OT cybersecurity specialists Dragos spent last year hunting and responding to industrial control systems adversaries. Now the company has taken what they’ve learned to produce reports detailing the current ICS threat landscape and vulnerabilities.
“Despite no publicly reported destructive attacks, ICS network intrusion and disruption persists, and the associated cyber risk continues to grow and remains at a high level,” Dragos says. “The growing threat landscape affirms previous Dragos assessments: as the community achieves greater visibility into the industrial threat landscape through increased visibility, threat hunting, ICS-specific threat detection, and rising industrial cybersecurity investment, we will continue to identify new adversaries and gain a better understanding of the behaviors, tradecraft, and threats to ICS environments.”
In Dragos’ 2019 report on the ICS threat landscape and attack groups, the company identifies three new activity groups targeting ICS entities globally. This increases Dragos’ count of activity groups to 11.
According to Dragos’ report, there is an increased focus on ICS organizations, specifically in critical infrastructure across the United States and the Asia-Pacific region. Additionally, escalating geopolitical tensions have increased the potential for cyber attacks against ICS, putting critical infrastructure and human life at higher risk.
In 2019, Dragos found that third-party and supply chain threats increased particularly in the areas of telecommunications, managed service providers, and backbone internet service providers. According to the report, attackers are increasingly targeting remote connectivity such as virtual private networks (VPNs), vendor and business management integrations, remote desktop connections, and managed service providers.
The threat landscape report demonstrates that ransomware and commodity malware, such as Ryuk and Emotet, remain threats to industrial operations. Other common tactics, such as phishing, password spraying, and watering holes, remain popular and effective as initial access vectors into industrial organizations.
“Dragos anticipates activity targeting and affecting ICS to increase into 2020 and further. We expect to see more adversaries expand their focus to additional critical infrastructure and industrial environments, which will likely align with activity associated with military or geopolitical conflict,” the report says. “Although defenders continue to gain insight through OT-specific detection and monitoring platforms, it is imperative we continue to improve visibility into activities and threats impacting critical infrastructure.”
Dragos vulnerability analysts have assessed 438 ICS vulnerabilities reported by independent researchers, vendors and other sources. Their recent ICS vulnerabilities report looks at how these vulnerabilities affect industrial control networks and at the mitigation efforts to address them. The report also examines whether appropriate mitigation is provided alongside published vulnerability advisories.
According to the report, 77 percent of the vulnerabilities Dragos assessed were considered “deep within” a control systems network, requiring some existing access to a control systems network to exploit. Only 9 percent of advisories applied to products generally associated with systems bordering the enterprise, which could facilitate initial access into operations.
“The remaining vulnerabilities fit into neither category. These include systems such as door access controls, video management systems, and heating, ventilation, and air conditioning (HVAC) controllers, which generally have no direct impact on operations or are not industrial-specific,” the report says. “However, adversaries previously exploited HVAC contractor connections to obtain initial access to building control networks and could be used as an initial access vector.”
Dragos also found that 26 percent of advisories had no patch available when the initial advisory came out, which limits the ability for users to take action on the published vulnerability. Additionally, 30 percent of advisories included incorrect data, preventing operators from accurately prioritizing patch management.
The ICS vulnerabilities report also looks at the vulnerability scores associated with public reports.
“In 2019, Dragos began tracking advisory errors with a great deal of granularity, putting an increased focus on this important data point,” the report says. “Dragos found that vulnerabilities frequently contain an incorrect severity score, which can potentially harm security and patching prioritization at affected companies.”
Dragos’ final 2019 report details the observations, industry trends, and lessons learned from their team during threat hunts, incident response engagements, vulnerability assessments, and more.
“These adversaries largely remain unchecked by defenders, stemming from a combination of both the lack of visibility in industrial environments and our community’s lack of understanding and communication around the potential impacts of a cybersecurity incident on control systems,” the report says. “Understanding today’s evolving cyber threat landscape – through a deep understanding of how adversaries behave and the potential operational, safety, and financial impacts they can cause – is vital for the industrial control systems (ICS) community to raise the bar in cybersecurity and secure the resources needed to effectively protect the processes civilization depends on daily.”