The recently published IBM X-Force Threat Intelligence Index 2020 pointed out that over 8.5 billion records were compromised in 2019, a figure that’s more than 200 percent greater than the number of records lost in 2018. It also determined that scanning and exploitation of vulnerabilities have increased from just 8 percent of attacks in 2018 to nearly one-third, closing in on phishing as the most common attack vector.

So far, this seems to be business as usual with no real surprises for security professionals. But there is one point in the report that stands out: the dramatic increase in targeted attacks on industrial control systems (ICS).

Industrial Control Systems Systematically Targeted in 2019

Industrial control systems and similar operational technology (OT) are computing devices that control physical assets. Examples include pipeline valves, milling machines, conveyor belts and even train, ship or airplane systems.

IBM X-Force data indicates that events in which threat actors targeted ICS and OT assets increased over 2,000 percent since 2018. In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years combined. Most of the events observed used a combination of known vulnerabilities within supervisory control and data acquisition (SCADA) and ICS hardware components, as well as brute-force login tactics such as password-spraying attacks.

Converging Legacy Tech Attracts Attacks on Infrastructure

The convergence of IT and OT systems refers to the logical and physical connection between “classical” IT systems and the computer controllers that operate physical assets. This connection has become important for automating processes, optimizing delivery chains and centralizing the control of complex processes. But, according to the report, this bridge between IT infrastructure and OT, such as programmable logic controllers (PLCs) and ICS, continued to present a risk in 2019 to organizations that rely on such hybrid infrastructures.

This convergence allows a breach that begins on the IT side to reach the OT devices controlling physical assets, which can greatly increase the cost of recovery. One example of the potential impact of such an attack was a breach in early 2019 at a global manufacturing company. A ransomware infection that started on an IT system moved laterally into the OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations but also caused a ripple across global markets.

Security assessments performed by IBM X-Force through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. The continued use of old, unsupported production systems containing well-known vulnerabilities means that even if OT systems are not internet-facing, they may still be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.

It’s no surprise that X-Force expects attacks against OT and ICS targets to continue to increase in 2020, as various threat actors plot and launch new campaigns against industrial networks across the globe. With more than 200 new ICS-related CVEs released in 2019, IBM X-Force’s vulnerability database shows that threats to ICS will likely continue to grow in 2020, according to the report.

Address the Risk of Converged IT/OT Environments With a New Approach

The first step in addressing the problem is to raise awareness of the presence of embedded systems in an organization and their associated risks. The biggest hurdle to addressing these risks is not managing the devices, but determining who is responsible for them and developing a maintenance and management plan accordingly.

In most organizations, the responsibility for the IT and OT world is separated — different people with different specializations and mindsets taking care of each world. Unfortunately, this means that duties straddling this organizational boundary, including monitoring for cyberthreats, are at risk of being overlooked. As IT and OT environments converge, industrial control systems security will need to be incorporated as seamlessly as possible into the big-picture security strategy.

Continuous Monitoring of ICS Environments Is Critical

A workplace computer running a current operating system is typically expected to last about three years and to receive updates and fixes frequently. ICS and OT devices differ greatly from standard computers in that their life cycles can span 10, 15 or even 30 years, meaning they often rely on legacy operating systems with low resistance against common attack techniques.

Additionally, performing software updates on ICS and OT devices can be difficult, if not impossible. With that limitation on preventive measures, the detection of unusual or suspicious activities on such devices becomes even more important. Because ICS and OT devices are proprietary and rarely support host-based security agents, active monitoring and detection, typically at the network level and in centrally collected logs, is often the first line of defense. The resilience of these devices against cyberattacks will improve in the future, but this will likely take years considering their lifespan.
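The report notes that most of the observed OT events combined known vulnerabilities with brute-force login tactics such as password spraying, and this section argues that detection has to carry the load where patching cannot. The following is an added example (not code from the report or from IBM X-Force) of what that detection looks like in practice: two sliding-window rules run over authentication logs forwarded from OT-adjacent hosts. It assumes OpenSSH-style “Failed password” / “Accepted password” messages from two hypothetical HMI hosts, hmi01 and hmi02; the log lines are constructed for the example, and the thresholds (5 distinct accounts for a spray, 6 attempts on one account for brute force, within 10 minutes) are illustrative starting points rather than values the report gives.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from the X-Force report): OpenSSH-style auth messages
# from two hypothetical HMI hosts, as they would arrive at a central syslog collector.
# 10.20.5.44 sprays six accounts and then logs in as "maint"; 10.20.7.9 is an operator
# mistyping a password; 172.16.3.20 hammers a single "admin" account.
SAMPLE_LOG = """\
2019-03-04T02:10:01Z hmi01 sshd[4021]: Failed password for operator from 10.20.5.44 port 51022
2019-03-04T02:10:03Z hmi01 sshd[4022]: Failed password for engineer from 10.20.5.44 port 51023
2019-03-04T02:10:05Z hmi01 sshd[4023]: Failed password for invalid user scada from 10.20.5.44 port 51024
2019-03-04T02:10:08Z hmi01 sshd[4024]: Failed password for admin from 10.20.5.44 port 51025
2019-03-04T02:10:11Z hmi01 sshd[4025]: Failed password for plc_svc from 10.20.5.44 port 51026
2019-03-04T02:10:14Z hmi01 sshd[4026]: Failed password for maint from 10.20.5.44 port 51027
2019-03-04T02:10:20Z hmi01 sshd[4027]: Accepted password for maint from 10.20.5.44 port 51028
2019-03-04T02:11:00Z hmi01 sshd[4030]: Failed password for operator from 10.20.7.9 port 40001
2019-03-04T02:11:09Z hmi01 sshd[4031]: Failed password for operator from 10.20.7.9 port 40002
2019-03-04T02:11:15Z hmi01 sshd[4032]: Accepted password for operator from 10.20.7.9 port 40003
2019-03-04T02:11:30Z hmi01 sshd[4032]: pam_unix(sshd:session): session opened for user operator by (uid=0)
2019-03-04T02:30:00Z hmi02 sshd[5100]: Failed password for admin from 172.16.3.20 port 33001
2019-03-04T02:30:05Z hmi02 sshd[5101]: Failed password for admin from 172.16.3.20 port 33002
2019-03-04T02:30:10Z hmi02 sshd[5102]: Failed password for admin from 172.16.3.20 port 33003
2019-03-04T02:30:15Z hmi02 sshd[5103]: Failed password for admin from 172.16.3.20 port 33004
2019-03-04T02:30:20Z hmi02 sshd[5104]: Failed password for admin from 172.16.3.20 port 33005
2019-03-04T02:30:25Z hmi02 sshd[5105]: Failed password for admin from 172.16.3.20 port 33006
2019-03-04T02:30:30Z hmi02 sshd[5106]: Failed password for admin from 172.16.3.20 port 33007
2019-03-04T02:30:35Z hmi02 sshd[5107]: Failed password for admin from 172.16.3.20 port 33008
"""

# Only the login outcome lines are modelled; everything else (session open/close,
# key exchange noise) is skipped by the parser. Swap this regex for a proprietary
# HMI/SCADA log format and the rules below stay the same.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3}) port \d+$"
)


def parse_line(line):
    """Return an event dict for a login-outcome line, or None for lines we do not model."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "Accepted",
    }


def detect_login_attacks(lines, window=timedelta(minutes=10), spray_users=5, brute_attempts=6):
    """Two per-source sliding-window rules over chronologically sorted events:
       password_spray - failures against >= spray_users distinct accounts inside `window`
       brute_force    - >= brute_attempts failures against one account inside `window`
    A successful login from an already-flagged source is attached to its alert(s),
    because that is the case an operator must act on first."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> failures still inside the window
    total_fail = defaultdict(int)  # src -> all failures seen so far
    alerts = {}                   # (src, rule) -> alert dict, one per source and rule
    for e in events:
        src = e["src"]
        if e["ok"]:
            for (a_src, _), a in alerts.items():
                if a_src == src:
                    a["successes"].append({"user": e["user"], "host": e["host"], "ts": e["ts"].isoformat()})
            continue
        total_fail[src] += 1
        q = recent[src]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:   # drop failures that aged out of the window
            q.popleft()
        per_user = defaultdict(int)
        for f in q:
            per_user[f["user"]] += 1
        fired = []
        if len(per_user) >= spray_users:         # many accounts, few tries each
            fired.append("password_spray")
        if max(per_user.values()) >= brute_attempts:  # one account, many tries
            fired.append("brute_force")
        for rule in fired:
            a = alerts.setdefault((src, rule), {
                "rule": rule, "src": src, "first_seen": q[0]["ts"].isoformat(),
                "hosts": [], "users": [], "successes": [],
            })
            a["last_seen"] = e["ts"].isoformat()
            a["hosts"] = sorted(set(a["hosts"]) | {f["host"] for f in q})
            a["users"] = sorted(set(a["users"]) | set(per_user))
            a["failures"] = total_fail[src]
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    import json
    for alert in detect_login_attacks(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert, indent=2))
```

On the sample input this yields two alerts: a password spray from 10.20.5.44 covering six accounts with a subsequent successful login as maint, and a brute-force run from 172.16.3.20 against admin; the operator's two typos from 10.20.7.9 stay below both thresholds. The spray rule is the one worth tuning carefully on OT networks, where shared service accounts and automated polling can legitimately produce failures across several usernames from a single engineering workstation; raising the window or the account threshold, or allow-listing known jump hosts, is the usual adjustment.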

Mastering the threats against ICS and OT environments will become an increasingly critical topic on chief information security officers’ (CISO) agendas, and the solution to these threats lies not necessarily in new tools, but rather in a fresh mindset and new organizational approaches. Although the threat landscape will shift constantly, security will continue to be defined by the trinity of people, processes and technology.
