Professional Documents
Culture Documents
Anatomy of 100+
Cybersecurity Incidents
in Industrial Operations:
A Research Study With Recommendations
For Strengthening Defenses in OT/ICS
Sponsored by
Understanding OT Implications........................................................................ 10
Acknowledgements ........................................................................................ 33
The result was the most monumental non-nuclear explosion and fire ever seen from space.
Sources:
Thomas C. Reed, former secretary of the Air Force and special assistant to President Reagan, At the Abyss: An Insider’s History of the Cold War.
Additional news source: https://www.wired.com/2004/03/soviets-burned-by-cia-hackers/
Aiming to disrupt
Phishing
Most attacks on OT/ICS systems aim to disrupt operations using
a variety of tools and techniques, from phishing to ransomware to Phishing is the most popular attack technique.
lateral tool transfer and exploitation of remote services.
Key Findings
OT/ICS security incidents are increasing in frequency
2011-2020
69
Rockwell Automation finds:
In the U.S. and across Europe, there’s a rising regulatory
focus on OT cybersecurity, especially for industries
in Critical Infrastructure sectors. Greater regulatory 2021-2022*
oversight means that industrial organizations should
evaluate their current cybersecurity protections and
12
any potential gaps, to help them add more proactive
protections that will better secure their operations
against cyberattacks.
0 10 20 30 40 50 60 70 80
Source2: Reported Data Breaches in the US Reach Near Record Highs
RESEARCH REPORT ANATOMY OF CYBERSECURITY INCIDENTS IN OT 9
Figure 2 & 3
Key Findings
• 60% of the OT/ICS incidents analyzed resulted
in operational disruption.
60%
• Broader supply chains are also impacted
approximately 65% of the time. A Japanese
auto manufacturer suspended operations on
28 production lines across 14 plants, for at
least a day after a key supply chain partner,
a plastic parts and electronic components OT/ICS technologies hit
manufacturer, was hit by a suspected
cyberattack.4 Supervisory control and Data Acquisition (SCADA) 49
recommends:
Remote terminal unit (RTU) 10
In a world where it’s impossible to eliminate all
cybersecurity risks, a proactive approach to critical
infrastructure incident response is crucial to protect the
operational continuity of essential systems and services. Camera or surveillance system 4
Rapid, well-orchestrated incident response capabilities
are a must-have for bolstering resilience amidst today’s
most pressing threats.
Other (describe in detail) 3
Key Findings
• Within this data set, the Energy sector
recorded three times as many incidents as
the next closest vertical. As is well reported,
the potential for high impact creates greater
Critical Infrastructure Sectors Impacted
opportunities for both ransomware payouts
and for adversarial nation-state goals. OT/ICS industry sectors attacked
However power plants, substations and related
infrastructure are also aging, with many built 39%
Energy
up to 50 years ago. Older infrastructure wasn’t
built to leverage modern security controls. Critical Manufacturing* 11%
Key Findings
• More than 80% of events started with an
IT system compromise. This is attributed
to increasing interconnectivity; most OT
networks communicate with the outside
IT Dominates Initial Point of Entry
world via an IT network. In addition, attackers
increasingly leverage internet-facing systems Initial point of entry
such as human-machine interfaces (HMIs) and
engineering workstation applications, which “With stricter requirements
are prime targets.
for reporting OT
• This underscores the importance of proper cybersecurity incidents in
network architecture to support enterprise IT the future, we can expect to
security in this era of rising industrial 84% gain invaluable insight into
connectivity. If you don’t set up networks the number and severity
properly, keep OT networks segmented and
of attacks, as well as the
air-gapped, along with other best practices
such as ongoing employee security awareness tactics and defenses used.”
training - the potential for attack increases. - Mark Cristiano, Commercial Director, Global
Cybersecurity Services,
Rockwell Automation
OT
14%
Rockwell Automation
recommends:
As our understanding evolves, so too does the need
for stronger OT security protections. Putting in a
firewall between IT and OT environments is no longer
enough to properly separate IT from OT to protect Unsure
against attacks. Same goes for remote access. There 2%
are standard practices, such as passwords, that are
being thwarted regularly by attackers. Without greater
protection, endpoints will contribute to infiltration.
Additional counter-measures must be considered, to
include a well-defined Incident Response plan that can
help your organization quickly respond and recover from 0 20 40 60 80 100
cybersecurity incidents.
Key Findings
• More than 80% of attackers come from
outside the organization.
Third Party 2%
1%
A Few Definitions: Ext+Int
Key Findings
• The percentage of attacks attributed to nation-
state affiliated groups is higher than in other
studies, at nearly 60% of all attacks in this
sample. In other research, the Cyentia Institute
Digging Deeper into Attack Personas
has found just over 1% of cyberattack events are
attributable to nation-state actors. Threat actor types
Activist group 4%
Countries of Origin:
Globally, the countries of origin included in Cyentia’s Employee or contractor 6%
Advisen OT research study are the following:
Australia, Belarus, Canada, China, Finland, France,
Germany, Great Britain, India, Iran, Iraq, Ireland, Israel,
Italy, Japan, Liberia, Lithuania, Luxembourg, Russia,
Saudi Arabia, Sweden, Switzerland, Taiwan, Türkiye, 3rd party firm (as direct threat actor) 4%
Ukraine, the United States.
0 10 20 30 40 50 60
Key Findings
• Phishing reigns as the easiest, most
successful initial access (attack) technique.
Phishing has grown to include email,
online, SMS/text messaging and voice/
Spear Phishing Tops Access Techniques
telephony, making it a powerful weapon for
cybercriminals. Initial access techniques for OT incidents
a target. The use of up to real-time network Remote Services 11% Remote services involves adversaries using
valid accounts to log into a service that accepts
asset inventories, 24/7 threat detection, and remote connections to perform actions as a
appropriate policies and procedures around Supply Chain Compromise 8% logged-in user.
removable media – among other best practices External remote services involves adversaries
- can help prevent an IT attack from migrating Internet Accessible Device 5% leveraging external remote services to access
your network and connect to internal network
to OT, with the potential to shut down an resources through VPNs, Citrix and other access
organization’s supply chain, processes, or even Exploitation of Remote Services 3% mechanisms.
Rockwell Automation
Exploitation of Public-Facing Application 2% execute adversary-controlled code.
Key Findings
• According to MITRE, “ATT&CK for ICS focuses
on adversaries who have a primary goal of
disrupting an industrial control process, Once Inside, OT Attackers Aim to Control & Disrupt
destroying property or causing temporary
or permanent harm or death to humans by
attacking industrial control systems.” Post-compromise MITRE ATT&CK techniques
• In OT, attackers most often attempt to directly Exploitation of Remote Services 58%
impact industrial processes. Many seek to
disrupt operations for monetary gains, such
as ransom payments, or for other outcomes Standard Application Layer Protocol 55%
involving economic or militaristic advantages.
The number of U.S.-based threat actors 52%
Remote System Information Discovery
attacking industrial organizations grew by 35%
in 2022, driving an 87% increase in breaches
over the same period.6 User Execution 48%
• Attackers use Lateral Tool Transfers,
Exploitation of Remote Services and Standard 45%
Default Credentials
Application Layer Protocols to manipulate
an operator’s view, and in many cases, take
control over specific OT processes. Native API 42%
0 10 20 30 40 50 60
Source6: ICS Cybersecurity Year in Review Executive Summary 2022
RESEARCH REPORT ANATOMY OF CYBERSECURITY INCIDENTS IN OT 25
Figure 10
Key Findings
Data exfiltration tops enterprise impacts
When attacks happen that disrupt business, Additional Attack Implications
the impacts are widely felt. It doesn’t take a
WannaCry-style incident for organizations to be Post-compromise MITRE ATT&CK techniques
negatively impacted.
Two other attack types, ‘Data Encrypted for Service Stop 11%
Impact’ and ‘Data Destruction Techniques,’ round
out the top three ways that cyberattacks impact
enterprises. Taken together, the top three MITRE Inhibit System Recovery 11%
ATT&CK techniques shown in the chart are most
commonly associated with ransomware attacks. System Shutdown/Reboot 8%
This becomes clearer when looking at the impact
on ICS designations. Endpoint Denial of Service 3%
Scheduled Transfer 2%
Automated Exfiltration 2%
0 5 10 15 20 25
Key Findings
ICS impacts: control, then disrupt
Denial of View 3%
Denial of Control 3%
0 10 20 30 40 50
Recommendations Requirements
Governments around the globe are
compelling public and private sector entities
to disclose cybersecurity incidents, data
This report has examined a selection of Advisen’s Cybersecurity Industrial organizations must prioritize safety and reliability to
Loss Database to better understand patterns around historical protect against cyberattacks - and do so quickly. With risks and theft, and ransom payments to reverse
OT/ICS cybersecurity incidents. Our goal has been to gain a better reporting mandates growing, a paradigm shift must occur. For chronic underreporting of cybercrimes, and
understanding of where we’ve been, and more importantly, to example, many industrial organizations are often reluctant to to help mitigate risks.
better forecast where attacks in this category are headed and the update firmware when there are announcements of a critical
level of defenses that will be needed in the years ahead. vulnerability. They may even be told not to patch, as updates take U.S. companies operating in Critical
systems offline and have the potential to disrupt supply chains. Yet Infrastructure sectors must now report
With more systems, networks and devices being connected in the risk to OT infrastructure can be so much worse. breaches, under the Cyber Incident
OT/ICS environments, as well as the legacy equipment housed in Reporting for Critical Infrastructure Act of
most industrial environments, many organizations are exposing Today, relatively efficient solutions are possible for OT/ICS 2022 (CIRCIA), instead of being encouraged
new vulnerabilities to sophisticated adversaries. Having a strong, cybersecurity. Minutes matter and seconds count, so start today. to do so voluntarily.
modern OT/ICS security program in place must be a part of every Rockwell Automation and our network of world-class partners
industrial organization’s responsibility to maintain safe, secure are ready to advise you. This strengthening of reporting
operations and ongoing availability. requirements is a global trend. In the
E.U., the Directive on Security Network
and Information Systems – along with a
host of other regulations – mandate that
Critical Infrastructure providers report
breaches. On a global scale, the United
Tips and advice Nations is discussing the parameters of an
international treaty focused on individual
To get started strengthening OT cybersecurity: data protection as well as cyber resilience.
• Focus on defense-in-depth, including pulling from structures • Segment IT and OT to make the most of firewall configurations
that will help you keep IT attacks from bleeding into OT As threats increase, we expect to see
such as Zero Trust and the NIST Cybersecurity Framework.
environments. increasing pressure on regulators to issue
• Secure remote access, through stronger passwords and more rules about disclosure and cyber risk
multifactor authentication. • Continuously train your internal staff to keep up with the latest mitigation.
phishing scams and how to avoid them.
• Monitor for threats 24/7. Sources:
CIRCIA https://www.cisa.gov/circia
E.U. regulation, https://digital-strategy.ec.europa.eu/en/policies/
nis2-directive
Additional regulations: https://www.enisa.europa.eu/topics/
incident-reporting
U.N., https://unric.org/en/a-un-treaty-on-cybercrime-en-route/
REACH OUT TO TALK TO AN EXPERT TODAY WATCH OUR WEBINAR TO LEARN MORE ABOUT THIS RESEARCH STUDY
RESEARCH REPORT
RESEARCH REPORT ANATOMY OF CYBERSECURITY INCIDENTS IN OT 33
In partnership with
RESEARCH REPORT