Growing convergence of geopolitics and cyber warfare continues to threaten OT and ICS environments in 2024

2024.02.18

As we move into 2024, the influence of geopolitics on cyber warfare has become increasingly pronounced, with rising instances of impacts on OT (operational technology) and ICS (industrial control systems) environments. Geopolitical tensions between major powers have escalated into a new domain of warfare, where cyberattacks serve as both a tool for espionage and a weapon of disruption. Such attacks threaten national security while having profound implications for critical infrastructure and industrial sectors worldwide.

The strategic targeting of OT/ICS by state-sponsored actors or politically motivated groups aims to disrupt essential services such as power, water, and transportation. These systems, traditionally isolated from the internet, have become more interconnected with IT networks, exposing vulnerabilities that can be exploited. The convergence of IT and OT environments has expanded the attack surface, making it imperative for nations and corporations to bolster their cyber defenses.

With increased sophistication in attacks targeting OT/ICS environments, cyber adversaries are leveraging advanced techniques such as supply chain compromises, living-off-the-land (LotL) techniques, and zero-day exploits to bypass traditional security measures. The repercussions of these attacks extend beyond immediate operational disruptions, posing risks to public safety and economic stability.

The geopolitical landscape has necessitated a shift in how nations and industries approach cybersecurity. There is a growing emphasis on developing resilient OT/ICS infrastructures, implementing stringent cybersecurity protocols, and fostering international cooperation to mitigate the threats posed by cyber warfare. As geopolitical tensions continue to shape the cyber domain, the need for robust cybersecurity strategies and collaborative efforts to protect critical infrastructure has never been more critical.

Impact of geopolitical events on OT and ICS systems in 2024

Industrial Cyber reached out to industry experts to identify specific geopolitical events that have significantly influenced the frequency and intensity of cyber attacks targeting OT and ICS environments. Additionally, they analyzed how the changing geopolitical landscape has shaped the strategies and tactics used in cyber warfare throughout 2024.

Paul Veeneman, an IT OT ICS cybersecurity and risk management professional

Cyber operations and tactics are now a critical element of military strategy and of influencing global affairs, Paul Veeneman, an IT/OT/ICS cybersecurity and risk management professional, told Industrial Cyber, adding that whether creating fear, uncertainty, and doubt, distributing false information, or simply gathering intelligence, these activities highlight the expanded role of cyber in geopolitical conflicts. “This demands sophisticated defensive and offensive capabilities.”

Veeneman said that the Russian-Ukrainian war has seen significant cyber-attacks on Ukraine’s critical infrastructure. “US-Iran tensions have spurred increased cyber activities, with Iranian actors targeting critical sectors in retaliation to geopolitical moves, reflecting the intricate nexus between geopolitics and cyber warfare.”

He added that threat actors have increasingly targeted supply chain vulnerabilities more than ever, ransomware has evolved to include information exfiltration and extortion methods, and emerging AI and machine learning have increased the sophistication of attacks targeting critical infrastructure for political leverage.

John Livingston, CEO of Verve Industrial

Providing a counterintuitive view, John Livingston, CEO of Verve Industrial, a Rockwell Automation company, said that he believes that the wars in Ukraine and Israel have had a beneficial effect on cyber attacks in areas outside those conflict zones, such as the US. “My hypothesis is that a significant focus has shifted from the ‘for profit’ ransomware efforts toward a greater energy to impact the relevant enemy nation states and the private industry in those geographies,” he added.

Ed Suhler, co-founder and chief operating officer at Mission Secure

Russia has been launching cyber attacks against Ukraine’s power grid since at least 2015, and those attacks have intensified in the last two years as part of Russia’s invasion, Ed Suhler, co-founder and chief operating officer at Mission Secure, told Industrial Cyber. “Heightened tensions across the Middle East due to the Hamas war with Israel have provided ample opportunity for cyber attacks from Iranian-backed groups against Israel and the West.”

“We’ve also seen attacks against U.S. water systems by Iran-backed groups who are targeting industrial components from manufacturers in Israel,” according to Suhler. “But as FBI Director Wray said in his statements to Congress in January, China remains the biggest threat to critical infrastructure systems.”

Nir Ayalon, CEO of Cydome

Nir Ayalon, CEO of Cydome, told Industrial Cyber that in the past year, “we’ve seen the geopolitical situations in Ukraine and the Middle East escalate, expanding to have a regional and global impact.” 

“Every military conflict in recent years is accompanied by increased cyber attacks on civilian targets, from critical infrastructure and private businesses and SMBs, and those attacks tend to shift focus from stealing information to inflicting damage,” Ayalon added. “Various groups were involved, whether directly attributed to nation-states or ‘nation-related.’ We saw the rise in Iranian cyber attacks on Israel during the war, mainly on critical infrastructure providers and IoT devices, with the number of attack groups doubling during the war.”

