With ransomware attacks affecting more industrial organisations, asset owners must take necessary precautions to address these threats or fall victim to them, a global cybersecurity report has warned

In 2023, a surge in global tension resulted in an increase in cyber threat activity and disruptions in critical infrastructure worldwide.

Escalating conflicts, including those between Ukraine and Russia, Israel and Hamas, and countries in the South China Sea, emboldened adversaries and hacktivists to develop new capabilities and reuse old techniques.

Simultaneously, ransomware attacks affected more industrial organisations, with a nearly 50 per cent increase in reported incidents.

Asset owners have been advised take necessary precautions to address these threats or fall victim to them.

These concerns were noted by Dragos, an industrial cybersecurity company, in its Year in Review report.

Ther report cited the capabilities developed in conflict areas among the threats that organisations must consider.

A year after Russia’s invasion of Ukraine, cyber threat activity in the region continues to escalate.

Dragos and the community became aware of new destructive malware capabilities as ELECTRUM conducted targeted cyber operations against Ukrainian critical infrastructure.

The mixture of traditional kinetic warfare with cyber-focused capabilities has created a new testbed for increased threat capabilities worldwide.

Similarly, the conflict that erupted in the Middle East included cyber attacks on critical infrastructure.

Pro-Israeli hacktivists claimed responsibility for the attacks that claimed to disrupt over 70 per cent of the gas stations in Iran, while pro-Hamas hacktivists targeted Israeli-manufactured operational technology (OT) hardware and software.

The impact of these attacks on industrial equipment spread beyond the conflict zone and affected various sectors, such as water and manufacturing, around the globe.

Throughout the year, Dragos continued to track threat groups as they developed capabilities and gained access.

Mounting tensions between China and Taiwan contributed to the environment where Dragos observed VOLTZITE target several industrial organisations in the Asia-Pacific region, Africa, and North America – including entities in electric, satellite communications, telecommunications, emergency management, and defense industrial base sectors – with cyber attack campaigns assessed to be aimed at long-term espionage objectives.

VOLTZITE’s wactions towards US electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country’s critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks.

Dragos tracked 21 threat groups targeting industrial organisations including three new threat groups.

INCREASING RANSOMWARE ATTACKS

Although threat groups and hacktivists posed significant risks in 2023, ransomware was the primary concern for many organisations globally.

This concern is well founded, considering the rise in ransomware attacks and the industrial impact observed by Dragos during incidents this year.

Dragos observed 50 active ransomware groups impacting industrial organisations in 2023 out of 77 groups that have historically attacked industrial organisations and infrastructure.

This represents a 28 per cent increase over last year.

Dragos tracked 905 reported ransomware incidents impacting industrial organisations in 2023, a 49.5 per cent increase from 2022.

Industrial organisations have much to lose because operational disruptions can carry significant financial and reputational costs.

Further, there can be numerous cascading impacts on downstream businesses and outputs. This leads to high-leverage situations.

These trends, along with new reporting requirements, saw an increased focus on response from many organisations.

Regulatory changes in the US, Europe, Australia, Asia, and the Middle East required organisations to develop capabilities to meet reporting obligations.

VULNERABILITY RISK MITIGATION

Another major focus area for organisations this year was understanding what risks vulnerabilities posed and how best to respond to them.

There was a 14 per cent increase in vulnerabilities advisories in 2023, with 31 per cent of advisories that Dragos analysed having incorrect data.

Patching every vulnerability is difficult in OT environments and may not improve OT network security.

In fact, patching unnecessarily may bring its own risk – unsuccessful patch application may cause unwanted downtime.

In addition, many OT devices and software have ‘forever-day’ vulnerabilities and are insecure by design.

This means patching a system to close a vulnerability may do nothing to improve the security of affected components, as underlying design flaws are still present.

A far better approach is to focus remediation and mitigation on items that positively impact the overall hygiene of the industrial process.

Addressing vulnerabilities generally means deploying updates or applying security controls that do not already exist.

Patching within an OT environment must be done in a way that ensures that normal, safe operations are maintained.

Often, this results in patches being delayed until a maintenance window. For this reason, it is important to have alternate methods to mitigate vulnerabilities in an advisory.

The year also saw the discovery of a major vulnerability impacting Rockwell Automation’s ControlLogix communication modules, reminiscent of the zero-day that XENOTIME exploited in the TRISIS attack.

However, this event exemplified how vendors, governments, and our community leverage communication and visibility to enable a unified, risk-based response.

PRIORITISING VULNERABILITIES

Prioritising vulnerabilities into actionable categories saves asset owners and operators from wasting time and resources on vulnerabilities with little or no impact on their operations.

In this regard, Dragos follows the Computer Emergency Response Coordination Center’s (CERT/CC) ‘Now, Next, Never’ methodology.

This methodology prioritises the vulnerabilities that defenders should mitigate immediately and places them in the Now category.

Vulnerabilities in the Next category can be mitigated through firewall rules and good network hygiene.

This second group could be patched on the next maintenance cycle but should be monitored for abnormal network activity or exploitation.

Lastly, vulnerabilities that do not increase the inherent risk of the device fall into the Never category.

ASSESSING CYBER READINESS

In 2023, major regulatory shifts were seen for critical infrastructure asset owners, resulting in organizations devoting more time and resources to preparing for a cybersecurity event.

This included updates for US pipeline operators in North America with TSA Pipeline-2021-02D (SD-02D).

In Europe, it was the Network and Information Systems Directive (NIS2); in Australia, the Security of Critical Infrastructure SOCI Act; and, the Essential Cybersecurity Controls (ECC) ECC in the Kingdom of Saudi Arabia.

By Abdulaziz Khattak