Dragos reports rise in vulnerabilities and ransomware, as ICS/OT systems digitally transform

2022.02.23

Industrial cybersecurity company Dragos reported that it assessed 1,703 ICS/OT common vulnerabilities and exposures (CVEs) from various sources, including independent researchers, vendors, and ICS-CERT, more than twice the number it assessed the previous year. In addition, the company found that 38 percent of ICS vulnerability advisories contained errors in the Common Vulnerability Scoring System (CVSS) score associated with the CVE.

In its fifth ‘ICS/OT Cybersecurity Year in Review 2021’ report, released on Wednesday, the company said that asset owners should consider this when making patching and mitigation decisions for their networks. Vulnerability advisories continue to lack the context and detail operators need to make risk-based decisions. Dragos also found additional mitigation strategies for the 69 percent of advisories that did not carry sufficient mitigation advice in 2021.

Thirty-five percent of the advisories could cause both a loss of view and a loss of control in OT systems. Further, Dragos found that 19 percent of advisories without a patch had no alternate mitigation, and 64 percent of advisories with a patch had no alternate mitigation advice, while only four percent of the advisories Dragos analyzed required immediate remediation. In 2021, 24 percent of advisories had no patch when announced, while 76 percent had a patch.

The year's vulnerabilities ranged “from the remote, persistent, and nearly ubiquitous risks like Log4j, the Windows zero-day vulnerability PrintNightmare, and industrial hardware rootkit-level vulnerabilities that allow attackers to compromise exposed devices,” Dragos said. These vulnerabilities underscore the fast-growing universe of persistent threats across all layers of the Purdue Model. They also highlight the complex nature of connected and networked components in operational technology (OT) and industrial control system (ICS) environments, it added.

“About 49 percent of the vulnerabilities this past year did relate to an ability to have a loss of view and a loss of control inside of the operational environment,” Robert M Lee, the company’s CEO and co-founder, said in a recent media discussion online. 

The Hanover, Maryland-headquartered company said that 2021 was a pivotal year for ransomware gangs and their affiliates, with ransomware emerging as the number one cause for compromises in the industrial sector. “Of all the industrial sectors in 2021, ransomware groups targeted the manufacturing industry more than any other, nearly twice as much as the other industrial groups combined,” it added. 

Analyzing industrial security trends during 2021, Dragos compiled data on ransomware from various sectors. It revealed that manufacturing accounts for 65 percent of all ransomware attacks, food and beverage comes in second place at 11 percent, and transportation takes third place with 8 percent of attacks.

Within manufacturing, Dragos found the most targeted subsectors were metal components (17 percent), automotive (eight percent) and technology (six percent). These are troubling trends when paired with the Dragos services team's finding that the manufacturing sector is often the least mature in its OT security defenses.

The maturity metrics covered four common findings: external connectivity to OT, shared credentials, poor perimeters and limited visibility. All four were present in over 70 percent of the engagements in the water, food and beverage, and wind sectors. “At least 50 percent of customers in all verticals had significant issues with both perimeter security and visibility inside of that perimeter,” Lee said.

Some ransomware adversaries impact OT indirectly when attacking enterprise IT, Dragos identified. Once adversaries achieve initial access and establish a foothold in critical enterprise IT systems, they can potentially move laterally into OT systems before executing ransomware. After compromising an organization, they demand a ransom in exchange for the keys to decrypt the victim's files. Often targets have little recourse to restore functionality to their systems, it added.

Two ransomware groups, Conti and Lockbit 2.0, caused 51 percent of the total ransomware attacks, with 70 percent of their malicious activity targeting manufacturing, Dragos said. “Conti dates to 2020, with recent confirmed attacks targeting CS Energy and Shutterfly. In June of 2021, Lockbit 2.0 retooled and now focuses on stealing data and extorting victims for financial gain by threatening publication of exfiltrated data if victims do not pay the ransom,” it added. 

Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations and OT environments, whether through the integration of OT process kill lists into ransomware strains, through flat networks that cannot stop ransomware spreading from IT into OT environments, or through operators shutting down OT environments in an attempt to stop IT ransomware from reaching OT systems.

The company assesses with low confidence that state-sponsored adversaries may leverage ransomware to mask their alternate operations, for theft of intellectual property including key OT schematic details, for reconnaissance of target networks, and for other Stage 1 components of the ICS Cyber Kill Chain. Dragos also assesses that ransomware actors’ extortion techniques will continue to grow in severity and intensity as adversaries deploy any means available to pursue their ransom payments.

Commenting on claims that ransomware attacks have scaled back in light of recent law enforcement efforts, Lee said he “would disagree with some of the public commentary I’ve heard from various government officials and others that based on the actions of the administration, we’ve seen a decrease in ransomware cases. I think there’s a decrease in people reporting it to the government, but not a decrease in actual cases. It continues to be a constant theme in our life getting called in,” he added.

Addressing the incident response plan, Dragos said that organizations should determine the root cause of the intrusion into the OT environment and develop a recommended course of action for the OT operations team to contain, mitigate, and eradicate it. During all steps, keeping the OT environment in a safe and reliable state is imperative, and running antivirus software on OT computer systems with the intent to remove malware neither helps analyze a threat effectively nor reliably removes it.

Given the complexity of remote access in OT environments, Dragos called on OT and ICS operators to know which remote access methods are in use and by whom, and to routinely audit and review access logs for any irregularities. “You should pay particular attention to remote access methods that do not have specific use cases or are overly broad. Often, remote access to the OT environments is persistent and there is no baseline understanding for what is and is not ‘normal vendor access,’” it added.
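The audit Dragos describes only works once a baseline of ‘normal vendor access’ has been written down: which account, from which address range, by which method, to which hosts, during which window. The script below is an added example for this article (not Dragos code) that encodes such a baseline and runs constructed remote-access log lines against it. The log format, account names, host names and the RFC 5737 documentation address ranges are all assumptions; every log line is constructed.

```python
"""Audit constructed OT remote-access log lines against a per-account baseline of
expected vendor access (allowed hours, allowed targets, allowed method, source range).

Added example for this article, not Dragos code. The log format, accounts, hosts
and address ranges are assumptions; the addresses are RFC 5737 documentation
ranges and the log lines are constructed.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed log format: one access event per line, key=value fields after an ISO-8601 UTC timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"target=(?P<target>\S+)\s+method=(?P<method>\S+)\s+result=(?P<result>\S+)$"
)

# Baseline per remote account: agreed access window (UTC hours), allowed targets,
# allowed access method and the vendor's source range. Anything outside it is an
# irregularity worth a ticket; it is not by itself proof of an intrusion.
BASELINE = {
    "vendor_acme": {
        "hours": (8, 18),            # 08:00-18:00 UTC, weekdays only
        "weekdays_only": True,
        "targets": {"hmi-01", "eng-ws-02"},
        "methods": {"vpn"},
        "src_net": ip_network("203.0.113.0/24"),
    },
    "vendor_beta": {
        "hours": (0, 24),            # 24x7 support contract
        "weekdays_only": False,
        "targets": {"historian-01"},
        "methods": {"jumphost"},
        "src_net": ip_network("198.51.100.0/24"),
    },
}


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def audit_event(ev):
    """Return the list of baseline deviations for one parsed event (empty means it conforms)."""
    findings = []
    profile = BASELINE.get(ev["user"])
    if profile is None:
        return ["unknown remote account"]
    start, end = profile["hours"]
    if not (start <= ev["ts"].hour < end):
        findings.append("outside agreed access window")
    if profile["weekdays_only"] and ev["ts"].weekday() >= 5:
        findings.append("weekend access for weekday-only account")
    if ev["target"] not in profile["targets"]:
        findings.append(f"unexpected target {ev['target']}")
    if ev["method"] not in profile["methods"]:
        findings.append(f"unexpected access method {ev['method']}")
    if ip_address(ev["src"]) not in profile["src_net"]:
        findings.append(f"source {ev['src']} outside vendor range")
    return findings


def audit_log(lines):
    """Return [(line, findings)] for every line that deviates from the baseline."""
    irregular = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            irregular.append((line, ["unparseable line"]))
            continue
        findings = audit_event(ev)
        if findings:
            irregular.append((line, findings))
    return irregular


# Constructed log lines (2021-11-03 is a Wednesday, 2021-11-06 a Saturday).
SAMPLE_LOG = [
    "2021-11-03T09:14:07Z user=vendor_acme src=203.0.113.7 target=hmi-01 method=vpn result=success",
    "2021-11-03T02:41:22Z user=vendor_acme src=203.0.113.7 target=hmi-01 method=vpn result=success",
    "2021-11-06T10:05:51Z user=vendor_acme src=203.0.113.9 target=plc-07 method=vpn result=success",
    "2021-11-03T11:30:00Z user=vendor_beta src=198.51.100.20 target=historian-01 method=jumphost result=success",
    "2021-11-03T11:31:44Z user=vendor_beta src=192.0.2.45 target=historian-01 method=rdp result=success",
    "2021-11-03T12:00:13Z user=svc_backup src=198.51.100.21 target=hmi-01 method=vpn result=success",
]

if __name__ == "__main__":
    for line, findings in audit_log(SAMPLE_LOG):
        print(line)
        for finding in findings:
            print("   -", finding)
```

The value is less in the checks themselves than in the baseline: an account with no agreed window, target set or method is exactly the ‘overly broad’ remote access the report warns about, and the first audit usually ends with the baseline being written rather than with an incident.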

In 2021, Dragos found that 86 percent of its services customers had limited to no visibility into their ICS environment. Full visibility is achieved when network and device logs are centralized and can be correlated across segments with network traffic analysis and asset inventories; only then can defenders see the full picture of what is occurring across their industrial assets and sites, it added.

Seventy-seven percent of Dragos’ services engagements in 2021 involved issues with network segmentation, a slight decrease from the previous year. In 2021, the share of engagements with external connections into OT more than doubled to 70 percent, which Dragos attributed to the high demand for remote access in the wake of the COVID-19 pandemic.

Lee said that he thinks “the larger public is generally unaware of just how connected these plants are, and sometimes a lot of the CEOs and boards of these companies are very unaware of how connected they are.”

In 2021, 44 percent of service engagements included a finding of shared credentials in OT systems, which Dragos said is the most common means of lateral movement and privilege escalation. However, the use of shared credentials between IT and OT varied significantly by vertical: it was ‘exceptionally rare’ in the electric sector, though frequently observed in the rail sector.

Dragos recommended that industrial organizations work towards building a more defensible architecture, strengthening OT monitoring capabilities and remote access authentication. The company also advised better prioritization of OT vulnerability management and continually improving the ICS/OT incident response plan by carrying out tabletop exercises and regularly exercising against real-threat scenarios with cross-disciplinary teams. 

Last week, Dragos entered into a public-private initiative with two key U.S. security agencies, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). The move will use the company’s Neighborhood Keeper technology across ICS/OT networks to strengthen security and visibility across the nation’s critical infrastructure installations.
