Light Dark
June 26, 2023 By Jonathan Reed 4 min read
News

Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years.

Growing threat to OT systems

In 2022, a 140% surge in cyberattacks against industrial operations resulted in more than 150 incidents, per a recent Waterfall Security report. In an ominous warning, the report says, “At this rate of growth, we expect cyberattacks to shut down 15,000 industrial sites in 2027, that is: in less than five years.”

The majority of these assaults were in the form of ransomware, encrypting critical computer systems and invaluable data across IT networks. However, the attacks impacted operational technology (OT) as well. Waterfall reported that most ransomware attacks only impaired the IT network, not the OT network.

The report states, “Nonetheless, in all ransomware attacks we track, there were physical consequences, either because physical operations relied on crippled IT systems for minute-by-minute operations, or because ransomware victims did not trust the strength of their OT security systems and so shut down operations ‘in an abundance of caution.’”

Real world damage

Attacks that impact OT can lead to real-world consequences beyond mere system delays. The Waterfall report highlighted some more notable events, such as:

  • Outages at widely known companies, including 14 of a top automobile manufacturing brand’s plants, 23 tire plants of a well-known brand and outages at a major food company and publishing company
  • Flight delays for tens of thousands of air travelers in four separate attacks
  • Physical operations were impacted in four attacks on metals and mining; One of the attacks resulted in a fire and material equipment damage
  • Malfunctions of loading and unloading of cargo containers, fuel and bulk oil for half a dozen seaports on three continents
  • Attacks contributed to the bankruptcy of two victim organizations.

As per the Waterfall researchers, public reports of cyberattacks with physical consequences in the industries studied have more than doubled annually since 2020. At the current rate, the number of attacks and the number of affected sites is increasing at a rate of 10x every 2.5 years. If this trend continues, a 100-fold increase in attacks and impacted sites may occur from 2022 to 2027.

These numbers may seem exaggerated to some. However, if we look at the explosion in ransomware attacks over the last several years, the Waterfall prediction may turn out to be an underestimate.

Examining attacker motives

While ransomware attacks clearly have financial motives at their core, attacks on the industrial sector attract hacktivists as well. In the report, 17% of 2022’s attacks had no identifiable motive. The majority of the attacks were ransomware (74%) and the remaining 9% were by hacktivists.

None of 2022’s hacktivist attacks included a ransom demand. Instead, hacktivist groups were motivated by political or ideological agendas. In every hacktivist incident, the sole motive was to disrupt critical infrastructure or services, per Waterfall.

Most of the hacktivist incidents went hand-in-hand with the ongoing conflict between Iran and Israel or the Russo-Ukrainian conflict. Of the six total hacktivist attacks, four incidents disrupted transportation operations (rails, public transportation or taxi services) and one targeted a steel mill which resulted in a fire and equipment damage. The last hacktivist attack targeted EV charging stations belonging to a power utility.

Ransomware impacts OT

In 2022, 42 identified ransomware attacks resulted in physical consequences in discrete manufacturing, process industries and industrial critical infrastructure. The total number of attacks with physical impact in 2022 nearly equals the total attacks (47) in all previous study years combined (2010-2021). Of the known ransomware attacks in 2022, 40% were attributed to known ransomware groups, including BlackCat, Conti, Lockbit, Hive, Black Basta, Black Byte, RansomEXX and LV.

Sophisticated attacks more common

Another trend highlighted in the report is the increased sophistication of attacks against the industrial sector. In the past, only state-sponsored actors had access to advanced TTPs. Now, advanced capabilities are at the disposal of more cyber groups than ever. The report quotes the US National Cybersecurity Strategy document:

“Once available only to a small number of well-resourced countries, offensive hacking tools and services, including foreign commercial spyware, are now widely accessible. These tools and services empower countries that previously lacked the ability to harm U.S. interests in cyberspace and enable a growing threat from organized criminal syndicates.”

The IT/OT overlap

As per the report, the TSA has rolled out new directives that explicitly address IT/OT interdependencies. In response to the Colonial Pipeline attack, the TSA’s cybersecurity response seems to be guiding mandates to other industries. As per Waterfall, the TSA directives start by defining network and system criticality in terms of the worst-case consequences of cyber compromise. Specific security measures are then required at the IT/OT criticality boundary.

Worst-case scenarios of compromise on OT networks are typically physical (e.g., production downtime, equipment damage or worse). Worst-case outcomes on IT networks tend to be business-related (e.g., clean-up costs, the theft of proprietary data and lawsuits related to PII). At the interface between IT and OT, the TSA requires very specific security measures. As per the Waterfall report, these measures include:

  • OT networks must continue operating at “necessary capacity,” even when IT networks are compromised
  • Owners and operators must eliminate all OT dependencies on IT services. If they cannot, they must document residual dependencies and compensating measures to the TSA
  • Owners and operators must eliminate all OT to IT domain trust relationships, and if they cannot, they must develop policies to manage the risks due to those dangerous trusts
  • OT networks must be designed so that they can be isolated from IT networks during incident response procedures.

Cybersecurity and the OT/IT convergence

The number of cyberattacks on manufacturing and critical infrastructure is increasing exponentially. From OT strategy development and vulnerability assessment to building and optimizing an OT SOC, there’s no time to waste. Learn more by reading The OT Security imperative — What is your strategy?

 |  |  |  |  |  |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from News
April 22, 2024

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role. “In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said…

April 15, 2024

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government. The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of…

April 8, 2024

Recent developments and updates in Biden cyber policy

3 min read - The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature