Ransomware was the number one attack vector on critical infrastructure in 2021, according to a report by Dragos, a leading company in industrial cybersecurity. Nearly two-thirds of those attacks (65%), were aimed at the manufacturing sector, the company revealed in its annual review of cyber threats facing industrial organizations released Wednesday.
“You can combine all the other sectors together and not get to where manufacturing is getting hit,” Dragos CEO Robert M. Lee said at an information session held prior to the report’s release.
“It is our assessment that ransomware authors and groups have found that targeting industrial organizations is very beneficial,” he observed. “You not only get people to pay out faster because you’re bringing down operations, but you also get them to pay out more because it’s the crown jewels of the business.”
More than half of industrial ransomware attacks (51%) were launched by two threat groups—Conti and Lockbit 2.0—and 70% of those sorties were aimed at manufacturing targets, according to the report, which aspires to do for industrial cybersecurity what Verizon does annually for data breaches.
Lee discounted reports that ransomware attacks are on the decline. “There’s a decrease in people reporting it to the government, but there’s not a decrease in actual cases,” he said.
Critical infrastructure operators still unprepared for ransomware
The report identified areas where cybersecurity improvements by critical infrastructure operators are needed.
- Better visibility into operations networks. Eighty-six percent of companies had limited to no visibility into their industrial control system environments. That can make detections, triage and response difficult at scale. Lee cautioned that the report only includes companies serviced by Dragos. “The number across the community would be much higher,” he said.
- Better perimeter security. Seventy-seven percent of the companies serviced by Dragos had network segmentation problems. “The mature clients that are coming forward have a very porous infrastructure where it’s almost trivial to move from an IT network—whether it’s theirs or a service provider’s—into their operations network,” Lee noted.
- Better control of external connections to ICS environments. Seventy percent of organizations had external connections from OEMs, IT networks, or the internet to their OT networks—more than double the amount from 2020.
- Better separation of IT and OT user management. Forty-four percent of the organizations have shared credentials between their IT and OT networks. “In a lot of the ransomware cases we deal with, somebody will compromise the IT network, use the shared credentials, and end up in the operations network, whether they meant to or not, and then cause destruction in those operations environments,” Lee explained.
Threat actors persist in systems
Lee also noted that an executive order on cybersecurity implemented by the Biden Administration in May 2021 had a beneficial impact on industrial cybersecurity, especially in the electricity sector where some 100 companies started deploying technologies to improve visibility into their operations environments.
“Most of the world’s infrastructure is in no way monitored, so when adversaries get into operations environments, it is very challenging to find them and very challenging to remediate them,” Lee said. “Very often the threats we come across are laying in environments for months, if not years, undetected.”
Lee added that more regulation on cybersecurity is in the industrial sector’s future if it doesn’t improve its performance. “There’s probably a year or two window for people to get their stuff together,” he said. “Otherwise governments are just going to regulate it. They can’t afford to have national security to be left up to a private sector that is ignoring the problem.”
Copyright © 2022 IDG Communications, Inc.