The recently published IBM X-Force Threat Intelligence Index 2020 pointed out that over 8.5 billion records were compromised in 2019, a figure that’s more than 200 percent greater than the number of records lost in 2018. It also determined that scanning and exploitation of vulnerabilities have increased from just 8 percent of attacks in 2018 to nearly one-third, closing in on phishing as the most common attack vector.

So far, this seems to be business as usual with no real surprises for security professionals. But there is one point in the report that stands out: the dramatic increase in targeted attacks on industrial control systems (ICS).

Industrial Control Systems Systematically Targeted in 2019

Industrial control systems and similar operational technology (OT) are computing devices that control physical assets, for example pipeline valves, milling machines, conveyor belts and even train, ship or airplane systems.

IBM X-Force data indicates that events in which threat actors targeted ICS and OT assets increased over 2,000 percent since 2018. In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years combined. Most of the events observed used a combination of known vulnerabilities within supervisory control and data acquisition (SCADA) and ICS hardware components, as well as brute-force login tactics such as password-spraying attacks.

Converging Legacy Tech Attracts Attacks on Infrastructure

The convergence of IT and OT systems means the logical and physical connection between “classical” IT systems and computer controllers that operate physical assets. This connection has become important for automating processes, optimizing delivery chains and centralizing the control of complex processes. But, according to the report, this bridge between IT infrastructure and OT, such as programmable logic controllers (PLCs) and ICS, continued to present a risk to organizations that relied on such hybrid infrastructures in 2019.

This convergence allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost of recovery. One example of the potential impact of such an attack was a breach in early 2019 at a global manufacturing company. A ransomware infection starting from an IT system moved laterally into OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations but also caused a ripple across global markets.

Security assessments performed by IBM X-Force through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. The continued use of old, unsupported production systems containing well-known vulnerabilities means that even if OT systems are not internet-facing, they may still be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.

It’s no surprise that X-Force expects attacks against OT and ICS targets to continue to increase in 2020, as various threat actors plot and launch new campaigns against industrial networks across the globe. With more than 200 new ICS-related CVEs released in 2019, IBM X-Force’s vulnerability database shows that threats to ICS will likely continue to grow in 2020, according to the report.

Address the Risk of Converged IT/OT Environments With a New Approach

The first step in addressing the problem is to raise awareness of the presence of embedded systems in an organization and their associated risks. The biggest hurdle to addressing these risks is not managing the devices, but determining who is responsible for them and developing a maintenance and management plan accordingly.

In most organizations, the responsibility for the IT and OT world is separated — different people with different specializations and mindsets taking care of each world. Unfortunately, this means that duties straddling this organizational boundary, including monitoring for cyberthreats, are at risk of being overlooked. As IT and OT environments converge, industrial control systems security will need to be incorporated as seamlessly as possible into the big-picture security strategy.

Continuous Monitoring of ICS Environments Is Critical

If we set up a workplace computer with a state-of-the-art operating system, we estimate a lifespan of three years and expect that updates and fixes are delivered frequently. ICS and OT devices differ greatly from standard computers in that their life cycles can span 10, 15 or even 30 years, meaning they often rely on legacy operating systems with low resistance against common attack techniques.

Additionally, performing software updates on ICS and OT devices can be difficult, if not impossible. With that limitation on preventive measures, the detection of unusual or suspicious activities on such devices becomes even more important. Due to the proprietary nature of ICS and OT devices, active monitoring and detection are often the first line of defense. The resilience of these devices against cyberattacks will improve in the future, but this will likely take years considering their lifespan.
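As an added illustration of the monitoring the report calls for (this is example code, not from IBM or the X-Force report), two detections run over constructed OT gateway log lines: a password-spray pattern against ICS logins, the tactic named above, and a first-seen IT host reaching into the OT subnet, the IT-to-OT lateral movement described earlier. The log format, subnet ranges and baseline host list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format (not a real product's log):
# "<ISO timestamp> auth src=<ip> dst=<ip> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2019-03-04T08:00:01 auth src=10.1.5.23 dst=192.168.50.10 user=operator result=ok
2019-03-04T08:00:05 auth src=10.1.5.99 dst=192.168.50.10 user=admin result=fail
2019-03-04T08:00:06 auth src=10.1.5.99 dst=192.168.50.10 user=operator result=fail
2019-03-04T08:00:07 auth src=10.1.5.99 dst=192.168.50.11 user=engineer result=fail
2019-03-04T08:00:08 auth src=10.1.5.99 dst=192.168.50.11 user=scada result=fail
2019-03-04T08:00:09 auth src=10.1.5.99 dst=192.168.50.12 user=maint result=fail
"""

LINE_RE = re.compile(r"^(\S+) auth src=(\S+) dst=(\S+) user=(\S+) result=(\S+)$")
OT_PREFIX = "192.168.50."       # assumed OT/ICS subnet
KNOWN_IT_TO_OT = {"10.1.5.23"}  # assumed baseline: IT hosts allowed to reach OT

def parse(log):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, user, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "user": user, "result": result})
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Password spraying: one source fails against many distinct OT usernames
    inside a short window (few attempts per account, so lockout rules miss it)."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail" and e["dst"].startswith(OT_PREFIX):
            by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits.append(src)
                break
    return sorted(hits)

def detect_new_it_to_ot(events, baseline=KNOWN_IT_TO_OT):
    """Lateral-movement indicator: a host outside the baseline touching OT assets."""
    return sorted({e["src"] for e in events
                   if e["dst"].startswith(OT_PREFIX) and e["src"] not in baseline})
```

Both checks need only the gateway's authentication log, so they can run on a collector beside devices that themselves cannot be patched or instrumented.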

Mastering the threats against ICS and OT environments will become an increasingly critical topic on chief information security officers’ (CISO) agendas, and the solution to these threats lies not necessarily in new tools, but rather in a fresh mindset and new organizational approaches. Although the threat landscape will shift constantly, security will continue to be defined by the trinity of people, processes and technology.
