Rockwell reports surge in cyberattacks on critical infrastructure, intense focus on energy sector

New research released by Rockwell Automation identified that approximately 60 percent of cyberattacks on the industrial sector are orchestrated by state-affiliated entities, with internal personnel unintentionally facilitating these attacks in roughly 33 percent of cases. The findings of the initial research report indicate that 40 percent of these cyberattacks resulted in unauthorized access or data exposure. The research aligns with previous industry studies that indicate a rising trend in both the number and frequency of OT/ICS security incidents, particularly targeting vital infrastructure like energy producers.

Titled ‘Anatomy of 100+ Cybersecurity Incidents in Industrial Operations,’ Rockwell’s research disclosed that OT/ICS cybersecurity incidents in the last three years have already exceeded the total number reported between 1991-2000. Hackers are most intensely focused on the energy sector (39 percent of attacks) – over three times more than the next most frequently attacked verticals, critical manufacturing (11 percent) and transportation (10 percent).

“As is well reported, the potential for high impact creates greater opportunities for both ransomware payouts and for adversarial nation-state goals,” Rockwell revealed. “However, power plants, substations, and related infrastructure are also aging, with many built up to 50 years ago. Older infrastructure wasn’t built to leverage modern security controls.”

“Energy, critical manufacturing, water treatment, and nuclear facilities are among the types of critical infrastructure industries under attack in the majority of reported incidents,” Mark Cristiano, commercial director of global cybersecurity services at Rockwell Automation, said in a media statement. “Anticipating that stricter regulations and standards for reporting cybersecurity attacks will become commonplace, the market can expect to gain invaluable insights regarding the nature and severity of attacks and the defenses necessary to prevent them in the future.”

“The dramatic spike in OT and ICS cybersecurity incidents calls for organizations to take immediate action to improve their cybersecurity posture or they risk becoming the next victim of a breach,” according to Sid Snitkin, vice president for cybersecurity advisory services at ARC Advisory Group. “The threat landscape for industrial organizations is constantly evolving, and the cost of a breach can be devastating to organizations and critical infrastructure. The report’s findings underscore the urgent need for organizations to implement more sophisticated cybersecurity strategies.”

The Rockwell data also acknowledged that the U.S. government has recognized a growing number of incidents targeting the water and wastewater sector and has implemented emergency regulations in this and other critical infrastructure sectors. “Strengthening of reporting requirements by regulatory agencies is a global trend. Governments are compelling public and private entities to disclose incidents, data theft, and ransom payments. One such regulation in the European Union is the Directive on Security Network and Information Systems.”

The data also identified that phishing remains the most popular attack technique (34 percent), underscoring the importance of cybersecurity tactics such as segmentation, air gapping, zero trust, and security awareness training to mitigate risks. SCADA (supervisory control and data acquisition) systems are targeted in more than half of OT/ICS incidents (53 percent), with PLCs (programmable logic controllers) the next most commonly targeted at 22 percent.

Rockwell said that more than 80 percent of attackers come from outside the organization. “Insiders play an ‘indirect’ role in more than one-third of incidents. The ‘indirect’ role insiders play is primarily becoming a victim of a phishing attack. Nearly 60% of attackers in this Cyentia research study come from nation-state affiliated groups. Many attacker identities and regional locations are hidden. Threat actors go to great lengths to conceal this information. The most common motives reported are politically or financially driven.”

Survey data showed that over 80 percent of events started with an IT system compromise. “This is attributed to increasing interconnectivity; most OT networks communicate with the outside world via an IT network. In addition, attackers increasingly leverage internet-facing systems such as human-machine interfaces (HMIs) and engineering workstation applications, which are prime targets.”

The report added that this underscores the importance of proper network architecture to support enterprise security in this era of rising industrial connectivity. “If you don’t set up networks properly, keep OT networks segmented and air-gapped, along with other best practices such as ongoing employee security awareness training – the potential for attack increases.”

Rockwell reported that in the U.S. and across Europe, there’s a rising regulatory focus on OT cybersecurity, especially for industries in critical infrastructure sectors. “Greater regulatory oversight means that industrial organizations should evaluate their current cybersecurity protections and any potential gaps to help them add more proactive protections that will better secure their operations against cyberattacks.”

Rockwell reported that OT/ICS security incidents are increasing in frequency every year. “Just a few years into the most recent decade, and we have already exceeded the number of incidents reported in the decade running from 1991-2000,” it added.

In 2022, industry reports indicated a 2,000 percent increase in adversarial reconnaissance targeting Modbus/TCP port 502, a commonly used industrial protocol, which could allow hackers to control physical devices and disrupt OT operations, Rockwell identified. “Event frequency data is likely to increase not only due to targeting but also because there are better detection tools and capabilities available to help identify cybersecurity incidents.”

Rockwell also disclosed that broader supply chains are impacted approximately 65 percent of the time. “A Japanese auto manufacturer suspended operations on 28 production lines across 14 plants, for at least a day after a key supply chain partner, a plastic parts and electronic components manufacturer, was hit by a suspected cyberattack.”

The report also identified that in OT, attackers most often attempt to directly impact industrial processes. “Many seek to disrupt operations for monetary gains, such as ransom payments, or for other outcomes involving economic or militaristic advantages. The number of U.S.-based threat actors attacking industrial organizations grew by 35 percent in 2022, driving an 87 percent increase in breaches over the same period.”

Also, attackers use lateral tool transfers, exploitation of remote services, and standard application layer protocols to manipulate an operator’s view, and in many cases, take control over specific OT processes. “‘Manipulation of View’ and ‘Manipulation of Control’ are the top two methods used to impact ICS environments. The numbers here are directly tied to the incidents analyzed in this study,” the report disclosed.

Rockwell urged organizations to get started with strengthening their OT cybersecurity by focusing on defense-in-depth, including pulling from structures such as zero trust and the NIST Cybersecurity Framework; secure remote access, through stronger passwords and multifactor authentication; and monitoring for threats 24/7. It also recommends segmenting IT and OT to make the most of firewall configurations that will help keep IT attacks from bleeding into OT environments, and continuously training internal staff to keep up with the latest phishing scams and how to avoid them.
