Ransomware: attacks on industrial infrastructure nearly doubled in 2022

Hackers infect servers and infrastructure with ransomware
Sheila Zabeu

February 22, 2023

Ransomware attacks on industrial infrastructure nearly doubled in 2022, raising the risk to Operational Technology (OT)-based networks, particularly those with weak segmentation. The past year also saw this type of threat grow in sophistication because of a new modular malware kit called Pipedream, developed by the Chernovite group. The kit includes capabilities to disrupt devices that control infrastructure, such as power grids, oil and gas pipelines, water systems, and factories, and can threaten entire supply chains.

Ransomware attacks on companies in the industrial segment tracked by Dragos in 2022 showed an 87% increase from the previous year. Since 2020, researchers have tracked groups attempting to break into OT/ICS (Industrial Control System) networks. 35% more ransomware groups targeting OT/ICS environments were identified last year.

There are several reasons for the increase in ransomware activities against industrial organizations, including geopolitical tensions, the introduction of Lockbit Builder and the continued growth of ransomware-as-a-service (RaaS).

In addition, vulnerabilities have seen a 27% increase in 2022, albeit with a lower growth rate and improvements in error rates and risk ratings. While IT’s approach to vulnerability mitigation is based on installing patches, the OT world often requires system and plant shutdowns and relies on alternative solutions to mitigate risk and maintain production, making the process very challenging.

Source: Dragos

During 2022, Dragos tracked 20 threat groups and discovered two new ones: Chernovite and Bentonite. Chernovite developed the Pipedream malware, the seventh, and latest, malware targeted at ICS. Pipedream is the first reusable multisector threat affecting native industrial protocol functionality and a wide variety of devices. According to the research, the malware leverages known techniques that have already proved successful in ICS cyberattacks.

Source: Dragos

Dragos researchers say other tracked threats may evolve with more innovative and destructive capabilities in the future. Ransomware attacks are expected to continue affecting industrial operations in 2023, whether by integrating anti-OT capabilities into ransomware strains, through poorly segmented networks that let ransomware spread into OT environments, or through fearful operators who preemptively shut down OT environments to keep ransomware from reaching OT systems. In addition, cybercriminals will show more interest in vendors because of their interconnectivity with customers.

To protect against attacks, the recommendation is that industrial operators implement the five critical controls highlighted in the SANS Institute white paper, “The Five Critical Controls for ICS/OT”.

1. ICS Incident Response Plan – OT incident response plans should be distinct from those for IT because they involve different types of devices, communications protocols, and types of tactics, techniques, and procedures (TTPs) specific to industrial environment threat groups. They require a different set of tools, languages, and points of contact.

2. Defensible architecture – OT security strategies usually start by closing off the environment, removing unnecessary access points to OT networks, maintaining tight policy control at IT/OT interface points, and mitigating high-risk vulnerabilities. However, a defensible architecture is more than that. It must also support people and processes involved and improve visibility and monitoring of the OT environment.

3. Visibility and monitoring – You can only protect what you can see, so a successful OT security posture must maintain an inventory of assets, map vulnerabilities, develop the corresponding mitigation plans and actively monitor network traffic for potential threats. Threat detection built on this monitoring is what allows defence of complex networks to scale and be automated. Detection should focus on the behaviours identified in the response plan, to avoid excessive noise and concentrate on the risks of most concern. In addition, monitoring can also help identify vulnerabilities.

4. Secure remote access – Secure remote access is critical in OT environments. Multifactor authentication (MFA) is a classic IT control that can be appropriately applied in OT environments. Where it cannot be implemented, an alternative is jump hosts with focused monitoring; that monitoring should concentrate on connections into and out of the OT network rather than on connections within it.

5. Risk-based vulnerability management – Knowing vulnerabilities and having the plan to manage them is essential in a defensible architecture. An effective vulnerability management tool in OT requires awareness of key weaknesses, correct information and risk ratings, and mitigation strategies to minimize exposure and keep operations running.
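Controls 3 and 4 above both come down to watching the IT/OT boundary: which connections cross into or out of the OT network, and whether they pass through the jump host. The following is an added example (not code from the article or from Dragos) that classifies constructed flow records against an assumed OT address range, an assumed jump host address and well-known ICS protocol ports, flagging boundary crossings that bypass the jump host or reach an ICS protocol port directly.

```python
"""Added example: flag flows that cross the IT/OT boundary without using the
jump host. The OT network, jump host address and flow records below are all
constructed for this illustration, not taken from any real environment."""
import ipaddress

OT_NET = ipaddress.ip_network("10.20.0.0/16")      # assumed OT/ICS network
JUMP_HOST = ipaddress.ip_address("10.10.5.5")      # assumed jump host in the IT/OT DMZ
# Well-known TCP ports of common ICS protocols
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}

# Constructed flow records: (src, dst, dst_port, proto)
FLOWS = [
    ("10.20.1.15", "10.20.1.40", 502, "tcp"),     # HMI polling a PLC inside OT: expected
    ("10.10.5.5", "10.20.1.40", 22, "tcp"),       # jump host into OT: the sanctioned path
    ("192.168.3.22", "10.20.1.40", 502, "tcp"),   # IT workstation straight to a PLC
    ("10.20.1.40", "203.0.113.9", 443, "tcp"),    # OT device calling out to the internet
    ("192.168.3.7", "10.10.5.5", 3389, "tcp"),    # IT user reaching the jump host
]


def crosses_boundary(src, dst):
    """True when exactly one endpoint is inside the OT network."""
    return (ipaddress.ip_address(src) in OT_NET) != (ipaddress.ip_address(dst) in OT_NET)


def classify(flow):
    """Return a verdict for one flow; only boundary crossings are scrutinised (control 4)."""
    src, dst, port, _proto = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not crosses_boundary(src, dst):
        return "intra-zone"                      # traffic within one zone is not the focus
    if JUMP_HOST in (src_ip, dst_ip):
        return "via-jump-host"                   # crossing on the sanctioned path
    if dst_ip in OT_NET and port in ICS_PORTS:
        return f"ALERT direct ICS access ({ICS_PORTS[port]})"
    return "ALERT boundary crossing bypasses jump host"


def review(flows):
    """Classify every flow, returning (src, dst, port, verdict) tuples."""
    return [(f[0], f[1], f[2], classify(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, port, verdict in review(FLOWS):
        print(f"{src:>14} -> {dst:<14} :{port:<5} {verdict}")
```

In a real deployment the flow records would come from a network sensor or firewall export, and the two ALERT verdicts would feed the detection rules named in the incident response plan (control 1).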

In addition, Dragos highlighted the key role of ICS vendors in ensuring OT networks are protected from Pipedream and other types of malware. They can help in two important ways: first, by making their vulnerability and risk management programs more transparent about the software stack of their products; second, by producing a Software Bill of Materials (SBOM) as part of the development cycle.

It is worth remembering that no industry player, security solution provider, or ICS vendor will be able to mitigate ransomware attacks alone. They must cooperate to face this common enemy together.