In 2022, breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape, according to the 2022 Dragos ICS/OT Cybersecurity Year in Review.
As in previous years, the ICS/OT community has managed a growing number of vulnerabilities, many without the right mitigations needed to reduce risk and maintain operations. Meanwhile, electric grids, oil and gas pipelines, water systems, and manufacturing plants continued to struggle with more complex regulatory environments that demand marked progress in shoring up defences.
The sixth edition of Dragos’s report, which provides an ‘on-the-ground’ understanding of what is happening in the industrial space, contains the latest threat intelligence on adversary activity targeting operational technology (OT) and recent ICS-specific malware discoveries, data to inform vulnerability management practices, and cybersecurity benchmarks for industries.
PIPEDREAM – 7th ICS-Specific Malware
PIPEDREAM is the seventh known ICS-specific malware, following STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS, and Industroyer2. It has the potential for disruptive and destructive cyber-attacks. Dragos and our third-party partners discovered and analysed its capabilities before it was employed. In present form, adversaries could leverage PIPEDREAM to target equipment in multiple sectors and industries. Given the modular nature of PIPEDREAM, adversaries could adapt the malware capabilities to compromise and disrupt a broader set of targets in the future.
PIPEDREAM is the first scalable, cross-industry ICS attack framework. It targets three ubiquitous software components and demonstrates the risks of modern component-based software supply chains, where single exploits and vulnerabilities have the potential for sweeping cross-industry impact.
Maintaining an accurate asset inventory and threat detections based on knowledge of real industrial adversary behaviours as part of an ICS Network Visibility program makes it easier to spot destructive threats like PIPEDREAM. It is therefore concerning that a full 80% of Dragos service engagements still lack visibility across OT networks – making detections, triage, and response incredibly difficult at scale. Monitoring East-West ICS networks with ICS protocol aware technologies is necessary to spot PIPEDREAM in your ICS/OT environments.
Two New Threat Groups Discovered
Dragos identified two new ICS Threat Groups targeting industrial control systems and operational technology in 2022: CHERNOVITE and BENTONITE. Both threat groups demonstrate sophistication and adaptability, and one group is the developer of malware capabilities that achieve Stage 2 of the ICS Cyber Kill Chain and execute an ICS attack.
The CHERNOVITE Threat Group is the developer of PIPEDREAM, the seventh ICS-specific malware and a modular cross-industry toolkit. To develop PIPEDREAM, CHERNOVITE demonstrated a previously unseen breadth of knowledge of ICS protocols and of the intrusion techniques available to produce an effect in OT environments. Dragos assesses with high confidence that CHERNOVITE is highly motivated, well-funded, and skilled in software development methods. CHERNOVITE has developed the capabilities to achieve Stage 2 of the ICS Cyber Kill Chain and execute an ICS attack.
BENTONITE
BENTONITE is a new threat group increasingly and opportunistically targeting maritime oil and gas (ONG); state, local, tribal, and territorial (SLTT) governments; and manufacturing sectors since 2021. BENTONITE conducts offensive operations for espionage and disruptive purposes, targeting vulnerabilities in internet-exposed assets to facilitate access.
Threat Group Updates
The 2022 Dragos ICS/OT Cybersecurity Year in Review includes findings from Dragos threat hunters on the activity of six known ICS Threat Groups targeting industrial organisations. The techniques used by threat groups to gain initial access signal the importance of having Secure Remote Access in ICS/OT environments, and yet 44 percent of service engagements included a finding about shared credentials in OT systems, the most common method of lateral movement and privilege escalation. Where multi-factor authentication (MFA) is not possible, consider alternate controls such as jumphosts with focused monitoring of connections in and out of OT networks.
Industrial Risk of Ransomware
Ransomware is cited as the top financial and operational risk to industrial organisations. Of the 57 ransomware groups known to target industrial organisations and infrastructure, Dragos observed, through public incidents, network telemetry, and dark web resources, that only 39 groups were active in 2022. Dragos identified 605 ransomware attacks against industrial organisations in 2022, an increase of 87 percent over last year. Manufacturing claimed the highest share, a staggering 72 percent, but ransomware attacks spanned many industries, including food and beverage, energy, pharmaceuticals, oil and gas, water, mining, and metals.
Ransomware represents a top cyber risk to industrial organisations, particularly those without a Defensible Architecture. OT security strategies often start with hardening the environment: removing extraneous OT network access points and maintaining strong policy control at IT/OT interface points. Dragos service engagements included a finding about improper network segmentation in 50 percent of cases and a finding of external connections from OEMs, IT networks, or the Internet to the OT network in 53 percent, showing there is still a long way to go to defend against ransomware risks.
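As an added illustration of the jumphost and segmentation findings above (this is not code from Dragos or the report): a small flow classifier that flags IT-to-OT traffic bypassing a jumphost, direct external connections into OT, and OT-initiated outbound traffic, while recording permitted jumphost sessions for focused monitoring. The zone ranges, the jumphost address and the flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone layout for this example; real OT architectures vary.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")
JUMPHOST = ipaddress.ip_address("10.15.0.5")  # hypothetical IT/OT jumphost


def zone_of(ip):
    """Classify an address as 'jumphost', 'it', 'ot' or 'external'."""
    if ip == JUMPHOST:
        return "jumphost"
    if ip in IT_NET:
        return "it"
    if ip in OT_NET:
        return "ot"
    return "external"  # OEM, Internet, or anything not in a known zone


def parse_flows(text):
    """Parse constructed flow lines of the form 'src dst dport'."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def assess_flow(src, dst, dport):
    """Map one flow to a finding name, or None when it is an expected path."""
    sz, dz = zone_of(src), zone_of(dst)
    if dz == "ot" and sz == "external":
        return "external-to-ot"  # OEM/Internet reaching OT directly
    if dz == "ot" and sz == "it":
        return "it-to-ot-bypassing-jumphost"  # IT host reaching OT without the jumphost
    if sz == "ot" and dz == "external":
        return "ot-to-external"  # OT asset initiating outbound traffic
    if dz == "ot" and sz == "jumphost":
        return "jumphost-to-ot"  # permitted path, kept for focused monitoring
    return None  # intra-zone traffic is out of scope for this check


def assess_flows(flows):
    """Return (finding, src, dst, dport) for every flow that produced a finding."""
    results = [(assess_flow(*f), str(f[0]), str(f[1]), f[2]) for f in flows]
    return [r for r in results if r[0] is not None]


# Constructed sample flows; ports are illustrative (502 Modbus, 44818 EtherNet/IP).
SAMPLE = """
10.10.4.7   10.20.1.10   502
10.15.0.5   10.20.1.10   3389
203.0.113.9 10.20.1.20   44818
10.20.1.10  198.51.100.3 443
10.10.4.7   10.10.9.9    445
"""

if __name__ == "__main__":
    for finding in assess_flows(parse_flows(SAMPLE)):
        print(finding)
```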
The State of ICS/OT Vulnerabilities
In 2022, the number of reported ICS/OT vulnerabilities showed a material increase of 27 percent, which demonstrates the increased attention and focus on the risks to industrial infrastructure by security researchers. The Dragos Threat Intelligence team analysed 2170 common vulnerabilities and exposures (CVEs) during 2022, up from 1703 CVEs in 2021.
While patching an IT system like a worker’s laptop is relatively easy, shutting down a plant has huge costs. Knowing what to do about vulnerabilities, and when, is a critical component of an effective Risk-Based Vulnerability Management program. For each CVE, Dragos independently assesses, confirms, and provides corrections to help with prioritising vulnerabilities and implementing mitigations that reduce risk and maintain operations in ICS/OT environments.
Acting Now, Next, Never
Dragos researchers assess vulnerabilities to account for how easily and frequently they are exploited by adversaries and how impactful a compromise could be in the context of ICS/OT environments. Dragos categorises them by Now, Next, and Never to help avoid wasting resources on unnecessary remediation and focus OT asset owners and defenders toward their most critical risks.
Be proactive about having a well-thought-out ICS-specific Incident Response Plan (IRP) that is distinct from IT’s. OT involves different devices, communication protocols, adversary behaviours, and vulnerability management practices. Cyber-attacks can result in physical impacts, and investigations require a different set of tools. Create a dedicated plan that includes the right points of contact and next steps for specific scenarios at specific locations.
You can read the full report here.