Operational Technology Systems Face Rising Cyber Risks


A new report by Dragos Inc. has highlighted that sophisticated threat groups and hacktivists have demonstrated a capacity to breach critical infrastructure networks and disrupt operational technology (OT) systems. Dragos says this marks a pivotal shift for Australian organisations.

The report, Australian 2023 OT Cybersecurity Year in Review, provides an overview of the significant cybersecurity trends impacting industrial infrastructure organisations.

Of the 905 global ransomware incidents that affected industrial organisations last year, 13 involved Australian organisations. Several incidents, such as DP World Australia, reinforced the cascading effects of ransomware on industrial operations, supply chains, and consumers.

“With each passing year, the number of ransomware incidents globally climbs even higher, leading to cascading impacts for virtually every industrial sector, particularly manufacturing,” said Area Vice President of Dragos Asia Pacific, Hayley Turner. “Meanwhile, the number of vulnerabilities present in industrial control systems (ICS) continues to grow exponentially, along with the adversaries’ appetite to exploit them.”

In 2023, Dragos saw the emergence of three new threat groups, including VOLTZITE linked to Volt Typhoon, and found that ransomware continued to be the most reported cyber threat among industrial organisations, with a nearly 50% increase in reported incidents. Globally, Dragos now tracks 21 threat groups engaged in OT operations in 2023.

Of the three new groups, VOLTZITE targets electric power generation, transmission, and distribution. It has also been observed targeting research, technology, defence industrial bases, satellite services, telecommunications, and educational organisations. The group overlaps with Volt Typhoon, a group that the US Government publicly linked to the People’s Republic of China.

The group’s threat activities include living off the land techniques, prolonged surveillance, and data gathering aligned with Volt Typhoon’s assessed reconnaissance objectives and gaining geopolitical advantage in the Asia Pacific region. They have traditionally targeted US-based facilities but have been seen targeting organisations in Africa and Southeast Asia.

Additional global findings include that 80% of vulnerabilities reside deep within the ICS network; 16% of advisories were network exploitable and perimeter facings; 53% of the advisories analysed could cause both a loss of view and loss of control (up from 51% in 2022); and 31% of advisories contained errors, with Dragos providing mitigations for 49% of the advisories that had none.

Ransomware remains the number one attack vector globally in the industrial sector, increasing 50% from 2022. Globally, Lockbit caused 25% of total industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9% each. The manufacturing sector continues to be the primary target of ransomware, accounting for 71% of all ransomware attacks. Ransomware groups do not explicitly target ICS and OT, but risks to these environments are introduced by precautionary operations shutdowns to limit the impact of an attack, flattened industrial networks, and the integration of ICS/OT kill processes into ransomware strains.

The Lockbit 3.0 compromise of DP World Australia in November, which handles 40% of goods coming in and out of Australia, led to the shutdown of land-side port operations for three days while the incident was contained. Though ransomware was not deployed in this case, it was not until ten days after first detecting the incident that DP World Australia was able to clear 100% of the backlog, comprising 30,137 containers.

Australia’s Cyber and Infrastructure Security Centre (CISC) and a joint effort by agencies from the Five Eyes Intelligence Alliance shed light on the intensifying OT cyber threat landscape, with a sharp focus on foreign espionage and interference as prime threats to critical infrastructure.

The Australian Signals Directorate’s Annual Cyber Threat Report revealed a 50% jump in cyber incidents targeting such infrastructure, highlighting the alarming trend that these sectors are increasingly preyed upon out of motivation to gain geopolitical advantages. The involvement of sophisticated threat groups underscores the critical necessity for robust cybersecurity measures and the importance of private and public partnerships in Australia and internationally. Reinforcing cybersecurity defences and forging strong international alliances are paramount for safeguarding national interests and ensuring the resilience of critical infrastructure in the face of complex escalating threats.

In 2023, the CISC has advanced its efforts to bolster national cybersecurity and resilience, particularly in ICS/OT environments where the challenge of detecting sophisticated threats is increasingly paramount.

Key initiatives include publishing critical infrastructure asset class definition guidance on May 12, 2023. This was aimed at enhancing operational resilience across 22 sectors and activating the Critical Infrastructure Risk Management Program. The program, part of a trio of security obligations introduced by recent amendments to the Security of Critical Infrastructure Act 2018, alongside Mandatory Cyber Incident Reporting and the Critical Infrastructure Asset Register, marks a strategic endeavour to elevate Australia’s critical infrastructure security.

“These steps signal the urgency and importance of robust asset monitoring, intelligence-based detections for sophisticated threats, and a coordinated response to safeguard essential services that Australians rely upon,” said Turner.

As ICS/OT cybersecurity becomes a top priority, from boardrooms to the manufacturing floor, the report says leaders and their teams must work together to implement programs and critical safeguards.

The Australian 2023 Dragos OT Cybersecurity Year in Review report, and the accompanying executive summary, can be downloaded here.