Dragos assesses that European industrial infrastructure lack asset visibility, face distinctive threats

Industrial cybersecurity company Dragos assesses with high confidence that the biggest cybersecurity weaknesses European industrial infrastructure asset owners currently face are a lack of asset visibility into their networks and weak network authentication policies. In addition, the company gauges with low confidence that Europe is at low risk of localized or small-scale disruption or destruction, as motivated state-executed adversaries may perform low-stakes operations when deemed politically or economically advantageous.

“Europe’s Industrial Infrastructure cyber landscape faces distinctive threats, both from Dragos-tracked Activity Groups and cyber criminals,” Anna Skelton, a senior intelligence analyst at Dragos, wrote in a company blog post on Tuesday. “The high interdependence yet independently managed and operated nature of industrial operations across Europe present a unique regional systematic risk where a threat to one European country is a threat to operations in other countries,” she added.

Industrial infrastructure refers to industrial operations that provide necessary functions to support humanitarian, economic, and other civil functions, including food production, water and wastewater management, energy production, and transportation. The classification helps differentiate industrial operations from what is traditionally overly generalized and ambiguously described as ‘critical infrastructure.’

Dragos further assessed in a white paper with high confidence that adversaries threaten European industrial infrastructure presently and into the next 12 months. In addition, increasing regional tensions will likely result in industrial operations being impacted by criminals and other adversaries. Of particular concern are geographically dispersed industrial operations such as renewable electric generation, electric transmission, upstream and midstream oil and gas, water and wastewater management, etc.

The Hanover, Maryland-based company also expects an increase in ransomware attacks, especially those targeting small- to medium-sized manufacturing entities. The continued development of Activity Group (AG) techniques, tactics, and procedures (TTPs), and the high interdependence yet independently managed and operated nature of industrial operations across Europe present a unique regional systematic risk where a threat to one European country is a threat to operations in other countries. 

Activity Groups targeting energy entities are known to quickly weaponize and exploit vulnerabilities in internet-facing services, including Remote Desktop Protocol (RDP), VPN services, and network infrastructure, Dragos said. These include PARISITE, MAGNALLIUM, ALLANITE, XENOTIME, and VANADINITE.

New vulnerabilities revealed throughout 2021 impact critical network infrastructure services, including F5, Palo Alto Networks, Citrix, and Juniper network devices, and are targets for adversaries, Dragos said. These vulnerabilities can enable adversaries to gain initial access to enterprise operations or pivot into industrial operational environments. Additionally, OT-specific devices and services vulnerabilities can introduce risk to the operating environment. 

As of February 2022, Dragos researchers assessed and validated 1301 advisories (3286 individual Common Vulnerabilities and Exposures) impacting industrial equipment worldwide. Of these, 216 advisories (483 individual Common Vulnerabilities and Exposures) directly impact Europe, as they are from vendors that European entities use, according to U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisories analyzed by Dragos vulnerability analysts. 

Of these Europe-specific vulnerabilities, 310 (64 percent) required an adversary to be on the network to exploit them. Additionally, Dragos found that 108 of these advisories could cause a loss of view and/or control within a compromised environment.
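The breakdown above (advisories from vendors actually in use, those exploitable only by an adversary already on the network, and those that could cause a loss of view or control) is a triage a defender can reproduce over their own advisory feed. The script below is an added example, not Dragos's method or data: the sample advisories are constructed placeholders, mapping CVSS attack vectors other than Network to "adversary must be on the network" is an assumption, and the priority tiers are a constructed ranking.

```python
"""Triage an ICS advisory feed into the same buckets the figures above use:
advisories from vendors actually in use, those that require an adversary
already on the network, and those that could cause a loss of view or control.
Added example; the advisories, the CVSS-based network-presence heuristic and
the priority tiers are constructed assumptions, not Dragos's method or data."""
import re

# Constructed sample feed. IDs and vendors are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "vendor": "VendorA",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "impact": {"loss_of_control"}},
    {"id": "ADV-EXAMPLE-002", "vendor": "VendorA",
     "cvss": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "impact": {"loss_of_view"}},
    {"id": "ADV-EXAMPLE-003", "vendor": "VendorB",
     "cvss": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "impact": set()},
    {"id": "ADV-EXAMPLE-004", "vendor": "VendorC",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "impact": {"loss_of_control"}},
    {"id": "ADV-EXAMPLE-005", "vendor": "VendorB",
     "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "impact": set()},
    {"id": "ADV-EXAMPLE-006", "vendor": "VendorA",
     "cvss": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
     "impact": {"loss_of_view", "loss_of_control"}},
]

CVSS_RE = re.compile(r"^CVSS:3\.[01]/(?P<metrics>(?:[A-Z]+:[A-Z]/?)+)$")
VIEW_OR_CONTROL = {"loss_of_view", "loss_of_control"}


def parse_cvss_vector(vector):
    """Split a CVSS v3.x vector string into a metric -> value dict."""
    match = CVSS_RE.match(vector)
    if not match:
        raise ValueError(f"unrecognised CVSS vector: {vector!r}")
    metrics = dict(part.split(":") for part in match.group("metrics").split("/"))
    if "AV" not in metrics:
        raise ValueError(f"vector has no Attack Vector metric: {vector!r}")
    return metrics


def requires_network_presence(vector):
    """Assumption used here: Adjacent, Local and Physical attack vectors mean the
    adversary must already be on (or at) the network; only AV:N counts as remote."""
    return parse_cvss_vector(vector)["AV"] in ("A", "L", "P")


def triage(advisories, vendors_in_use):
    """Keep advisories for vendors in use and count them the way the page does."""
    scoped = [a for a in advisories if a["vendor"] in vendors_in_use]
    summary = {"total": len(scoped), "network_required": 0, "remote": 0,
               "loss_of_view_or_control": 0}
    for adv in scoped:
        if requires_network_presence(adv["cvss"]):
            summary["network_required"] += 1
        else:
            summary["remote"] += 1
        if adv["impact"] & VIEW_OR_CONTROL:
            summary["loss_of_view_or_control"] += 1
    return scoped, summary


def priority_tier(adv):
    """Constructed ranking: loss of view/control weighs more than reachability.
    0 = remote + loss of view/control, 1 = on-network + loss, 2 = remote only, 3 = rest."""
    tier = 0 if not requires_network_presence(adv["cvss"]) else 1
    if not adv["impact"] & VIEW_OR_CONTROL:
        tier += 2
    return tier


def prioritised_ids(advisories, vendors_in_use):
    """Advisory IDs for vendors in use, most urgent first (stable within a tier)."""
    scoped, _ = triage(advisories, vendors_in_use)
    return [a["id"] for a in sorted(scoped, key=priority_tier)]


if __name__ == "__main__":
    _, summary = triage(SAMPLE_ADVISORIES, {"VendorA", "VendorB"})
    print(summary)
    print(prioritised_ids(SAMPLE_ADVISORIES, {"VendorA", "VendorB"}))
```

The vendor filter is what turns a worldwide feed into the "directly impacts Europe" subset described above; the tiering is one reasonable defender ordering (remotely reachable and able to remove view or control first), and the impact labels come from the analyst's assessment of each advisory rather than from the CVSS string.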

Skelton also said that increasing regional tensions are likely to result in industrial operations impacted by criminals and other adversaries. “Particularly of concern are geographically dispersed industrial operations such as renewable electric generation, upstream and midstream oil and gas, water and wastewater management, and electric transmission,” she added.

Ransomware remains a threat to Information Technology (IT) and Operational Technology (OT) environments, Dragos said. Ransomware attacks can disrupt production if OT is not properly segmented from the targeted IT systems. It added that these disruptions have led to significant financial loss, damage, and reputational damage in the European region.

Dragos-tracked Activity Groups target European entities with disruptive and destructive attacks. Even if not currently active, Dragos assesses with moderate confidence that these groups likely maintain this capability level should a situation that warrants such use recur.

While all private and public European industrial entities face a threat from ransomware operators, small- and medium-sized manufacturing firms in Italy, Germany, Austria, and Switzerland are at the highest risk of targeting, specifically by Ransomware-as-a-Service (RaaS) groups, due to a lack of IT/OT security and obscured asset visibility. 

The countries of Germany, Austria, Switzerland, and Italy (DAS+I) make up a significant portion of manufacturing in Europe; together, Germany and Italy account for 47 percent of sold production in Europe, according to Eurostat. Dragos analyzed Dark Web resources from Jun. 1 to Dec. 31. Dark Web site victim postings of DAS+I countries accounted for 56 of 79 postings involving European countries, or 71 percent of total European victims. Of these, 45 (80 percent) were in the manufacturing sector. 

The highest number of manufacturing subsector victim postings were for metal product manufacturing, Dragos said. RaaS families – Lockbit 2.0 and Conti – were responsible for 34 of the 56 attacks (61 percent). This trend is reflected globally. It added that many victim companies were of small- to medium-size with similar technology processes, presenting ripe targets for ransomware adversaries.

Dragos assesses with moderate confidence that ransomware operators will continue to target DAS+I countries, specifically manufacturing firms located in these countries, motivated by profit. While state-affiliated ransomware operations are challenging to prove, Dragos assesses with low confidence that this type of attack may occur in DAS+I countries and greater Europe.

Dragos said that oil and natural gas assets, including key regasification plants such as those located in Rotterdam, present a target for adversaries looking to disrupt the flow of oil & natural gas (ONG) energy into Europe. In addition, the U.K. electric sector is at risk of disruption by adversaries capable of carrying out coordinated attacks against multiple power stations. 

Since 2019, Dragos has assessed with low confidence that increased targeting of the European oil and gas sector is likely, specifically by groups including DYMALLOY and XENOTIME. Gasification and processing terminals in key areas, including the Isle of Grain and Rotterdam, demonstrate key dependencies that could significantly impact European LNG if successfully disrupted by adversary groups, Dragos said. If these facilities are deemed too impenetrable for adversaries to dedicate time and resources to targeting them, third-party suppliers of critical equipment, including the hydrogen used in the regasification process, may become attractive targets for adversaries due to the lower barriers to entry created by less mature security controls.

Dragos assesses with moderate confidence that as European oil and gas operations expand and markets become more competitive, the economic interests of states that rely on the oil and gas vertical (for instance, through state-owned oil companies) will likely generate more intrusions by groups like XENOTIME and DYMALLOY. All third-party connections should be thoroughly analyzed to ensure an attack on a third party can be cordoned off from key dependencies.

The transmission sector is also at risk due to the limited number of controlling parties, though these entities generally demonstrate a greater degree of defense in depth, Dragos identified. Public and private entities will continue to struggle with widely acknowledged threats to OT environments, including those brought by insiders, supply chain threats, intellectual property theft, and digital transformation. These threats may decrease as organizations invest in cybersecurity programs and progress in maturity. 

Dragos also said that European organizations face unique risks from political and economic threats abroad in both the near and far term. Historic adversary operations against industrial infrastructure in Europe have been well documented, including a unique case in which attempted intellectual property theft resulted in extreme operational impact.

The company also analyzed the unique layout of the U.K. energy sector, which naturally leads to a distinctive threat landscape. “While an attack against transmission assets would be most disruptive (specifically those of National Grid, which controls balancing for the U.K.), these organizations leverage a strong defense in depth at every level of the Purdue model to remain well guarded against adversaries. However, smaller distribution companies are less likely to have dedicated security staff and budgets,” it added.
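The two defensive points the report keeps returning to, that ransomware only reaches production when OT is not segmented from IT and that well-guarded operators enforce controls at every level of the Purdue model, come down to a policy that can be checked against observed traffic. The audit below is an added example, not Dragos's or any operator's code: the zone inventory, the allowed cross-zone services, and the flow records are all constructed for illustration. It also flags flows involving addresses missing from the inventory, which is the asset-visibility gap named at the top of the article.

```python
"""Audit observed network flows against a Purdue-model zone policy: enterprise (IT)
traffic must not reach supervisory or control zones directly, only via the industrial
DMZ and only on approved services, and any flow touching an address outside the
inventory is an asset-visibility gap. Added example; the zones, policy and flow log
are constructed for illustration and are not from Dragos or any real site."""
import ipaddress
from collections import Counter

# Constructed zone inventory, one subnet per Purdue zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),   # Levels 4-5: business IT
    "idmz": ipaddress.ip_network("10.2.0.0/24"),         # Level 3.5: industrial DMZ
    "site_ops": ipaddress.ip_network("10.3.0.0/24"),     # Level 3: site operations
    "control": ipaddress.ip_network("192.168.10.0/24"),  # Levels 0-2: HMIs, PLCs
}

# Constructed policy: (source zone, destination zone, destination port) allowed to cross zones.
ALLOWED = {
    ("enterprise", "idmz", 443),   # business users read the historian mirror in the iDMZ
    ("site_ops", "idmz", 1433),    # site historian pushes to its iDMZ replica (assumed)
    ("site_ops", "control", 502),  # Modbus/TCP from supervisory hosts only
}

OT_ZONES = {"site_ops", "control"}

# Constructed flow records in a simple key=value format (not a real export format).
SAMPLE_FLOWS = [
    "src=10.1.5.20 dst=10.2.0.10 dport=443 proto=tcp",
    "src=10.1.5.20 dst=192.168.10.15 dport=3389 proto=tcp",
    "src=10.3.0.5 dst=192.168.10.15 dport=502 proto=tcp",
    "src=10.2.0.10 dst=192.168.10.15 dport=502 proto=tcp",
    "src=172.16.0.9 dst=192.168.10.20 dport=44818 proto=tcp",
    "src=192.168.10.15 dst=192.168.10.16 dport=502 proto=tcp",
]


def zone_of(ip):
    """Map an address to its inventory zone, or 'unknown' if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed 'key=value' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "proto": fields["proto"]}


def audit_flow(line):
    """Return a finding dict for a policy violation, or None for an acceptable flow."""
    flow = parse_flow(line)
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    finding = {"line": line, "src_zone": src_zone, "dst_zone": dst_zone}
    if "unknown" in (src_zone, dst_zone):
        # An uninventoried asset on the plant network: visibility gap first, policy second.
        return {**finding, "severity": "high", "reason": "unknown_zone"}
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this cross-zone audit
    if (src_zone, dst_zone, flow["dport"]) in ALLOWED:
        return None
    if src_zone == "enterprise" and dst_zone in OT_ZONES:
        # IT reaching OT without passing through the iDMZ defeats the segmentation.
        return {**finding, "severity": "high", "reason": "it_to_ot_direct"}
    return {**finding, "severity": "medium", "reason": "unapproved_cross_zone"}


def audit(lines):
    """Run the audit over a list of flow records and return the findings in order."""
    return [f for f in (audit_flow(ln) for ln in lines) if f is not None]


def severity_counts(findings):
    """Count findings by severity, e.g. {'high': 2, 'medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for f in results:
        print(f["severity"], f["reason"], f["line"])
    print(severity_counts(results))
```

On the constructed log the audit reports an enterprise host opening RDP straight into the control zone, an iDMZ host speaking Modbus to a PLC outside the approved path, and an address nobody has inventoried reaching a controller; the approved historian and supervisory flows pass. In practice the zone table would be generated from the asset inventory, which is exactly why the inventory has to exist first.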

Dragos assesses with moderate confidence that groups that have previously targeted electricity operations in Europe, including XENOTIME and VANADINITE, are likely to demonstrate an interest in U.K. energy infrastructure; however, a direct attack is unlikely barring significantly heightened political tensions. Dragos also determines with low confidence that adversaries, whether state-affiliated or cyber-criminals, may target small energy distributors and power stations to cause disruption or demand ransom payments.
