Among the cyber-related stories that made the airwaves in 2021 were significant examples of cyber insecurity within the industrial community. There was an attack against a city’s water treatment facility that aimed to poison drinking water. There was a ransomware offensive against a large pipeline operator that tangled gas supplies in the southeastern U.S. for days. And among other events — many the public never learned — there was a Bitcoin ransomware plot against one of the world’s largest beef suppliers, which has facilities in this country.
For all of the industrial community’s many achievements, its cybersecurity challenges raise considerable concerns not just for a single company or market, but for daily life in the U.S. And so with that in mind Dragos, which helps industrial firms protect their cyber infrastructure, has released its fifth annual Year in Review.
The report offers observations on cyber threats, vulnerabilities, assessments, and incident responses related to Industrial Control Systems (ICS) and Operational Technology (OT). The purpose of the report is to offer context (what the study calls “ground-truth reality”) around the sensational stories, so the industry can better understand and respond to threats.
Four Key Findings
We can start with a few statistics on what 2021 looked like across the industrial sectors Dragos examined. Those included electric, oil and gas, food and agriculture, manufacturing, chemical, transportation, nuclear, water and wastewater, technology (i.e., data center building automation equipment), and mining entities.
According to the report, there is room to improve cybersecurity readiness. Dragos broke the problems down into four main categories.
- Limited or No Network Visibility: 86% of organizations (including 90% in the manufacturing sector) had limited or no visibility into their networks, making it tough to notice and remediate cyber threats.
- Poor Security Perimeters: 77% of Dragos service engagements involved problems with network segmentation, meaning that OT infrastructure wasn’t kept isolated the way it should be.
- External Connections to the ICS Environment: 70% of organizations (including 100% of food and beverage and 77% of oil and gas entities) remotely connected their OTs to external information technology (IT) networks, the internet, or original equipment manufacturers (OEMs) — a more than two-fold increase from 2020.
- Same IT & OT User Management: 44% of Dragos service engagements found shared security credentials between an organization’s IT and OT networks, which makes it easier for hackers to gain a foothold into both systems.
There were twice as many common vulnerabilities and exposures (CVEs) published last year than in 2020, and Dragos reported three new “threat activity groups” actively targeting the ICS/OT space: KOSTOVITE, PETROVITE and ERYTHRITE.
“In many industrial sector compromises,” the report explained, “weak boundaries between OT and IT, and poorly understood interactions between these systems, coupled with the rise in remote access (as more organizations rely on their work-from-home staff), have increased the overall risk.”
Ransomware was the single largest cause for concern. The manufacturing sector accounted for 65% of industrial ransomware attacks — and that’s an especially troubling trend, according to the study, because the manufacturing sector is “often the least mature in their OT security defenses.”
5 Security Controls Recommended
The new edition of Year in Review offers five specific recommendations for organizations that need to harden the security of their industrial OT, carefully chosen to offer maximum impact.
- ONE: A Defensible Architecture — Leverage traditional tools and concepts (e.g., strong segmentation, firewalls, or software-defined networks), and allow humans to step in and defend the system as needed.
- TWO: ICS Network Monitoring — Ensure that the organization can monitor lateral traffic inside its ICS network, and understand the network’s protocols and how they’re affected.
- THREE: Remote Access Authentication — Require multi-factor authentication (MFA) or similar security approaches, and focus on the network’s connections to the external world (not connections within the system itself).
- FOUR: Key Vulnerability Management — Prioritize vulnerabilities that bridge IT and OT systems (rather than vulnerabilities that lie deep in the OT network itself), and focus remediation efforts on those concerns.
- FIVE: ICS Incident Response Plan (IRP) — Have a dedicated incident response plan (IRP) for the company’s ICS/OT environments, and regularly exercise the plan with cross-disciplinary teams (e.g., IT, OT, and executives).
Because not all vulnerabilities are created equal, the Year in Review assesses their various impacts, weighs the effectiveness of current assessment tools, and offers suggestions for tackling 2022 vulnerabilities — among other guidance and statistics.