The recently published IBM X-Force Threat Intelligence Index 2020 pointed out that over 8.5 billion records were compromised in 2019, a figure that’s more than 200 percent greater than the number of records lost in 2018. It also determined that scanning and exploitation of vulnerabilities have increased from just 8 percent of attacks in 2018 to nearly one-third, closing in on phishing as the most common attack vector.

So far, this seems to be business as usual with no real surprises for security professionals. But there is one point in the report that stands out: the dramatic increase in targeted attacks on industrial control systems (ICS).

Industrial Control Systems Systematically Targeted in 2019

Industrial control systems and similar operational technology (OT) are computing devices that control physical assets, for example pipeline valves, milling machines, conveyor belts and even train, ship or airplane systems.

IBM X-Force data indicates that events in which threat actors targeted ICS and OT assets increased over 2,000 percent since 2018. In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years combined. Most of the events observed used a combination of known vulnerabilities within supervisory control and data acquisition (SCADA) and ICS hardware components, as well as brute-force login tactics such as password-spraying attacks.

Converging Legacy Tech Attracts Attacks on Infrastructure

The convergence of IT and OT systems means the logical and physical connection between “classical” IT systems and computer controllers that operate physical assets. This connection has become important for automating processes, optimizing delivery chains and centralizing the control of complex processes. But, according to the report, this bridge between IT infrastructure and OT, such as programmable logic controllers (PLCs) and ICS, continued to present a risk to organizations that relied on such hybrid infrastructures in 2019.

This convergence allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost of recovery. One example of the potential impact of such an attack was a breach in early 2019 at a global manufacturing company. A ransomware infection starting from an IT system moved laterally into OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations but also caused a ripple across global markets.

Security assessments performed by IBM X-Force through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. The continued use of old, unsupported production systems containing well-known vulnerabilities means that even if OT systems are not internet-facing, they may still be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.

It’s no surprise that X-Force expects attacks against OT and ICS targets to continue to increase in 2020, as various threat actors plot and launch new campaigns against industrial networks across the globe. With more than 200 new ICS-related CVEs released in 2019, IBM X-Force’s vulnerability database shows that threats to ICS will likely continue to grow in 2020, according to the report.

Address the Risk of Converged IT/OT Environments With a New Approach

The first step in addressing the problem is to raise awareness of the presence of embedded systems in an organization and their associated risks. The biggest hurdle to addressing these risks is not managing the devices, but determining who is responsible for them and developing a maintenance and management plan accordingly.

In most organizations, the responsibility for the IT and OT world is separated — different people with different specializations and mindsets taking care of each world. Unfortunately, this means that duties straddling this organizational boundary, including monitoring for cyberthreats, are at risk of being overlooked. As IT and OT environments converge, industrial control systems security will need to be incorporated as seamlessly as possible into the big-picture security strategy.

Continuous Monitoring of ICS Environments Is Critical

If we set up a workplace computer with a state-of-the-art operating system, we estimate a lifespan of three years and expect that updates and fixes are delivered frequently. ICS and OT devices differ greatly from standard computers in that their life cycles can span 10, 15 or even 30 years, meaning they often rely on legacy operating systems with low resistance against common attack techniques.

Additionally, performing software updates on ICS and OT devices can be difficult, if not impossible. With that limitation on preventive measures, the detection of unusual or suspicious activities on such devices becomes even more important. Due to the proprietary nature of ICS and OT devices, active monitoring and detection is often the first line of defense. The resilience of these devices against cyberattacks will improve in the future, but this will likely take years considering their lifespan.

Mastering the threats against ICS and OT environments will become an increasingly critical topic on chief information security officers’ (CISO) agendas, and the solution to these threats lies not necessarily in new tools, but rather in a fresh mindset and new organizational approaches. Although the threat landscape will shift constantly, security will continue to be defined by the trinity of people, processes and technology.
