial community and to bring back insights and lessons learned from the field. Dragos reports to four key findings that it continues to track year over year since 2019.
- 80 percent of Dragos services engagements had limited to no visibility into their ICS/OT environment, showing no significant change from 2019.
- 50 percent of services engagements identified issues with network segmentation with poor security perimeters, a 27 percent decrease over the previous year.
- Dragos engagement that included findings of external connections to OT in 2022 dropped significantly from 70 percent to 53 percent.
- 54 percent of Dragos services engagements included findings related to shared credentials, up from 44 percent in 2021.
“Based on findings of our Year in Review Report, I would urge organizations in the critical infrastructure sector to be proactive about having an OT cybersecurity program that is distinct from IT. OT involves different devices, communication protocols, adversary behaviors, and vulnerability management practices. Cyber attacks can result in physical impacts and investigations require a different set of tools. For guidance, the SANS Institute identified five critical controls for ICS/OT cybersecurity including having an ICS incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and risk-based vulnerability management,” added Al Barghouthi.