Attacks on OT systems are becoming more frequent

Sheila Zabeu -

June 10, 2021

Contrary to what one might imagine, OT systems are falling victim to unsophisticated attacks. This has made cybercriminals’ actions against critical infrastructure significantly more frequent in recent years, according to a survey conducted by Mandiant, FireEye’s intelligence unit that studies threats and incident response, recently acquired by Symphony Technology Group.

Unlike IT systems, which handle information and its flow and processing, OT systems control physical machines and their processes. They are seen as more complex, and when their operations are interrupted for any reason, restoring them takes considerable resources and time. However, Mandiant Threat Intelligence has observed that attacks on these systems are being carried out by attackers of varying skill levels, using widely available IT tools and techniques.

The attackers seem to be driven by financial or ideological motives, or simply by a desire for notoriety. They target a broad spectrum of supposedly vulnerable Internet-connected OT systems used in different solutions, such as solar power panels, water consumption control, building automation, and home security. What has changed since Mandiant started monitoring this type of activity in 2012 is the significant growth in the frequency of incidents in recent years.

Figure: Some unsophisticated intrusions into OT systems between January 2020 and April 2021

The most common activity today involves extortion, but attackers also share knowledge and expertise on using well-known tactics, techniques, and procedures and widely available tools to access, interact with, or collect information from Internet-exposed assets. According to the study, this was rarely seen in the past.

The weaknesses most frequently exploited by unsophisticated attacks are unsecured remote access services and graphical human-machine interfaces (HMIs). An HMI presents the controlled process in a user-friendly form, so an attacker who reaches one can trigger the operations they want without needing deep knowledge of the underlying system.

According to Mandiant, protection against unsophisticated attacks starts with awareness of the unsafe exposure of assets and data, together with good security practices such as:

  • Wherever possible, keep OT assets off public networks. If remote access is required, maintain access controls and monitor traffic for suspicious activity.
  • Apply common hardening techniques to edge and remotely accessible devices, such as disabling unused services, changing default credentials, reviewing asset settings, and creating access permission lists.
  • Check whether critical assets can be discovered using online scanners.
  • Promote awareness of threats to OT systems and of how their vulnerabilities are exploited.
  • Configure human-machine interfaces and other elements of control systems to limit the means of data input and mitigate risky conditions.
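The following script is an added example for this article, not code from Mandiant, FireEye, or the author; it shows what the practices above look like when turned into a routine check. It audits a small OT asset inventory for the hardening gaps the list names (public exposure, unused services left enabled, default credentials, a missing access permission list) and then reviews remote-access connections in firewall-style log lines against each asset's allow-list. The inventory, the default-credential list, the log format, and the port-to-service table are all constructed assumptions; a real deployment would feed it the site's own asset register and logs.

```python
"""Hardening audit of an OT asset inventory plus allow-list checks on
remote-access log lines.  Added example, not Mandiant's or FireEye's code;
every data set below is constructed for illustration."""

from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports that commonly carry remote access or direct HMI/PLC interaction.
# Assumption: an operator would tune this table to their own environment.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 502: "modbus"}

# Constructed sample of vendor default credentials the audit looks for.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}


@dataclass
class Asset:
    name: str
    public_ip: bool            # reachable directly from a public network?
    services: dict             # port -> enabled flag, as configured
    used_ports: set            # ports the process actually needs
    credentials: set           # (user, password) pairs currently configured
    allowed_sources: list      # CIDR strings permitted for remote access


def audit_asset(asset: Asset) -> list[str]:
    """Return one finding per hardening gap, in a stable order."""
    findings = []
    if asset.public_ip:
        findings.append("exposed directly to a public network")
    for port, enabled in asset.services.items():
        if enabled and port not in asset.used_ports:
            findings.append(f"unused service enabled on port {port}")
    if asset.credentials & DEFAULT_CREDENTIALS:
        findings.append("default credentials still configured")
    if not asset.allowed_sources:
        findings.append("no remote-access allow-list defined")
    return findings


# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<verdict>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def check_log_line(line: str, inventory: dict[str, Asset]) -> str | None:
    """Alert when a remote-access connection to a known asset comes from a
    source outside that asset's allow-list; otherwise return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    port = int(m["dport"])
    if port not in REMOTE_ACCESS_PORTS:
        return None
    asset = inventory.get(m["dst"])
    if asset is None:
        return None
    src = ip_address(m["src"])
    if any(src in ip_network(cidr) for cidr in asset.allowed_sources):
        return None
    return (f"{m['ts']} {REMOTE_ACCESS_PORTS[port]} to {asset.name} "
            f"from non-allow-listed {src} ({m['action']})")


def run_audit(inventory: dict[str, Asset]) -> dict[str, list[str]]:
    return {a.name: audit_asset(a) for a in inventory.values()}


def scan_log(text: str, inventory: dict[str, Asset]) -> list[str]:
    alerts = []
    for line in text.splitlines():
        alert = check_log_line(line, inventory)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed inventory: one HMI with several gaps, one PLC with no allow-list.
INVENTORY = {
    "10.10.5.20": Asset("pump-station-hmi", public_ip=True,
                        services={5900: True, 22: True, 80: True},
                        used_ports={5900, 80},
                        credentials={("admin", "admin")},
                        allowed_sources=["10.10.1.0/24"]),
    "10.10.5.21": Asset("plc-line-3", public_ip=False,
                        services={502: True}, used_ports={502},
                        credentials={("operator", "c0rrect-h0rse")},
                        allowed_sources=[]),
}

# Constructed log lines: an allowed VNC session, a VNC session from outside the
# allow-list, plain HTTP (not tracked), and Modbus to an asset with no allow-list.
SAMPLE_LOG = """\
2021-06-01T08:00:01Z src=10.10.1.15 dst=10.10.5.20 dport=5900 action=allow
2021-06-01T08:02:44Z src=198.51.100.7 dst=10.10.5.20 dport=5900 action=allow
2021-06-01T08:03:10Z src=198.51.100.7 dst=10.10.5.20 dport=80 action=allow
2021-06-01T08:05:00Z src=10.10.1.15 dst=10.10.5.21 dport=502 action=allow
"""

if __name__ == "__main__":
    for name, findings in run_audit(INVENTORY).items():
        print(name, "->", findings or ["no findings"])
    for alert in scan_log(SAMPLE_LOG, INVENTORY):
        print("ALERT", alert)
```

Run as written, the audit flags the HMI for public exposure, an unused SSH service and default credentials, and flags the PLC for having no allow-list; the log review raises two alerts, one for the VNC session from outside the HMI's allow-list and one for the Modbus connection to the PLC, which has no allow-list at all. The second case is deliberate: an empty permission list is treated as "nothing is permitted" rather than "everything is permitted", so a missing list shows up both in the audit and in the traffic review.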