Nation-state cyber strategies and impact on security landscape

The executives look into how nation-states utilize cyber capabilities to pursue geopolitical goals and the implications of these actions for critical infrastructure, including threats and attacks. They also examine emerging alliances and conflicts that influence the landscape of cyber warfare, thereby impacting OT/ICS environments.

Veeneman said that the Unitronics incidents provided examples of risks that accompany ‘convenience’ when third-party firms expose control systems interfaces to the public Internet for data collection and monitoring. “The fact there was a need for a CVE to explain the inherent risks of default passwords is very concerning. On average threat adversaries can reverse engineer patches for identified vulnerabilities within 30 days. Remediation of vulnerabilities can be anywhere from 90 to 120 days for medium to enterprise-level organizations. Operations, engineering, and security practitioners are perpetually behind the curve,” he added.

He flagged that the most concerning alliances are those between nations and hacktivist groups. “The Russian-Ukraine war, the Hamas-Israeli war, the attacks against US critical infrastructure, many of the cyber-related threats are coordinated efforts of groups that have allegiances to nations on opposite sides of these conflicts. The theater of war is digital and kinetic, and the impact of regional tension has global reach. Exploits and infiltration can be cultivated over time to be used at strategic points, applying pressure to mounting hostilities.”

Livingston said that the first part of this question is almost too broad to answer, as there are dozens of ways they do this. “They access CI systems to scout and gather data waiting for the time when it will make sense for them to execute an attack. So this threat is latent and often unknown until it’s too late. I believe the Israel-Hamas war will shift the natural alliances. Israel will find itself with many fewer friends and many more enemies as a result of the public impression of their response. Therefore the alliances may shift significantly,” he added. 

Pointing out that it has always been known that nation-states do not act independently of private actors, Livingston mentioned that there are alliances that cross state-private borders. “Each side uses the other for its purposes. There will likely be more private cyber actors that will have sympathy for acting against Israel and its allies and may cooperate with nation-states, even while not knowing they are doing their bidding.”

Suhler said that overt cyber attacks by nation-states against critical infrastructure are rare. “Russia’s attacks against the Ukrainian grid are the most prominent example, and even those are overshadowed by missile launches and other physical attacks against the same targets. However, we know that China, Russia, and Iran have infiltrated many OT and ICS networks and have the ability to cause widespread damage if they choose to do so.” 

He added that the awareness of that constant threat is motivating many critical infrastructure operators to invest in stronger cyber protection.

“Modern warfare uses cyberspace as another battlefield where nation-states leverage cyber capabilities for geopolitical objectives through espionage, sabotage, information warfare, economic attacks, and political manipulation,” Ayalon said. “We can identify threats against critical infrastructure, such as power grids and transportation systems, and this is done through cyberattacks exploiting OT and ICS environments that are often legacy-based.”

He added that there are emerging alliances related to actual conflicts, where nation-states and hacker groups collaborate, often serving as proxy warfare. “An example would be the recent attack on water facilities infrastructure in the US where a hacker group identified as Cyber Av3ngers was related to the Iranian Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).”

Government response to geopolitical cyber threats, state-sponsored hacking

The executives examine the adjustments governments and international organizations make to their cybersecurity policies in response to geopolitical influences on cyber threats in 2024. Additionally, they delve into the role of state-sponsored hacking groups in furthering geopolitical agendas, especially concerning vulnerabilities in critical infrastructure.

Veeneman said that global cybersecurity threats have given rise to international consortiums and cooperation, sharing of threat intelligence and resources, and coordination of law enforcement across nations. “There are several successful examples of nations collaborating to bring cyber criminals to justice and shutting down criminal operations. However, there are limitations to what law enforcement can accomplish due to politically charged treaties governing the extradition of suspected hackers. The US lacks such treaties with Russia, China, and other nations from which such attacks have originated, preventing accountability for hackers harbored in their home country.”

Various US agencies and associations such as the Cybersecurity & Infrastructure Security Agency (CISA), the Department of Energy (DoE), the American Water Works Association, and their EU counterparts such as the European Union Agency for Cybersecurity (ENISA) have created policies and guidance aimed at improving cybersecurity resilience, he pointed out. While incrementally moving the needle forward, criticisms are that policies are not ‘security,’ are still IT-focused versus OT-focused, and much of global critical infrastructure lacks sound asset management and basic cyber-physical best practices.

