Light Dark
June 26, 2023 By Jonathan Reed 4 min read
News

Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years.

Growing threat to OT systems

In 2022, a 140% surge in cyberattacks against industrial operations resulted in more than 150 incidents, per a recent Waterfall Security report. In an ominous warning, the report says, “At this rate of growth, we expect cyberattacks to shut down 15,000 industrial sites in 2027, that is: in less than five years.”

The majority of these assaults were in the form of ransomware, encrypting critical computer systems and invaluable data across IT networks. However, the attacks impacted operational technology (OT) as well. Waterfall reported that most ransomware attacks only impaired the IT network, not the OT network.

The report states, “Nonetheless, in all ransomware attacks we track, there were physical consequences, either because physical operations relied on crippled IT systems for minute-by-minute operations, or because ransomware victims did not trust the strength of their OT security systems and so shut down operations ‘in an abundance of caution.’”

Real world damage

Attacks that impact OT can lead to real-world consequences beyond mere system delays. The Waterfall report highlighted some more notable events, such as:

  • Outages at widely known companies, including 14 of a top automobile manufacturing brand’s plants, 23 tire plants of a well-known brand and outages at a major food company and publishing company
  • Flight delays for tens of thousands of air travelers in four separate attacks
  • Physical operations were impacted in four attacks on metals and mining; One of the attacks resulted in a fire and material equipment damage
  • Malfunctions of loading and unloading of cargo containers, fuel and bulk oil for half a dozen seaports on three continents
  • Attacks contributed to the bankruptcy of two victim organizations.

As per the Waterfall researchers, public reports of cyberattacks with physical consequences in the industries studied have more than doubled annually since 2020. At the current rate, the number of attacks and the number of affected sites is increasing at a rate of 10x every 2.5 years. If this trend continues, a 100-fold increase in attacks and impacted sites may occur from 2022 to 2027.

These numbers may seem exaggerated to some. However, if we look at the explosion in ransomware attacks over the last several years, the Waterfall prediction may turn out to be an underestimate.

Examining attacker motives

While ransomware attacks clearly have financial motives at their core, attacks on the industrial sector attract hacktivists as well. In the report, 17% of 2022’s attacks had no identifiable motive. The majority of the attacks were ransomware (74%) and the remaining 9% were by hacktivists.

None of 2022’s hacktivist attacks included a ransom demand. Instead, hacktivist groups were motivated by political or ideological agendas. In every hacktivist incident, the sole motive was to disrupt critical infrastructure or services, per Waterfall.

Most of the hacktivist incidents went hand-in-hand with the ongoing conflict between Iran and Israel or the Russo-Ukrainian conflict. Of the six total hacktivist attacks, four incidents disrupted transportation operations (rails, public transportation or taxi services) and one targeted a steel mill which resulted in a fire and equipment damage. The last hacktivist attack targeted EV charging stations belonging to a power utility.

Ransomware impacts OT

In 2022, 42 identified ransomware attacks resulted in physical consequences in discrete manufacturing, process industries and industrial critical infrastructure. The total number of attacks with physical impact in 2022 nearly equals the total attacks (47) in all previous study years combined (2010-2021). Of the known ransomware attacks in 2022, 40% were attributed to known ransomware groups, including BlackCat, Conti, Lockbit, Hive, Black Basta, Black Byte, RansomEXX and LV.

Sophisticated attacks more common

Another trend highlighted in the report is the increased sophistication of attacks against the industrial sector. In the past, only state-sponsored actors had access to advanced TTPs. Now, advanced capabilities are at the disposal of more cyber groups than ever. The report quotes the US National Cybersecurity Strategy document:

“Once available only to a small number of well-resourced countries, offensive hacking tools and services, including foreign commercial spyware, are now widely accessible. These tools and services empower countries that previously lacked the ability to harm U.S. interests in cyberspace and enable a growing threat from organized criminal syndicates.”

The IT/OT overlap

As per the report, the TSA has rolled out new directives that explicitly address IT/OT interdependencies. In response to the Colonial Pipeline attack, the TSA’s cybersecurity response seems to be guiding mandates to other industries. As per Waterfall, the TSA directives start by defining network and system criticality in terms of the worst-case consequences of cyber compromise. Specific security measures are then required at the IT/OT criticality boundary.

Worst-case scenarios of compromise on OT networks are typically physical (e.g., production downtime, equipment damage or worse). Worst-case outcomes on IT networks tend to be business-related (e.g., clean-up costs, the theft of proprietary data and lawsuits related to PII). At the interface between IT and OT, the TSA requires very specific security measures. As per the Waterfall report, these measures include:

  • OT networks must continue operating at “necessary capacity,” even when IT networks are compromised
  • Owners and operators must eliminate all OT dependencies on IT services. If they cannot, they must document residual dependencies and compensating measures to the TSA
  • Owners and operators must eliminate all OT to IT domain trust relationships, and if they cannot, they must develop policies to manage the risks due to those dangerous trusts
  • OT networks must be designed so that they can be isolated from IT networks during incident response procedures.

Cybersecurity and the OT/IT convergence

The number of cyberattacks on manufacturing and critical infrastructure is increasing exponentially. From OT strategy development and vulnerability assessment to building and optimizing an OT SOC, there’s no time to waste. Learn more by reading The OT Security imperative — What is your strategy?

 |  |  |  |  |  |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from News
July 23, 2024

Recent CrowdStrike outage: What you should know

3 min read - On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses. What caused this outage in Microsoft systems? The global outage of specific Microsoft-enabled systems and servers was isolated to…

July 22, 2024

White House mandates stricter cybersecurity for R&D institutions

2 min read - Federal cyber regulation is edging further into research and development (R&D) and higher education. A recent memo from the Office of Science and Technology Policy (OSTP) states that certain covered institutions will be required to implement cybersecurity programs for R&D security. These mandates will also apply to institutions of higher education that support R&D. Beyond strengthening the overall U.S. security posture, this move is also in direct response to growing threats posed by the People's Republic of China (PRC), as…

July 19, 2024

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature