Critical infrastructure saw increased cyber threats in 2023, backed by a surge in global tensions, where chaos often provides more opportunity and cover for cyber criminals. This is also not a one-off trend, as 2022 saw a huge increase compared to 2021, according to an annual report by Dragos, an industrial cybersecurity technology provider.
Global conflicts in Ukraine and the Middle East are breeding grounds for malware, specifically targeting Ukrainian critical infrastructure, and pro-Israeli and pro-Hamas hacktivists have targeted infrastructure as well, according to Dragos. While malware and hacktivists still pose a significant threat, ransomware remains the primary concern for industrial organizations worldwide.
To track these threat groups and their cyber activity, Dragos released the OT Cybersecurity: the 2023 Year in Review. The report, started in 2017, is intended to provide insights for “leaders, defenders and operators on the OT cybersecurity landscape to help them secure our critical infrastructure,” says Markus Mueller, principal industrial consultant at Dragos. The 2023 report dove deeper into more up-to-date data and perspectives from the field.
“With the 2023 report, we were able to dig deeper into the data set from our service engagements, incident response cases, and our visibility from Neighborhood Keeper and OT Watch to provide more in-depth insights,” Mueller says. “For example, in the 2022 report, we stated that 50% of services engagements identified issues with network segmentation. In the 2023 report, we stated that Dragos issued findings on segmentation issues or improperly configured firewalls in 28% of our engagements in 2023, but we also provided per-sector insights showing this was the case in 58% of all manufacturing engagements.”
Neighborhood Keeper is a free, opt-in, anonymized information-sharing network available to all Dragos Platform customers. It is led by Dragos in partnership with the Department of Energy, making industrial control system (ICS) visibility and cyber threat analytics accessible. The Dragos OT Watch team identifies adversaries operating within customer networks and provides actionable guidance.
For its report, Dragos’ software platform gives the company visibility and insight into cybersecurity data, and its threat intelligence teams research vulnerabilities, track adversaries impacting operational technology and assess that along with data. “Dragos Intel uses tried-and-true threat intelligence hunting and analysis methods to identify adversary behavior, including initial intrusion and post-compromise techniques and procedures, and then pivot off those findings to build further context around the adversary and their assessed objectives,” says Paul Lukoskie, director of intel at Dragos.
Vulnerability reporting and advisories are rising sharply, but this reflects increased reporting rather than an increase in the number of vulnerabilities. “New vendors are standing up product CERT/PSIRT teams each year, meaning that more vendors provide security advisories. In addition, more researchers each year get involved in vulnerability research with an industrial impact. Additionally, vendors are under increasing pressure to provide advisories for their products when their products incorporate vulnerable third-party libraries. These factors all add up to increase the number of advisories,” says Reid Wightman, technical lead, vulnerability research at Dragos.
Threats, particularly to industrial infrastructure, are also increasing, due in part to global conflict and the development of advanced threat capabilities. “Kinetic events such as warfare introduce a tremendous amount of chaos into the global ecosystem, which provides a lot of top cover for adversaries to conduct cyberattack operations. Further, more advanced threats capable of deploying destructive malware can use the physical chaos from warfare to damage critical infrastructure in conflict areas. This is evident by the recent advanced cyber operations of Dragos-tracked threat groups ELECTRUM and KAMACITE in relation to the Russo-Ukraine conflict,” Lukoskie says.
Cybersecurity threat groups and ransomware
Overall, Dragos tracked 21 threat groups targeting industrial organizations, including 10 active groups and three new threat groups for 2023. Most adversaries do not publicly disclose their operations, capabilities or teams. “Hacktivists are the outlier, but Hacktivists are primarily interested in garnering public attention by conducting highly visible attacks, such as website defacements or denial of service, and then posting about it on social media outlets,” Lukoskie says. “Right now, the Dragos-tracked threat group most concerning to the United States and our way of life is VOLTZITE, which overlaps with the publicly-reported threat group Volt Typhoon. VOLTZITE is of great concern for the United States because it strategically targets critical infrastructure entities.”
Ransomware still poses the greatest threat to industrial organizations. 2023 saw a 50% increase in ransomware attacks, which Dragos says is part of a long-term trend. In 2022, Dragos reported an 87% increase from 2021.
“The convergence between IT and OT networks and digitization of the OT environment introduces several downstream operational impacts arising from ransomware attacks within the IT environment. Impacts on business-critical systems within the IT environment can cause industrial organizations to pull OT assets offline while the ransomware situation is addressed. It is plausible to suggest that ransomware adversaries know this and believe that industrial organizations are more likely to pay the ransom,” Lukoskie says.
Dragos observed 50 active ransomware groups impacting industrial organizations in 2023, a 23% increase over the previous year. The report also tracked 905 reported ransomware incidents for 2023. Hundreds of ransomware variants exist, including LockBit, ALPHV, Hunters International, Rhysida and NoEscape, just to name a few. According to the report, LockBit ransomware was the most used variant against industrial organizations last year, comprising 25% of the total attacks.
Overall, cyber criminals are also more agile, with access to more resources. This also means access for smaller players, and as-a-service business models have expanded access for cyber criminals. LockBit, like many ransomware groups, operates as a ransomware-as-a-service provider. In the as-a-service business model, ransomware purveyors rent access to their proprietary ransomware infrastructure, creating a low-barrier-of-entry option for less-skilled, smaller operations.
“Ransomware operations don't need to rely on command-and-control infrastructure as much as they did in the past. Ransomware-as-a-service operators often work with initial access brokers (IABs) to deploy ransomware opportunistically,” Lukoskie says. This ever-changing landscape means that established security measures may not always be enough for defending against ransomware attacks without constant updates.
“The best method is consistent training and ensuring employees are aware of phishing tactics and can identify them and notify security teams. Companies can use other techniques to better defend against ransomware attacks, including access controls, application allow listing, and applying the 5 Critical Controls for ICS/OT security where appropriate,” Lukoskie says.
Ransomware is a global problem, but the Dragos report says the majority of attacks (44%) take place in North America, compared to just 32% in Europe. The most common sector impacted in 2023 was manufacturing (71%, 638 incidents). Industrial control system manufacturers and those that develop OT equipment and applications were the second most impacted sector (13%).
“Dragos observed a wide range of impacts from incidents in 2023, including loss of view and control of industrial systems, as well as operations being impacted by an IT system compromise,” Mueller says. The majority of industrial ransomware cases originated within the IT environment, indicating the importance of network segmentation. “The ability of organizations to segment their IT and OT environments indicates how vulnerable an organization is to this type of spread,” Mueller adds.
“Most industrial products, especially embedded industrial products (specialized controllers, programmable logic controllers, and other industrial-hardened networked equipment) should be considered insecure-by-design,” Wightman says.
Dragos sees many unpatched systems in its data, Wightman says, because patching is difficult for many end users. “However, even when a product is up to date and fully patched, it may have design flaws, which still put it at risk to attacks,” he adds. “These reasons both lend to why network segmentation is so important for OT systems.”
2023 Dragos report highlights: 5 actions to protect OT equipment
1. Assess external infrastructure for critical systems
This includes identifying your organization’s internet-routable netblocks and IP space, including those set up by contractors or vendors. Scan that public address space from the outside and confirm that critical assets, and any assets connected to a process environment, are not discoverable from the internet. “Asset owners need to understand their attack surface and take steps to secure these devices. This means deploying technology to enable the secure and safe operation of these systems,” Mueller says.
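The inventory check this step describes can be automated. The following is an added example, not code from Dragos or the report: it compares a constructed asset inventory against the netblocks the organization has declared as its own and flags two things a scan should then confirm, process-connected assets on routable addresses and routable addresses that fall outside any declared netblock (a contractor range nobody recorded). The RFC 5737 documentation ranges stand in for real public space; the asset names, addresses and the `process_connected` flag are all constructed.

```python
import ipaddress

# Constructed: address ranges the organization treats as internal (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: internet-routable netblocks the organization and its contractors
# have declared. RFC 5737 documentation ranges stand in for real address space.
DECLARED_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # corporate edge
    ipaddress.ip_network("198.51.100.0/25"),  # contractor-managed
]

# Constructed asset inventory; process_connected marks assets in, or bridging
# into, the process (OT) environment.
ASSETS = [
    {"name": "hmi-01",     "ip": "10.20.30.5",    "process_connected": True},
    {"name": "historian",  "ip": "203.0.113.40",  "process_connected": True},
    {"name": "vpn-gw",     "ip": "203.0.113.1",   "process_connected": False},
    {"name": "vendor-rtu", "ip": "198.51.100.77", "process_connected": True},
    {"name": "corp-web",   "ip": "192.0.2.10",    "process_connected": False},
]


def classify_address(ip):
    """Return 'internal', 'declared_public' or 'undeclared_public'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in DECLARED_NETBLOCKS):
        return "declared_public"
    return "undeclared_public"


def exposed_process_assets(assets):
    """Process-connected assets on routable addresses. These are the ones to
    verify from the outside: they should not answer an internet scan at all."""
    return [a["name"] for a in assets
            if a["process_connected"] and classify_address(a["ip"]) != "internal"]


def undeclared_public_assets(assets):
    """Routable addresses outside every declared netblock: the netblock
    inventory itself is incomplete and the external scan would miss them."""
    return [a["name"] for a in assets
            if classify_address(a["ip"]) == "undeclared_public"]


if __name__ == "__main__":
    print("process-connected and routable:", exposed_process_assets(ASSETS))
    print("routable but outside declared netblocks:", undeclared_public_assets(ASSETS))
```

The check deliberately uses an explicit RFC 1918 list rather than `ipaddress`'s `is_private`, because that property also treats the documentation and benchmarking ranges as private, which would hide exactly the kind of forgotten vendor range this step is meant to surface.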
2. Network segmentation
This means separating devices with network and host-based firewalls by function: not just systems from the internet, but systems from each other and from critical processes. “Network segmentation is often the foundation of a defensible architecture, one of the Five ICS Cybersecurity Critical Controls. Understanding how systems and critical processes function and deploying network segmentation in line with this understanding results in a network that enables defenders. The first focus area should be to segment the IT and OT networks,” Mueller says. “The Five ICS Cybersecurity Critical Controls” was published by the SANS Institute, co-authored by Dragos CEO Robert M. Lee and Tim Conway from SANS.
3. Restricting and monitoring outbound communication
This includes evaluating default routes, gateways and firewall rules to external networks and proxy configurations. The Dragos report said that in 2023, several adversaries leveraged communication to external networks for command-and-control communication, allowing exfiltration of data and remote control of network assets.
“Often, traffic control is the next natural step once some level of segmentation is in place. Restricting traffic from and into an OT environment to only what is needed is recommended. Monitoring of traffic is often missed. Dwell times for adversaries within OT environments allow defenders to detect these activities and take remedial action,” Mueller says.
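Steps 2 and 3 fit together: once an OT segment exists, its outbound traffic can be reduced to an explicit allow list and the remainder monitored. The block below is an added example and not code from Dragos or the report. It encodes a constructed segmentation model (one OT subnet, three permitted IT/DMZ destinations), parses a constructed firewall log in a made-up format, and reports two things: accepted OT flows that are not on the allow list (the rule set is wider than the policy) and any OT-originated attempt, accepted or dropped, to reach a non-internal address (the command-and-control pattern the report describes). The subnets, destinations, log format and log lines are all assumptions.

```python
import ipaddress
import re

# Constructed segmentation model: the OT segment and the few IT/DMZ services it
# is permitted to reach. Anything else outbound from OT is a policy gap.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
OT_EGRESS_ALLOW = [  # (destination, port)
    (ipaddress.ip_network("10.10.5.20/32"), 443),   # historian relay in the IT DMZ
    (ipaddress.ip_network("10.10.5.53/32"), 53),    # internal DNS
    (ipaddress.ip_network("10.10.5.123/32"), 123),  # internal NTP
]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log format, not any vendor's real syntax.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$")

# Constructed sample log lines.
SAMPLE_LOG = """\
2023-11-02T03:14:07Z action=ACCEPT src=10.50.1.10:51234 dst=10.10.5.20:443 proto=tcp
2023-11-02T03:14:09Z action=ACCEPT src=10.50.1.10:51235 dst=10.10.5.53:53 proto=udp
2023-11-02T03:15:01Z action=ACCEPT src=10.50.2.7:49152 dst=203.0.113.9:443 proto=tcp
2023-11-02T03:15:02Z action=DROP src=10.50.2.7:49153 dst=203.0.113.9:8443 proto=tcp
2023-11-02T03:16:30Z action=ACCEPT src=10.10.7.4:40000 dst=198.51.100.4:443 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(addr, nets):
    return any(addr in n for n in nets)


def allowed_egress(dst, dport):
    return any(dst in net and dport == port for net, port in OT_EGRESS_ALLOW)


def policy_gaps(log_text):
    """ACCEPTed flows from OT to destinations not on the allow list. DROPs are
    already enforced; ACCEPTs are where the firewall is wider than the policy."""
    gaps = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["action"] == "ACCEPT" and in_any(rec["src"], OT_SEGMENTS)
                and not allowed_egress(rec["dst"], rec["dport"])):
            gaps.append((str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return gaps


def ot_to_external_attempts(log_text):
    """Every OT-originated flow (accepted or dropped) toward non-internal space.
    A dropped attempt is still a detection signal: an OT host has no reason to
    try to reach the internet, so the attempt itself deserves investigation."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and in_any(rec["src"], OT_SEGMENTS) and not in_any(rec["dst"], INTERNAL_NETS):
            hits.append((str(rec["src"]), str(rec["dst"]), rec["dport"], rec["action"]))
    return hits


if __name__ == "__main__":
    for gap in policy_gaps(SAMPLE_LOG):
        print("policy gap (accepted, not allow-listed):", gap)
    for hit in ot_to_external_attempts(SAMPLE_LOG):
        print("OT host reaching external address:", hit)
```

Run against the sample, the third line is reported as a policy gap (an accepted OT flow to an external address) while the fourth, a drop, is not a gap but still appears in the external-attempt list; the fifth line originates in IT and is ignored by both checks. The second function is the monitoring piece Mueller says is often missed: the firewall doing its job produces no alert on its own.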
4. Assess standard guidance
As adversary techniques shift, so must an industrial organization’s defensive architecture. Understanding the attack surface is what allows defenders to prioritize a response and to identify adversaries within the network; even where that understanding is incomplete, defenders can still hunt for evidence of intrusion.
“Standards can be a great guide for developing an OT cybersecurity program. Dragos recommends following standards during many of its engagements. Many teams struggle to pick which standards to follow, how to implement them, and how to structure a program to support the organization's overall goals,” Mueller says.
5. Reduce the risk of vulnerable equipment used in OT processes
It’s important to reduce risk in a systemic way. In 2023, Dragos wrote mitigation guidance for 531 OT-related advisories. Vulnerability advisories provide information on Common Vulnerabilities and Exposures (CVEs) in hardware and software, which Dragos analyzes and prioritizes for asset owners. The report also noted that the difference between IT and OT environments is pronounced when assessing vulnerabilities, driven by the types of devices, systems and protocols used within OT environments, the network architecture of typical OT networks, and the impact vulnerabilities can have on normal operations. OT vulnerabilities should therefore be mitigated differently from IT vulnerabilities.
“Defenders should follow a risk-based approach to vulnerability management, which should result in focusing resources on addressing the risks most likely to cause the most impact. Dragos categorizes vulnerabilities using the Computer Emergency Response Coordination Center's (CERT/CC) Now, Next, Never methodology. Dragos found that only 3% of vulnerabilities analyzed in 2023 fell into the Now category. Addressing these vulnerabilities does not always mean patching. It often can be remedied by isolation, monitoring, and hardening,” Mueller says.
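To make the Now/Next/Never idea concrete, the following added example (not code from Dragos, CERT/CC or the report) buckets a set of constructed advisories and attaches the mitigation each bucket implies, where patching is one option alongside isolation, monitoring and hardening. The bucketing rules are a hypothetical simplification written for this example; the real methodology weighs more factors than the five attributes modelled here, and the `ADV-000n` references are placeholders rather than CVE identifiers.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ref: str                   # placeholder reference, not a real CVE id
    network_exploitable: bool  # reachable over the network, no local access needed
    perimeter_facing: bool     # affected asset sits at an IT/OT or external boundary
    exploit_public: bool       # working exploit code is publicly available
    impact: str                # "loss_of_control", "loss_of_view" or "none"
    patch_available: bool


def bucket(adv):
    """Hypothetical Now/Next/Never rules (an assumption for this example).
    Now: network-exploitable at a boundary with a public exploit or loss of
    control; Never: no operational impact or not reachable over the network;
    everything else: Next."""
    if adv.impact == "none" or not adv.network_exploitable:
        return "never"
    if adv.perimeter_facing and (adv.exploit_public or adv.impact == "loss_of_control"):
        return "now"
    return "next"


def mitigations(adv):
    """Actions for the bucket; a patch is only one of them and may not exist."""
    b = bucket(adv)
    if b == "never":
        return ["track"]
    actions = ["monitor"]  # watch for exploitation attempts in every live bucket
    if b == "now":
        # Reduce exposure first: a patch may be unavailable or need an outage window.
        actions += ["isolate", "harden"]
    if adv.patch_available:
        actions.append("patch" if b == "now" else "patch_next_window")
    return actions


# Constructed advisories covering each bucket.
SAMPLE = [
    Advisory("ADV-0001", True, True, True, "loss_of_control", False),
    Advisory("ADV-0002", True, False, False, "loss_of_view", True),
    Advisory("ADV-0003", False, True, True, "loss_of_control", True),
    Advisory("ADV-0004", True, True, False, "loss_of_view", True),
    Advisory("ADV-0005", True, False, False, "none", True),
]


def summarize(advs):
    """Count advisories per bucket, the figure the report gives as 3% Now."""
    return dict(Counter(bucket(a) for a in advs))


if __name__ == "__main__":
    for adv in SAMPLE:
        print(adv.ref, bucket(adv), mitigations(adv))
    print(summarize(SAMPLE))
```

Of the five constructed advisories only one lands in Now, and it has no patch available, so its mitigation list is isolation, hardening and monitoring rather than a patch, which is the point Mueller makes: the Now bucket is small, and addressing it does not always mean patching.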