The recently published IBM X-Force Threat Intelligence Index 2020 pointed out that over 8.5 billion records were compromised in 2019, a figure that’s more than 200 percent greater than the number of records lost in 2018. It also determined that scanning and exploitation of vulnerabilities have increased from just 8 percent of attacks in 2018 to nearly one-third, closing in on phishing as the most common attack vector.

So far, this seems to be business as usual with no real surprises for security professionals. But there is one point in the report that stands out: the dramatic increase in targeted attacks on industrial control systems (ICS).

Industrial Control Systems Systematically Targeted in 2019

Industrial control systems and similar operational technology (OT) are computing devices that control physical assets, such as pipeline valves, milling machines, conveyor belts and even train, ship or airplane systems.

IBM X-Force data indicates that events in which threat actors targeted ICS and OT assets increased over 2,000 percent since 2018. In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years combined. Most of the events observed used a combination of known vulnerabilities within supervisory control and data acquisition (SCADA) and ICS hardware components, as well as brute-force login tactics such as password-spraying attacks.

Converging Legacy Tech Attracts Attacks on Infrastructure

The convergence of IT and OT systems means the logical and physical connection between “classical” IT systems and computer controllers that operate physical assets. This connection has become important for automating processes, optimizing delivery chains and centralizing the control of complex processes. But, according to the report, this bridge between IT infrastructure and OT, such as programmable logic controllers (PLCs) and ICS, continued to present a risk to organizations that relied on such hybrid infrastructures in 2019.

This convergence allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost of recovery. One example of the potential impact of such an attack was a breach in early 2019 at a global manufacturing company. A ransomware infection starting from an IT system moved laterally into OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations but also caused a ripple across global markets.

Security assessments performed by IBM X-Force through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. The continued use of old, unsupported production systems containing well-known vulnerabilities means that even if OT systems are not internet-facing, they may still be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.

It’s no surprise that X-Force expects attacks against OT and ICS targets to continue to increase in 2020, as various threat actors plot and launch new campaigns against industrial networks across the globe. With more than 200 new ICS-related CVEs released in 2019, IBM X-Force’s vulnerability database shows that threats to ICS will likely continue to grow in 2020, according to the report.

Address the Risk of Converged IT/OT Environments With a New Approach

The first step in addressing the problem is to raise awareness of the presence of embedded systems in an organization and their associated risks. The biggest hurdle to addressing these risks is not managing the devices, but determining who is responsible for them and developing a maintenance and management plan accordingly.

In most organizations, the responsibility for the IT and OT world is separated — different people with different specializations and mindsets taking care of each world. Unfortunately, this means that duties straddling this organizational boundary, including monitoring for cyberthreats, are at risk of being overlooked. As IT and OT environments converge, industrial control systems security will need to be incorporated as seamlessly as possible into the big-picture security strategy.

Continuous Monitoring of ICS Environments Is Critical

If we set up a workplace computer with a state-of-the-art operating system, we estimate a lifespan of three years and expect that updates and fixes are delivered frequently. ICS and OT devices differ greatly from standard computers in that their life cycles can span 10, 15 or even 30 years, meaning they often rely on legacy operating systems with low resistance against common attack techniques.

Additionally, performing software updates on ICS and OT devices can be difficult, if not impossible. With that limitation on preventive measures, the detection of unusual or suspicious activities on such devices becomes even more important. Due to the proprietary nature of ICS and OT devices, active monitoring and detection is often the first line of defense. The resilience of these devices against cyberattacks will improve in the future, but this will likely take years considering their lifespan.
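The report attributes many of the observed OT events to brute-force and password-spraying logins, and the paragraphs above argue that detection has to stand in for patching on long-lived devices. The following is an added illustration, not code from the report or from IBM: a small detector that reads authentication log lines from an HMI or jump host (constructed sample lines in an assumed `key=value` format) and flags a source that fails logins against many distinct accounts in a short window, noting whether a success followed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the report): one source
# tries a password across many accounts; another is a user mistyping once.
SAMPLE_LOG = """\
2019-06-03T08:00:01 src=10.20.1.7 user=operator result=FAIL
2019-06-03T08:00:03 src=10.20.1.7 user=engineer result=FAIL
2019-06-03T08:00:05 src=10.20.1.7 user=admin result=FAIL
2019-06-03T08:00:07 src=10.20.1.7 user=maint result=FAIL
2019-06-03T08:00:09 src=10.20.1.7 user=plc_svc result=FAIL
2019-06-03T08:00:11 src=10.20.1.7 user=hmi result=FAIL
2019-06-03T08:00:13 src=10.20.1.7 user=scada result=SUCCESS
2019-06-03T08:05:00 src=10.20.5.9 user=operator result=FAIL
2019-06-03T08:05:30 src=10.20.5.9 user=operator result=SUCCESS
"""

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, src, user, result)."""
    ts, rest = line.split(" ", 1)
    kv = dict(item.split("=", 1) for item in rest.split())
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]

def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failed logins hit >= min_users distinct accounts
    within any `window`, and record whether a success followed the spray.
    A single account failing many times (classic brute force) is left to a
    separate per-account threshold; this function targets the spray pattern."""
    by_src = defaultdict(list)                     # src -> [(ts, user, result)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_src[src].append((ts, user, result))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(t, u) for t, u, r in events if r == "FAIL"]
        for start, _ in fails:
            users = {u for t, u in fails if start <= t <= start + window}
            if len(users) >= min_users:
                hit = any(r == "SUCCESS" and start <= t <= start + window
                          for t, _, r in events)
                alerts[src] = {"users": sorted(users), "success_after_spray": hit}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, info)
```

The `window` and `min_users` thresholds are assumptions to tune per environment; a spray that ends in a success is the alert to escalate first, since it is the foothold the lateral-movement scenario above starts from.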

Mastering the threats against ICS and OT environments will become an increasingly critical topic on chief information security officers’ (CISO) agendas, and the solution to these threats lies not necessarily in new tools, but rather in a fresh mindset and new organizational approaches. Although the threat landscape will shift constantly, security will continue to be defined by the trinity of people, processes and technology.

Download the X-Force Threat Intelligence Index 2020
