Industrial Cybersecurity: Building Resilience Now

In 2021, the industrial community attracted high-profile attention. Major cybersecurity incidents struck industrial organisations in a range of sectors, with international headlines detailing everything from a compromise of a water treatment facility with the intent to poison its community, to a ransomware attack against a pipeline operator that disrupted gas supplies to the southeastern United States.

These reports underscored the potentially devastating outcomes a security breach of critical infrastructure could have on communities and a country’s economy. They also elevated the discussion the ICS/OT community has been having for years on cyber readiness and brought them to the proverbial kitchen table—and the policymakers’ and regulators’ office desks, too.

As we think about cyber resilience, the recently released 2021 Dragos Year in Review provides industrial organisations with meaningful insights to help them more fully understand the cyber risks surrounding their most important assets—their ICS/OT environments.

It adds data-driven insights that add context to the sensational stories and evidence from the field of how industrial organisations are progressing in their cybersecurity readiness and where they need to continue their work to provide safe and reliable operations into 2022 and beyond.

New Activity Groups Discovered

Dragos discovered three new activity groups with the assessed motivation of targeting ICS/OT. Two of the groups have achieved Stage 2 of the ICS Cyber Kill Chain showing their ability to get access directly to ICS/OT networks.

In March 2021 KOSTOVITE compromised the perimeter of an energy operation and maintenance provider network, exploiting a zero-day vulnerability in the popular remote access solution, Ivanti Connect Secure. KOSTIVITE used dedicated operational relay infrastructure against this target to obfuscate the origin of its activities, then stole and used legitimate account credentials for its intrusion.

PETROVITE targets mining and energy operations in Kazakhstan. One targeted group has 16 business units that focus on mining and power generation throughout Kazakhstan. Dragos is aware of targeted operations that started during the third quarter of 2019 and have intermittently continued throughout 2021.

ERYTHRITE is an activity group that broadly targets organisations in the US and Canada with ongoing, iterative malware campaigns. Dragos has observed ERYTHRITE compromising the OT environments of a Fortune 500 company and the IT networks of a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple Oil and Natural Gas service firms.

State of ICS/OT Vulnerabilities

In 2021, the number of reported ICS vulnerabilities continued to increase, which coincided with an increase in vendors providing patches for disclosed flaws in advisories. Dragos researchers analysed 1703 ICS/OT common vulnerabilities and exposures (CVEs), which is more than twice as many as 2020. For each CVE, Dragos independently assesses, confirms, and often corrects the advisories and describes any flaws in firmware or software.

Acting on ICS/OT Vulnerabilities

Dragos works with the community to help vendors provide more accurate, actionable, and easier-to-track advisories. In 2021, we significantly enhanced the vulnerability management features offered to customers through the Dragos Platform.

We assess vulnerabilities in our WorldView Intelligence reports in the Dragos Platform and categorise them by threat levels: Immediate Action, Limited Threat, Possible Threat, No Action, and Hype. Dragos also recommends four different responses to those threats: Remediate, Mitigate, Monitor, or Ignore.

The following summarises our analysis of how to respond to vulnerabilities seen in 2021.

Industrial Risk to Ransomware

Ransomware became the number one attack vector in the industrial sector:

• Dragos assessed that manufacturing accounted for 65% of all ransomware attacks.
• Two ransomware groups, Conti and Lockbit 2.0, caused 51% of attacks—with 70% of their malicious activity targeting manufacturing.

Lessons Learned from Customer Engagements

Following are four key findings discovered from customer service engagements:

• 86% of service engagements have a lack of visibility across OT networks—making detections, triage, and response incredibly difficult at scale.
• 77% of service engagements included a finding about improper network segmentation.
• 70% of service engagements included a finding of external connections from OEMs, IT networks, or the Internet to the OT network.
• 44% of service engagements included a finding about shared credentials in OT systems, the most common method of lateral movement & privilege escalation.

“While the industrial community has discussed the importance of OT cybersecurity for years, 2021 brought high-profile attacks that showed the real-world outcomes on local communities and global economies,” said Robert M. Lee, Chief Executive Officer and Co-Founder of Dragos.

“The cyber risk to industrial sectors is accelerating at a time of rising geo-political tensions, and digital transformation initiatives driving hyper connectivity. The real-world observations and data-backed insights can serve as practical, timely guidance as the industrial community strives to understand where they are exposed, what threat groups are doing, and how to build security and resiliency into their OT systems.”

You can download the Dragos 2021 Year In Review Report here.