2021 was the year that marked a major cyber-attack against a critical national infrastructure organization whose impact was felt by millions of Americans on the East Coast. However, the attack against the Colonial Pipeline Company was not the only incident that affected the Operational Technology (OT) systems of a critical sector for the U.S. national economy. In response to a growing number of attacks, President Biden signed an Executive Order in May 2021 with the aim of strengthening the cybersecurity of the U.S. government and critical infrastructure.
The same level of concern is also shared across many developed countries in the world. The digitization of critical OT systems and the connection of previously isolated Industrial Control Systems (ICS) to the internet has brought endless possibilities as well as risks. Because of the IT-OT convergence, threats that originate in the IT environment are extending into the OT domain, harming the safety and reliability of critical processes. Since these OT processes affect the physical world, such disruptions may have ripple effects and may even lead to loss of life.
To better understand the extend of the issue, it would be beneficial to take a tour around the world and read what various state cybersecurity reports say about OT cybersecurity.
Franco-German Common Situational Picture
The French cybersecurity agency (ANSSI) and its German counterpart (BSI) have been issuing for the last years common situational reports to promote threat intelligence sharing. In the third edition of the report in 2020, the two agencies note the following:
The digitalization of production processes underpinning the core activity of an entity, through the connection of operational technology (OT), will carry risks for the near future. Those OT systems have usually a long lifecycle and are expensive. Hence, they are not changed or upgraded on a regular basis. Therefore, ANSSI and BSI must assume that most of the currently working OT systems were installed at a time when IT security was not recognized as a vital factor for the operation of OT systems.
In the 2021 edition, ANSSI and BSI goes on to highlight that “At the beginning, ransomware was widely used against individual users with relatively low ransom demands. Over time, particularly in recent years, ransomware became a major threat to networks of large organizations in so-called Big Game Hunting (BGH) attacks.”
Cybercriminal groups are now focused on targeting companies and institutions whose business interruption may lead to important economic, industrial, or social consequences. Targets include local governments, the education sector, hospitals, and digital service providers. All these institutions are covered by the EU NIS Directive that provides strict requirements on the security of critical infrastructure in Europe.
Europol Internet Organized Crime Threat Assessment 2021
The same trends are highlighted in Europol’s flag report, IOCTA 2021. Europe’s law enforcement agency noted that “ransomware reports had increased during the reporting period. The trends of focusing on large corporations and public institutions, utilizing vulnerabilities in the digital supply chain, and multi-layered extortion is an indication of the increased sophistication and maturation of the ransomware affiliate programs involved.”
The agency also explains the trend that ransomware gangs are going after "big fish" and that mass-distributed ransomware involving spray-and-pray tactics are on the decline.
Perpetrators are moving towards human-operated ransomware targeted at private companies, the healthcare and education sectors, critical infrastructure and governmental institutions. The shift in the attack paradigm indicates that ransomware operators choose their targets based on their financial capability to comply with higher ransom demands and their need to be able to resume their operations as quickly as possible.
Canada’s National Cyber Threat Assessment
In 2020, the Canadian Center for Cyber Security released its first National Cyber Threat Assessment where it assessed that the physical safety of Canadians is being put at risk because of growing OT attacks against the nation’s critical infrastructure.
The report states: “Since January 2019, at least seven ransomware variants have contained instructions to terminate ICS processes. The impact of these attacks on ICS varies according to the specific circumstances of the industrial process and the reaction of the site staff. In June 2020, a car manufacturer halted production at most of its North American plants, including one in Canada, 'to ensure safety' after very likely being hit by one of these ransomware variants.”
The Canadian cybersecurity agency also writes that ransomware operatives are engaged in big game hunting, focusing their activities on institutions like critical infrastructure organizations “that will not tolerate sustained disruptions to their networks and are willing to pay large ransoms to quickly restore their operations.”
A year later, the agency released a bulletin where it reasoned that “cybercriminals are almost certainly improving their capabilities, and are very likely to attempt to target high-value Canadian organizations with large OT assets, including those in CI, in search of larger ransom payments and valuable data.”
CISA, FBI, and NSA Issue a Joint Cybersecurity Advisory
In the beginning of 2022, CISA, FBI, and NSA released a joint cybersecurity advisory where they called on all U.S. critical infrastructure organizations to pay extra attention to risks posed by Russian state-sponsored cyber operations. Per the advisory, “Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware.”
The advisory provides an extensive inventory of the tactics and techniques employed by these Russian state-sponsored actors. Finally, the three agencies encourage all critical infrastructure organizations to implement certain recommendations to mitigate the threat. These recommendations include:
- Being prepared by confirming reporting processes and reviewing one's incident response plans.
- Enhancing one's security posture by implementing best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Increasing vigilance.
Critical infrastructure organizations can protect their OT systems by focusing on the security fundamentals. They can achieve that by investing in a security solution that empowers them to discover and profile all their industrial assets, monitor the status of their network and systems, harden those assets against plant disruptions, and conduct granular vulnerability assessments to gauge their OT cybersecurity on an ongoing basis. Learn how Tripwire can help.