Dragos discloses surge in ICS-targeting adversaries aimed at industrial and manufacturing processes


Data released by industrial cybersecurity company Dragos shows a surge in security threats targeting industrial control systems (ICS), as well as in ransomware. These can disrupt industrial and manufacturing processes, and can even lead to Internet-exposed assets, intellectual property theft and industrial espionage.

Dragos publicly tracks five ICS-focused threats or activity groups that target manufacturing entities. These are Chrysene, Parisite, Magnallium, Wassonite and Xenotime. It also tracks other ransomware activities that are capable of disrupting operations by impacting resources such as logistics, fleet management and sales operations. Dragos categorizes activity groups by monitoring elements such as an adversary’s methods of operation, the infrastructure used to execute actions, and the targets that they focus on.

Intellectual property theft and industrial espionage are major threats to manufacturing entities, coming especially from what Dragos describes as “state-sponsored adversaries and malicious insiders,” it said in a blog post.

Dragos, headquartered in Hanover, Maryland, said earlier that the rise in cyber risks was caused by intrusions enabling information gathering and process information theft, and by disruptive cyberattacks that affect industrial processes.

Dragos data shows that in 2020 the number of publicly reported ransomware attacks on manufacturing entities more than tripled compared to 2019. As of October 2020, the company's researchers had assessed and validated 108 advisories containing 262 vulnerabilities impacting industrial equipment found in manufacturing environments, with close to half of the advisories describing a vulnerability that could cause a loss of view and/or loss of control within a compromised environment.

Among the vulnerabilities assessed by Dragos that impact manufacturing industrial equipment, 70 percent require access to the victim network to exploit, 26 percent require the attacker to have access to the vulnerable device itself, and 8 percent require the attacker to be on the LAN to facilitate exploitation.

Some of the tracked ICS-targeting activity groups (Parisite, Magnallium, Allanite and Xenotime) have previously targeted, or currently attempt to exploit, remote access technology or logon infrastructure. In July this year, U.S. security agencies NSA and CISA also recommended prompt and necessary measures to reduce exposure across operational technologies and control systems.

Ransomware is being used by both financially motivated operators and state-sponsored actors engaged in cyber operations targeting manufacturers.

Companies must also identify what distinguishes manufacturing IT/OT environments from traditional IT systems, stay up to date on recent ransomware attacks, and develop better knowledge and understanding of their systems when dealing with cyber risk.
