Cyber Threats

The Rising Threat in IIoT and OT Cybersecurity

Published January 17, 2024 by António Vasconcelos

Evolving Landscape of Cyber Attacks

The year 2023 showcased an alarming surge in cyber attacks, with cybercriminals demonstrating relentless innovation. These attacks increasingly targeted various sectors, including Operational Technology (OT) and Industrial Internet of Things (IIoT) systems. A notable shift was the rise of Ransomware-as-a-Service (RaaS), which lowered the entry barrier for aspiring cybercriminals and contributed to the proliferation of ransomware incidents. Supply chain attacks also emerged as a significant focus for cybercriminals, exploiting interconnected networks to compromise systems and data at various points in the production and distribution process.

Targeting of IIoT and OT Systems

OT systems, crucial for critical infrastructures, faced escalating threats from both nation-state actors and profit-driven cybercriminals. The complexity of defending these systems is compounded by the convergence of information technology (IT) and OT, insider attacks, and supply chain vulnerabilities. As reported by Ars Technica, even seemingly innocuous devices like network-connected wrenches, used in factories, can lead to sabotage or ransomware attacks.

Recent (and notable) Attacks on OT Environments

In recent years, there have been several notable cyber attacks on OT environments, underscoring the evolving sophistication of cyber threats targeting industrial and critical infrastructure systems.

A significant attack involved the deployment of Industroyer 2 within an Industrial Control System network, combined with the updated CaddyWiper malware. This attack showcased the destructive potential of this malware in OT environments. CaddyWiper, a data wiper, was used to erase critical data in ICS networks, including overwriting files and obliterating information about the physical drive’s partitions. The malware also modified access control list entries to seize ownership of files and gathered lists of currently running processes, highlighting its ability to take comprehensive control of a compromised system.

Another alarming instance is the CosmicEnergy malware, specifically designed to disrupt electrical grids by interacting with the IEC-104 protocol, a standard in electrical grid operations, to manipulate power line switches and circuit breakers. Unlike some other malware, CosmicEnergy does not have built-in functionality for autonomous reconnaissance, indicating a need for prior attacker reconnaissance such as gathering IP addresses and credentials of critical systems. Once inside the network, attackers could move laterally and manipulate power infrastructure, potentially causing widespread disruptions.
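Because the commands that operate switches and breakers travel as ordinary IEC-104 control ASDUs, a defender can decode them off the wire and alert on any command activation that does not come from a known control station. The following is an added example, not code from the original post or from Zero Networks: a minimal IEC 60870-5-104 APDU decoder plus a check against an assumed allowlist of SCADA masters, run over constructed sample frames (the IP addresses and traffic are made up for illustration).

```python
import struct
# IEC-104 type IDs for process control commands (operating switches/breakers).
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step command"}
COT_ACTIVATION = 6  # cause of transmission "activation": a command being issued

def parse_apdu(data: bytes) -> dict:
    """Parse one IEC-104 APDU. I-frames yield the ASDU header and first object."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    apdu_len = data[1]
    if len(data) < apdu_len + 2:
        raise ValueError("truncated APDU")
    ctrl0 = data[2]  # APCI control octet 1 encodes the frame format
    fmt = "I" if ctrl0 & 0x01 == 0 else ("S" if ctrl0 & 0x03 == 0x01 else "U")
    if fmt != "I":
        return {"format": fmt}  # S/U frames carry no ASDU
    asdu = data[6:apdu_len + 2]
    type_id, vsq = asdu[0], asdu[1]
    cot = asdu[2] & 0x3F  # low 6 bits of the COT octet (bit 6 = P/N, bit 7 = test)
    common_addr = struct.unpack_from("<H", asdu, 4)[0]  # 2-byte common address of ASDU
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)    # 3-byte information object address
    info = {"format": fmt, "type_id": type_id, "num_objects": vsq & 0x7F,
            "cot": cot, "common_addr": common_addr, "ioa": ioa}
    if type_id in (45, 46):  # SCO / DCO qualifier octet follows the IOA
        info["select"] = bool(asdu[9] & 0x80)               # S/E: 1 = select, 0 = execute
        info["state"] = asdu[9] & (0x01 if type_id == 45 else 0x03)
    return info

def flag_control_commands(packets, allowed_masters):
    """packets: iterable of (source_ip, apdu_bytes); alert on commands from unknown hosts."""
    alerts = []
    for src, raw in packets:
        p = parse_apdu(raw)
        if p["format"] == "I" and p["type_id"] in CONTROL_TYPES \
                and p["cot"] == COT_ACTIVATION and src not in allowed_masters:
            action = "select" if p.get("select") else "execute"
            alerts.append(f"{src}: {CONTROL_TYPES[p['type_id']]} CA={p['common_addr']} "
                          f"IOA={p['ioa']} {action} state={p.get('state')}")
    return alerts

# Constructed sample traffic (not real captures): STARTDT U-frame, a spontaneous
# single-point report, a single command from the real master, a double command from a rogue host.
SAMPLE_PACKETS = [
    ("10.0.1.10", bytes.fromhex("680407000000")),
    ("10.0.2.50", bytes.fromhex("680e0000000001010300010064000001")),
    ("10.0.1.10", bytes.fromhex("680e020000002d010600010001100001")),
    ("10.0.9.77", bytes.fromhex("680e040000002e010600010002100082")),
]
ALLOWED_MASTERS = {"10.0.1.10"}  # assumed allowlist of legitimate control stations
```

Running `flag_control_commands(SAMPLE_PACKETS, ALLOWED_MASTERS)` reports only the double command (select, state 2) from the unlisted host; in a real deployment the allowlist and the set of alarmed type IDs would come from the site's asset inventory.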

The Broader Context of OT Cybersecurity

These attacks serve as a stark reminder of the unique challenges in securing OT environments. The specificity of the attacks, such as targeting industrial control protocols or system configurations, requires a nuanced understanding of both cybersecurity and the operational technologies involved. The increasing frequency and sophistication of these attacks highlight the urgent need for robust security measures, including micro-segmentation, to protect OT infrastructure from such threats.

Mitigation and Remediation Strategies

To counter these threats, organizations must adopt comprehensive cybersecurity strategies that include regular software updates and patching, risk assessments, network segmentation, security monitoring, intrusion detection systems, and employee training and awareness. In the event of an attack, containment, isolation, digital forensic investigation, and system restoration are crucial steps in the remediation process.

Specific attacks on OT environments, such as those using Industroyer 2 and CaddyWiper, and the broader threat landscape they represent underscore the critical importance of advanced and tailored cybersecurity strategies in protecting critical infrastructure and industrial operations.

The Importance of a Comprehensive Approach

The escalating cyber threats in the IIoT and OT landscape necessitate a comprehensive and proactive approach to cybersecurity. Traditional models like the Purdue Enterprise Reference Architecture are evolving to accommodate modern IIoT and OT environments, with methodologies like Consequence-driven Cyber-informed Engineering (CCE) emerging to address these unique risks.

Implementing Zero Trust principles and focusing on reducing the attack surface are pivotal in achieving cyber resilience in this complex environment.

An Urgent Call for Action

The convergence of IT, OT, IoT, and IIoT into cyber-physical systems (CPS) has expanded the attack surface, introducing new vulnerabilities and advanced attack capabilities for adversaries. Attacks on CPS can potentially bring entire economies to a halt or cause immense damage, as observed in several high-profile incidents over the past years.

If you’re anxious to address your needs in this area – extending MFA to every asset in your network – Zero Networks can help. Request to meet with us here.