Critical infrastructure
Manufacturing
Mining, Oil & Gas
News
Reports
Transportation
Utilities: Energy & Power, Water, Waste

As OT infrastructure comes into its own, attacks increase, FortiGuard Labs says

August 25, 2021
FortiGuard Labs

FortiGuard Labs has identified a significant increase in the volume and sophistication of attacks targeting individuals, organizations, and increasingly critical infrastructure. It also revealed that operational technology (OT) environments may not get the same attention as IT, but its connection to the physical world means it can impact lives, reflecting the significance of the role that OT plays in organizational frameworks. 

The report, titled, ‘2021 mid-year Global Threat Landscape Report’ gathers threat intelligence from the initial six months of this year, indicating a noticeable increase in the volume and sophistication of attacks targeting individuals, organizations, and increasingly critical infrastructure. The expanding attack surface of hybrid workers and learners, in and out of the traditional network, continues to be a target. 

FortiGuard Labs has documented steady interest from threat actors in identifying OT vulnerabilities and then building them into various exploit tools that lower the cost of attack. The result is that ‘script kiddies’ are at least as likely to find exposed OT devices, as APT (advanced persistent threat) groups focused explicitly on exploiting unprotected and unpatched ICS (industrial control systems). FortiGuard Labs is the threat intelligence and research organization at Fortinet.

Until recently, OT networks functioned as isolated, air-gapped environments, meaning cybersecurity was not a top priority. Exploits against SCADA (supervisory control and data acquisition) or ICS environments were viewed by many as a rare subset of highly-targeted attacks that most organizations needn’t concern themselves with, the report highlighted. 

In the light of the modern threats, FortiGuard Labs plotted IPS (intrusion detection system) detections according to their prevalence and volume. Data shows that while IT-related exploits are more numerous and exhibit greater prevalence and volume, the relatively high level of exploitation targeting OT may surprise many, even shattering the perception that ICS exploits are an obscure niche of the cyber threat landscape. 

This recalibration of perception is critical, given how new business demands and aging infrastructure are chipping away at the historical partitions separating OT and IT and leading to increased convergence of these networks, FortiGuard Labs said. 

“We are seeing an increase in effective and destructive cyberattacks affecting thousands of organizations in a single incident creating an important inflection point for the war on cybercrime,” Derek Manky, Chief, Security Insights & Global Threat Alliances at FortiGuard Labs, said in a press statement. “Now more than ever, everyone has an important role in strengthening the kill chain. Aligning forces through collaboration must be prioritized to disrupt cybercriminal supply chains,” he added.

“We’ve had numerous reminders of that connection so far in 2021 through ransomware and other attacks aimed at industrial environments. We analyze detected exploits targeting industrial control systems (ICS) and demonstrate that OT sits higher on the attacker radar than you might think,” according to the FortiGuard Labs report.

ICS detections during the first half of the year saw an increasing prevalence and volume of exploits targeting WindRiver VxWorks systems. Deployed in ICS-related devices and deployed across several sectors, including communications, critical manufacturing, energy, healthcare and public health, transportation systems, and water and wastewater systems, the real-time operating system (RTOS) platform has a history of high-profile vulnerabilities, including a slew of them identified by Rapid7 in 2010 and the more recent ‘Urgent/11’ disclosed by Armis Labs in 2019.

Armis published an update to the Urgent/11 last December, claiming that 97 percent of the OT devices impacted by URGENT/11 had not been patched. It’s possible that this served to grab the attention of would-be attackers, resulting in a surge of reconnaissance activity probing for those vulnerabilities, the FortiGuard Labs report said. 

“That theory is supported by the fact that one of the most prevalent detections indicates attempted scans to ascertain the version number of VxWorks. While not particularly threatening in and of itself, that reconnaissance likely targets additional known flaws in the VxWorks TCP/IP stack, several of which have RCE potential,” it added.

Timely collaboration and partnership momentum across law enforcement, as well as public and private sectors, will help to disrupt the cybercriminal ecosystem going into the second half of 2021, the report said. 

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience