June 26, 2023 By Jonathan Reed 4 min read

Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years.

Growing threat to OT systems

In 2022, a 140% surge in cyberattacks against industrial operations resulted in more than 150 incidents, per a recent Waterfall Security report. In an ominous warning, the report says, “At this rate of growth, we expect cyberattacks to shut down 15,000 industrial sites in 2027, that is: in less than five years.”

The majority of these assaults were ransomware, encrypting critical computer systems and invaluable data across IT networks. The attacks affected operational technology (OT) as well, even though Waterfall reported that most ransomware attacks directly impaired only the IT network, not the OT network.

The report states, “Nonetheless, in all ransomware attacks we track, there were physical consequences, either because physical operations relied on crippled IT systems for minute-by-minute operations, or because ransomware victims did not trust the strength of their OT security systems and so shut down operations ‘in an abundance of caution.’”

Real world damage

Attacks that impact OT can lead to real-world consequences beyond mere system delays. The Waterfall report highlighted several notable events, including:

  • Outages at widely known companies, including 14 plants of a top automobile manufacturing brand, 23 tire plants of a well-known brand, and outages at a major food company and a publishing company
  • Flight delays for tens of thousands of air travelers in four separate attacks
  • Physical operations impacted in four attacks on metals and mining companies; one of the attacks resulted in a fire and material equipment damage
  • Malfunctions in the loading and unloading of cargo containers, fuel and bulk oil at half a dozen seaports on three continents
  • Attacks that contributed to the bankruptcy of two victim organizations

As per the Waterfall researchers, public reports of cyberattacks with physical consequences in the industries studied have more than doubled annually since 2020. At the current rate, the number of attacks and the number of affected sites are increasing 10x every 2.5 years. If this trend continues, a 100-fold increase in attacks and impacted sites may occur from 2022 to 2027.

These numbers may seem exaggerated to some. However, if we look at the explosion in ransomware attacks over the last several years, the Waterfall prediction may turn out to be an underestimate.

Examining attacker motives

While ransomware attacks clearly have financial motives at their core, attacks on the industrial sector attract hacktivists as well. According to the report, 74% of 2022’s attacks were ransomware, 9% were carried out by hacktivists, and the remaining 17% had no identifiable motive.

None of 2022’s hacktivist attacks included a ransom demand. Instead, hacktivist groups were motivated by political or ideological agendas. In every hacktivist incident, the sole motive was to disrupt critical infrastructure or services, per Waterfall.

Most of the hacktivist incidents went hand-in-hand with the ongoing conflict between Iran and Israel or the Russo-Ukrainian conflict. Of the six hacktivist attacks in total, four disrupted transportation operations (rail, public transportation or taxi services) and one targeted a steel mill, resulting in a fire and equipment damage. The sixth targeted EV charging stations belonging to a power utility.

Ransomware impacts OT

In 2022, 42 identified ransomware attacks resulted in physical consequences in discrete manufacturing, process industries and industrial critical infrastructure. The number of attacks with physical impact in 2022 alone nearly equals the total (47) across all previous study years combined (2010-2021). Of the known ransomware attacks in 2022, 40% were attributed to known ransomware groups, including BlackCat, Conti, LockBit, Hive, Black Basta, BlackByte, RansomEXX and LV.

Sophisticated attacks more common

Another trend highlighted in the report is the increased sophistication of attacks against the industrial sector. In the past, only state-sponsored actors had access to advanced tactics, techniques and procedures (TTPs). Now, advanced capabilities are at the disposal of more cyber groups than ever. The report quotes the US National Cybersecurity Strategy document:

“Once available only to a small number of well-resourced countries, offensive hacking tools and services, including foreign commercial spyware, are now widely accessible. These tools and services empower countries that previously lacked the ability to harm U.S. interests in cyberspace and enable a growing threat from organized criminal syndicates.”

The IT/OT overlap

As per the report, the TSA has rolled out new directives that explicitly address IT/OT interdependencies. The TSA’s cybersecurity directives, first issued in response to the Colonial Pipeline attack, appear to be guiding mandates for other industries. As per Waterfall, the TSA directives start by defining network and system criticality in terms of the worst-case consequences of cyber compromise. Specific security measures are then required at the IT/OT criticality boundary.

Worst-case scenarios of compromise on OT networks are typically physical (e.g., production downtime, equipment damage or worse). Worst-case outcomes on IT networks tend to be business-related (e.g., clean-up costs, the theft of proprietary data and lawsuits related to PII). At the interface between IT and OT, the TSA requires very specific security measures. As per the Waterfall report, these measures include:

  • OT networks must continue operating at “necessary capacity,” even when IT networks are compromised
  • Owners and operators must eliminate all OT dependencies on IT services; if they cannot, they must document residual dependencies and compensating measures to the TSA
  • Owners and operators must eliminate all OT-to-IT domain trust relationships; if they cannot, they must develop policies to manage the risks due to those dangerous trusts
  • OT networks must be designed so that they can be isolated from IT networks during incident response procedures
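The four measures above can be turned into an auditable check over an asset inventory. The following is an added example, not code from Waterfall, the TSA or the article: it classifies systems into OT or IT by the worst-case consequence of compromise, lists direct OT-to-IT service dependencies (split into those with a documented compensating measure and those without), lists OT-to-IT domain trusts, and then simulates isolating the IT network to see what share of production capacity survives. The inventory, hostnames, domains, dependencies and capacity figures are all constructed for the example.

```python
"""Audit a constructed IT/OT inventory against the boundary controls the
article lists: OT keeps running at necessary capacity when IT is down,
OT dependencies on IT are eliminated or documented with a compensating
measure, OT-to-IT domain trusts are eliminated, and OT can be isolated.

Every hostname, domain, dependency and capacity figure here is hypothetical.
"""

# Constructed inventory. Criticality follows the worst-case consequence of
# compromise: "physical" puts a system in the OT zone, "business" in IT.
INVENTORY = {
    "erp.corp.example":    {"consequence": "business"},
    "it-dc.corp.example":  {"consequence": "business"},
    "it-dns.corp.example": {"consequence": "business"},
    "historian.plant.example": {
        "consequence": "physical",
        "depends_on": ["erp.corp.example"],
        # residual IT dependency with a documented compensating measure
        "compensating": {"erp.corp.example": "72h local buffer; batch upload once IT recovers"},
    },
    "scada.plant.example": {
        "consequence": "physical",
        "depends_on": ["it-dns.corp.example", "historian.plant.example"],
        "trusts": ["it-dc.corp.example"],  # OT domain trusts the IT domain
    },
    "plc-line1.plant.example": {"consequence": "physical",
                                "depends_on": ["scada.plant.example"], "capacity": 0.5},
    "plc-line2.plant.example": {"consequence": "physical", "capacity": 0.5},
}


def zone(inv, name):
    """Assign the zone from worst-case consequence, as the directives do."""
    return "OT" if inv[name]["consequence"] == "physical" else "IT"


def dependency_findings(inv):
    """Direct OT->IT dependencies, split into documented and undocumented."""
    documented, undocumented = [], []
    for name, sysinfo in inv.items():
        if zone(inv, name) != "OT":
            continue
        for dep in sysinfo.get("depends_on", []):
            if zone(inv, dep) != "IT":
                continue
            measure = sysinfo.get("compensating", {}).get(dep)
            if measure:
                documented.append((name, dep, measure))
            else:
                undocumented.append((name, dep))
    return sorted(documented), sorted(undocumented)


def domain_trust_findings(inv):
    """OT systems whose domain trusts an IT domain (to be eliminated)."""
    return sorted(
        (name, trusted)
        for name, sysinfo in inv.items() if zone(inv, name) == "OT"
        for trusted in sysinfo.get("trusts", []) if zone(inv, trusted) == "IT"
    )


def operational_when_isolated(inv, name, _stack=()):
    """Is this system still running once every IT system is unreachable?

    An OT system stays up if each dependency is up, or is an IT dependency
    covered by a compensating measure. IT systems and dependency cycles
    count as down.
    """
    if zone(inv, name) == "IT" or name in _stack:
        return False
    sysinfo = inv[name]
    return all(
        (dep in sysinfo.get("compensating", {})) if zone(inv, dep) == "IT"
        else operational_when_isolated(inv, dep, _stack + (name,))
        for dep in sysinfo.get("depends_on", [])
    )


def capacity_when_isolated(inv):
    """Share of rated production capacity that survives IT isolation."""
    rated = sum(s.get("capacity", 0.0) for s in inv.values())
    if rated == 0:
        return 0.0
    up = sum(s.get("capacity", 0.0)
             for n, s in inv.items() if operational_when_isolated(inv, n))
    return up / rated


def audit(inv, necessary_capacity):
    """Collect the findings a boundary review would report."""
    documented, undocumented = dependency_findings(inv)
    cap = capacity_when_isolated(inv)
    return {
        "documented_dependencies": documented,
        "undocumented_dependencies": undocumented,
        "domain_trusts": domain_trust_findings(inv),
        "capacity_when_isolated": cap,
        "meets_necessary_capacity": cap >= necessary_capacity,
    }


if __name__ == "__main__":
    for key, value in audit(INVENTORY, necessary_capacity=0.75).items():
        print(f"{key}: {value}")
```

With the constructed inventory, the SCADA host's undocumented reliance on IT DNS takes itself and line 1 down when IT is isolated, while the historian survives on its documented local buffer, so only half of rated capacity remains and a 75% "necessary capacity" requirement fails. The same structure works for a real inventory exported from a CMDB, provided each OT system records its direct dependencies and any compensating measure per dependency.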

Cybersecurity and the OT/IT convergence

The number of cyberattacks on manufacturing and critical infrastructure is increasing exponentially. From OT strategy development and vulnerability assessment to building and optimizing an OT SOC, there’s no time to waste. Learn more by reading The OT Security imperative — What is your strategy?
