Op-Ed: ICS/OT threat landscape – 2022 Year in Review

Compounding on previous years, we saw the discovery of new ICS-specific malware, new threat groups targeting industrial organisations, and adaptive adversary campaigns leveraging weaknesses in the industrial community’s defences. As a result, heightened attention is required to safeguard against disruptions in electric grids, oil pipelines, water systems, and manufacturing plants that can place human populations at risk.

Dragos Threat Intelligence tracks threat groups attempting to gain access to ICS and OT environments or conduct activity that can be used to facilitate future threats to industrial infrastructure. Our adversary hunters are currently tracking 20 ICS/OT threat groups, up from five threat groups in 2017.

Our intelligence is focused on the threat groups exploiting OT networks and ICS devices and the industries they’re targeting for that purpose. A cyber attack in OT requires an understanding of the ICS/OT environment; adversaries need knowledge of devices and systems and how they communicate and need to be able to use that knowledge to manipulate physical processes and create an impact.

Several threat groups developed new malware capabilities designed to execute attacks on industrial and critical infrastructure.

PIPEDREAM malware – First cross-industry attack framework

In April 2022, Dragos and a partner announced the discovery of PIPEDREAM, a cross-industry ICS attack framework developed by the threat group CHERNOVITE explicitly to attack industrial infrastructure. In collaboration with various partners, we identified and analysed PIPEDREAM’s capabilities. It is the seventh known ICS-specific malware and the fifth malware specifically developed to disrupt industrial processes.

Given the right operational conditions, PIPEDREAM could be used for destructive effects, but it was found before it was employed. Initially developed to compromise devices used in the electricity industry and oil and gas, PIPEDREAM represents a new evolution in malware development as the first cross-industry scalable ICS malware with disruptive capabilities, and it could easily be adapted for other industries.

Industroyer2

VIEW ALL

Industroyer2 is the sixth known ICS-specific malware. It exploits the International Electrotechnical Commission (IEC) IEC-104 protocol to control and communicate with industrial equipment causing disruptive effects. A trimmed-down variant of the CrashOverride malware used in a 2016 incident, it is the first time an ICS-specific malware has been reconfigured and redeployed in an electric utility environment.

Industrial infrastructure recon, initial access, C2 activity in 2022

Executing an impact on ICS can require extensive research and development. Adversaries often conduct reconnaissance to gain information and initial access to networks to execute a future attack on their ICS/OT targets. That takes time. Moreover, attacks on ICS/OT also do not require intent, so OT networks may be targets of opportunity. Even when an adversary accidentally stumbles onto an OT environment, there is still a risk to that environment.

In 2022, Dragos observed activity from multiple threat groups targeting industrial organisations globally for reconnaissance, initial access, and long-term persistence leveraging signature techniques and developing new capabilities and attack patterns.

Ransomware risk to industrial organisations

Last year, ransomware continued to pose financial and operational risks to industrial organisations. Of all the industrial sectors, ransomware groups targeted the manufacturing industry more than any other, nearly twice as much as the other industrial groups combined, with 72 per cent of attacks impacting manufacturers.

The manufacturing sector accounted for 72 per cent of attacks (437 ransomware attacks), food and beverage 9 per cent (52 ransomware attacks), energy 5 per cent (29 ransomware attacks), pharmaceuticals 4 per cent (27 ransomware attacks) and oil and gas 3 per cent (21 ransomware attacks).

The manufacturing sector is not only the hardest hit by ransomware attacks, but manufacturers are also often the least mature in their OT security defences. From Dragos services engagements in 2022, when we look across the manufacturing industry, 89 per cent of manufacturers have limited visibility over their networks and assets and are not able to detect threats in their environment. A full 82 per cent of the manufacturing industry has poor network segmentation, making it easy for ransomware adversaries to pivot to OT.

Finally, 82 per cent do not have secure remote connections, and 73 per cent are still sharing passwords. This is concerning when a disruption of only a few days can have a significant impact on manufacturers and can affect their bottom line. Not only that, but it can also have an impact on the manufacturing supply chain. In February 2022, Kojima Industries Corp, a supplier of Toyota’s plastic parts and electronic components, was the victim of a ransomware attack. When Kojima suspended operations, the just-in-time and Kanban of Toyota production systems resulted in the suspension of Toyota operations as well when they were unable to source the parts needed to continue.

Moves and changes in the ransomware space

The demise of Conti and the introduction of a new version of LockbBit, LockBit 3.0, Black Basta and several other ransomware groups targeting ICS/OT restructured the ransomware industry in 2022. Despite leading with 58 attacks in the early part of 2022, Conti shut down operations in May after declaring alignment with the Russian Federation. LockBit quickly took up the mantle, with its activity accounting for 169 incidents or 28 per cent of ransomware attacks.

The launch of LockBit 3.0 encouraged growth in ransomware, reducing the barriers to entry for any adversary to participate in LockBit 3.0 affiliate enterprises. Making matters worse, the builder used to develop LockBit 3.0 was leaked online, making it easier for even unskilled adversaries to start up their own ransomware groups. Dragos observed activity targeting industrial organisations from 39 different ransomware groups in 2022, and there is the potential for the field to get even more crowded this year.

ICS/OT threat landscape takeaways

PIPEDREAM brings forward a new extensible and modular OT-focused malware framework that advances attack philosophies first showcased with CrashOverride and TRISIS. CHERNOVITE presents a concerning threat to all ICS organisations. Dragos-tracked threat groups continue to target ICS/OT entities with both existing and new capabilities. BENTONITE has exhibited stage-one capability and has shown evidence of OT data exfiltration from oil and gas and manufacturing targets.

Manufacturing is the standout sector bearing the burden of ransomware attacks, and all manufacturing organisations should factor in ransomware threats to their threat models. Dragos recommends five critical controls for OT cyber security identified by the SANS Institute for a baseline framework to help defend against adversary activity directed at ICS/OT environments.

One way to achieve organisational alignment on implementing the critical controls is to tie the effort back to real-world scenarios involving newly discovered ICS-specific malware and known OT threat group behaviours.

Seth Enoka is a senior principal incident response consultant at Dragos.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.