June 26, 2023 By Jonathan Reed

Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years.

Growing threat to OT systems

In 2022, a 140% surge in cyberattacks against industrial operations resulted in more than 150 incidents, per a recent Waterfall Security report. In an ominous warning, the report says, “At this rate of growth, we expect cyberattacks to shut down 15,000 industrial sites in 2027, that is: in less than five years.”

The majority of these assaults were ransomware, encrypting critical computer systems and invaluable data across IT networks. The attacks nevertheless had consequences for operational technology (OT) as well, even though Waterfall reported that most ransomware attacks directly impaired only the IT network, not the OT network.

The report states, “Nonetheless, in all ransomware attacks we track, there were physical consequences, either because physical operations relied on crippled IT systems for minute-by-minute operations, or because ransomware victims did not trust the strength of their OT security systems and so shut down operations ‘in an abundance of caution.’”

Real world damage

Attacks that impact OT can lead to real-world consequences beyond mere system delays. The Waterfall report highlighted some more notable events, such as:

  • Outages at widely known companies, including 14 plants of a top automobile manufacturing brand, 23 tire plants of a well-known brand, a major food company and a publishing company
  • Flight delays for tens of thousands of air travelers in four separate attacks
  • Physical operations impacted in four attacks on metals and mining; one of the attacks resulted in a fire and material equipment damage
  • Malfunctions in the loading and unloading of cargo containers, fuel and bulk oil at half a dozen seaports on three continents
  • Attacks that contributed to the bankruptcy of two victim organizations.

As per the Waterfall researchers, public reports of cyberattacks with physical consequences in the industries studied have more than doubled annually since 2020. At the current rate, the number of attacks and the number of affected sites are increasing 10x every 2.5 years. If this trend continues, a 100-fold increase in attacks and impacted sites may occur between 2022 and 2027.

These numbers may seem exaggerated to some. However, if we look at the explosion in ransomware attacks over the last several years, the Waterfall prediction may turn out to be an underestimate.

Examining attacker motives

While ransomware attacks clearly have financial motives at their core, attacks on the industrial sector attract hacktivists as well. In the report, 17% of 2022’s attacks had no identifiable motive. The majority of the attacks were ransomware (74%) and the remaining 9% were by hacktivists.

None of 2022’s hacktivist attacks included a ransom demand. Instead, hacktivist groups were motivated by political or ideological agendas. In every hacktivist incident, the sole motive was to disrupt critical infrastructure or services, per Waterfall.

Most of the hacktivist incidents went hand-in-hand with the ongoing conflict between Iran and Israel or with the Russo-Ukrainian conflict. Of the six hacktivist attacks in total, four disrupted transportation operations (rail, public transportation or taxi services) and one targeted a steel mill, resulting in a fire and equipment damage. The last hacktivist attack targeted EV charging stations belonging to a power utility.

Ransomware impacts OT

In 2022, 42 identified ransomware attacks resulted in physical consequences in discrete manufacturing, process industries and industrial critical infrastructure. The total number of attacks with physical impact in 2022 nearly equals the total attacks (47) in all previous study years combined (2010-2021). Of the known ransomware attacks in 2022, 40% were attributed to known ransomware groups, including BlackCat, Conti, Lockbit, Hive, Black Basta, Black Byte, RansomEXX and LV.

Sophisticated attacks more common

Another trend highlighted in the report is the increased sophistication of attacks against the industrial sector. In the past, only state-sponsored actors had access to advanced tactics, techniques and procedures (TTPs). Now, advanced capabilities are at the disposal of more cyber groups than ever. The report quotes the US National Cybersecurity Strategy document:

“Once available only to a small number of well-resourced countries, offensive hacking tools and services, including foreign commercial spyware, are now widely accessible. These tools and services empower countries that previously lacked the ability to harm U.S. interests in cyberspace and enable a growing threat from organized criminal syndicates.”

The IT/OT overlap

As per the report, the TSA has rolled out new directives that explicitly address IT/OT interdependencies. The TSA's cybersecurity response to the Colonial Pipeline attack appears to be serving as a model for mandates in other industries. As per Waterfall, the TSA directives start by defining network and system criticality in terms of the worst-case consequences of cyber compromise. Specific security measures are then required at the IT/OT criticality boundary.

Worst-case scenarios of compromise on OT networks are typically physical (e.g., production downtime, equipment damage or worse). Worst-case outcomes on IT networks tend to be business-related (e.g., clean-up costs, the theft of proprietary data and lawsuits related to PII). At the interface between IT and OT, the TSA requires very specific security measures. As per the Waterfall report, these measures include:

  • OT networks must continue operating at “necessary capacity,” even when IT networks are compromised
  • Owners and operators must eliminate all OT dependencies on IT services; where they cannot, they must document the residual dependencies and compensating measures to the TSA
  • Owners and operators must eliminate all OT-to-IT domain trust relationships; where they cannot, they must develop policies to manage the risks those trust relationships pose
  • OT networks must be designed so that they can be isolated from IT networks during incident response procedures.

Cybersecurity and the OT/IT convergence

The number of cyberattacks on manufacturing and critical infrastructure is increasing exponentially. From OT strategy development and vulnerability assessment to building and optimizing an OT SOC, there’s no time to waste. Learn more by reading The OT Security imperative — What is your strategy?
