Get in Touch!

Need more information? Contact us at [email protected]

When controls for physical equipment connect to broader computer networks, the digital attack surface expands, allowing cyberattackers to penetrate industrial organizations in new ways. As a result, breaches are more frequent.

Nearly 9 in 10 organizations using ICS indicate they have experienced a breach in those systems, with nearly 6 in 10 breached in the past year.

Many of those organizations are adding to their risk by allowing partners as well as IT networks a high level of access into their OT systems.

The following are representative examples of how OT environments are attacked and the ensuing damage:

  • German Steel Mill Suffers Massive Damage to Equipment

    According to a German government report, a 2014 cyberattack in a German steel mill began when an employee opened a spearphishing email and clicked on a link. Malware downloaded and allowed an attacker to enter the plant’s business network and eventually move to the OT systems controlling the plant. Details about tactics used were not specified. Once in the OT environment, the attacker compromised a “multitude” of systems, showing expertise in industrial controls. “Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner,” resulting in “massive damage to the system.” Neither attacker nor motive has been discovered to date.

    Malware Shuts Down Operations in Major Businesses Globally

    In June of 2017, allegedly state-sponsored malware known as NotPetya appeared in Ukraine and raced within hours to countless machines around the world, destroying master boot records in IT systems. It used a Windows vulnerability that many firms had not patched and combined that exploit with one that retrieved credentials out of system memory to break into other, adjacent systems. Together, the two techniques created “the fastest propagating piece of malware we’ve ever seen,” a security researcher told WIRED magazine.19 Before NotPetya was done, it had caused OT shutdowns in a prominent global shipping firm and pharma firm, among others, and triggered an estimated $10 billion in total damage.

  • Trail of Vulnerabilities Leads Attackers to Water Company’s Controls

    Administrators at an unnamed water utility noticed there had been unexplained valve and duct movements in its OT environment over the previous 60 days. A Verizon Breach Digest Report called the organization the “Kemuri Water Company” (KWC), and a Verizon team began an investigation.

    KWC supplies water to several counties, and some of its PLCs regulate chemicals that make the water safe to drink. They had been manipulated, disrupting flow rate and water service. What exactly had happened? Verizon researchers found a trail of vulnerabilities providing clues: There were IP addresses in KWC’s web application server log that had previously been involved in attacks on other organizations investigated by the Verizon team. KWC had a web-based payment application that did not require two-factor authentication. And from the web application server, a cable ran to an AS400 system that managed the OT environment. On the web server, investigators found an initialization (INI) file in KWC’s payment application that contained the internal IP address and administrative credentials for the AS400 system in clear text. That meant unauthorized access to the payment application could lead directly to sensitive information on the AS400.

Table: Example of Disclosed CyberAttacks | Source: A Solution Guide to Operational Cybersecurity

Key Takeaways from OT Cyberattacks:

  • Because OT has been traditionally isolated, security is not top of mind, thus basic security hygiene is not implemented within many OT environments. Safety and security must be systemic within an organization to help best-practice adoption.
  • The cultural gap between IT and OT generates safety and security risks within organizations. In particular, organizations where OT and IT are divided are more susceptible to successful cyberattacks.
  • Segmentation is not commonplace within OT environments and thus the lack of segmentation is the most exploited vulnerability, in particular inadequate segmentation between IT and OT networks. In addition, IT malware (e.g., ransomware and worms) are making their way into OT systems and are traversing laterally, as no real segmentation is in place to slow their spread.
  • Attackers are gaining expertise in OT sabotage. They are developing, selling, and buying specialized toolsets designed to penetrate OT protocols and equipment.
  • Nation-states are the biggest threat actors and have demonstrated an ability to inflict global damage.
  • Spear phishing, compromised endpoints, and stolen credentials are a common attack vector. This underlines the value of two-factor authentication, employee security education, and continuous system monitoring for indicators of compromise (IOCs).
Need Help Securing Your OT Environment?

Let’s get in Touch! Contact us now