“The early stages of the Hamas-Israeli war clearly demonstrated the impact of hacktivist group participation or involvement,” Veeneman added. “The coordination of DDoS attacks against Israel’s critical infrastructure, early warning systems, and communications by Cyber Av3ngers and Anonymous Sudan displayed the evolution of hybrid warfare. To accomplish these strategic and tactical initiatives, the vulnerabilities of these systems were identified and targeted for exploit and compromise well in advance of the conventional offensive.”

In short, Livingston said not well. “The private sector is very successful at pushing back against any form of compliance requirements and the governments are distracted with other issues. As for the role nation-states play, this is somewhat answered by the first question, they are accessing and discovering large components of our CI.” 

He added that perhaps the one key point to add is that again they do not do this alone. “They align with private sector actors that share an enemy. Perhaps that private actor doesn’t have a desire to shut down the grid or make nuclear weapons ineffective. However, nation states will use them as a part of their overall mission.”

Suhler observed that state-sponsored hacking groups, often working hand-in-hand with criminal organizations, are central to Russia’s and China’s political agendas. “State-sponsored attacks against IT assets are very common and are used to advance a variety of objectives, from stealing intellectual property to gathering data on other nations’ citizens.” 

On the OT side, Suhler noted that nations want it understood that they have the capacity to launch attacks against critical infrastructure, but most are cautious about actually using that ability because those attacks are highly visible and would probably be viewed as an act of war.

“2023 was a wake-up call to many organizations and governments that should have prioritized cyber protection,” according to Ayalon. “State-sponsored hacker groups are being used as a weapon that can cause massive damage relatively stealthily and seriously damage critical infrastructure. This warfare is not a local phenomenon – but a global one.”

He added that directives such as the EU Network and Information Security (NIS) directive are being updated (NIS2) to cover areas such as maritime critical infrastructure.

Impact of geopolitical dynamics on cyber norms and OT/ICS regulations

The executives assess how geopolitical considerations influence the creation and enforcement of international norms and regulations designed to govern cyber activities within the OT/ICS domain. Furthermore, they highlight the steps critical infrastructure operators are undertaking to bolster the resilience of their systems against the backdrop of a shifting geopolitical landscape and emerging cyber threats.

Veeneman highlighted that each nation will have its national security interests, varying perspectives and perceptions on threats, and international consensus will be arduous at best. “Veiled or direct ultimatums, geopolitical tensions, and posturing of nations over specific regions of influence will require each nation to determine safeguarding of its own critical infrastructure. Conflicts on one side of the globe spill over to the other. Connectivity is influence, whether implied or executed, the capacity to disrupt water, electricity, or basic services has a profound impact,” he added.

He added that since the Slammer worm in 2003, there has been a consistent increase in the sophistication of threats, risks, and impact on critical infrastructure over the past 20 years.

“The cybersecurity global marketplace in 2023 was $191B US, and that number is expected to reach $298B US by 2028. The increase of cybersecurity spend is proportional to the increase of threats but not the mitigation of threats,” according to Veeneman. “At the time of the Unitronics event in Pennsylvania, there were approximately 254 exposed Unitronics devices in the US, the majority of which are on cellular networks. Today there are 33. That represents an 87% reduction of openly exposed control systems interfaces across the US.” 

He added that critical infrastructure operators and decision-makers must get back to basics, requiring personnel and third parties to implement cyber-physical best practices, ensuring assets are not compromised by convenience, ‘easy for us is easy for them.’

Livingston said that critical infrastructure institutions are acting, but much too slowly relative to the threat. “They have begun steps to separate their networks, begin to gather some telemetry, etc. However, the big rocks of updating software, ensuring regular backups of critical systems, and managing access down to an asset or application level on critical operational systems are still a long way off. The number of legacy processes and equipment combined with the push for greater efficiency and blocking any new initiatives slow down the progress we need immediately,” he added.

“There’s been a lot of discussion about new regulations to protect OT and ICS assets in recent years, and there’s a greater sense of urgency in those discussions as the conflicts in Ukraine and the Middle East continue to escalate,” Suhler pointed out. “But those regulations take a long time to implement, and even then they don’t always address the greatest risks.” 

He also added that OT asset owners who truly take these issues seriously will continue to harden their systems against attacks, regardless of whether they’re subject to industry or governmental mandates.

Ayalon said that 2024 appears to continue last year’s trend, increasing the number of cyber attacks in the OT/ICS space. “Apart from the geopolitical considerations, there are also technological changes that are happening at the same time, such as the fast-growing Low Earth Orbit (LEO) satellite usage such as Starlink that is pushing critical infrastructure, such as the maritime one to a hyperconnectivity, allowing attackers to exploit OT in such environments,” he concluded.
