Waterfall 2023 Threat Report detects OT cyberattacks with physical consequences increasing exponentially

OT security company Waterfall Security Solutions reported 57 OT-related cyberattacks on industrial systems out of 218 incidents in 2022, which caused physical consequences in the real world. The data shows that industrial cybersecurity has transformed from a mostly theoretical problem last decade to a very real and rapidly growing problem this decade. Most of these attacks deploy ransomware, though the report identifies that hacktivists are increasing their activities.

Over the past year, there has been a 140 percent increase in the number of cyber attacks with over 150 industrial operations affected. According to company projections, if this growth rate continues, there could be up to 15,000 industrial sites shut down due to cyber attacks within the next five years. It also added that most of these were ransomware-style attacks that encrypted computers and data on IT networks, but also had consequences for OT (operational technology). 

“Hacktivist attacks that deliberately cause physical consequences are increasing – 2022 saw six such attacks, the largest of any year in history,” according to the report created by Waterfall Security, in cooperation with ISSSource and their ICSStrive OT incident repository. “Of the remaining attacks, the vast majority are ransomware, and in most ransomware attacks, only the IT network was impaired, not the OT network. Nonetheless, in all ransomware attacks we track, there were physical consequences, either because physical operations relied on crippled IT systems for minute-by-minute operations, or because ransomware victims did not trust the strength of their OT security systems and so shut down operations ‘in an abundance of caution,’” it added.

The Waterfall-ICSSTRIVE report disclosed that the transportation industry suffered the greatest number of attacks this year, with many of those attacks involving OT dependencies on IT systems. It also noted that the U.S. TSA (Transportation Security Administration) has issued new directives for rail that mirror its 2021 pipeline directives, and that many of the measures in these directives directly target IT/OT connections and IT/OT interdependencies.

The Waterfall-ICSSTRIVE report referred to large language-model-based tools, such as ChatGPT, which have the potential to enhance the capabilities of attackers in orchestrating cyberattacks with physical consequences. It also added that new regulations and legislation should be expected in many jurisdictions as cyber-attacks increasingly impact national security and the daily lives of citizens.

The Waterfall-ICSSTRIVE report also covered the new Cyber-Informed Engineering (CIE) strategy, which shows promise for developing an engineering body of knowledge for designing out cyber risk to physical operations and public safety. “The industrial security threat environment suffered a significant transformation after 2020 – attacks with physical consequences are now increasing exponentially. The US administration has already reacted to the first symptoms of this transformation by modifying their defensive strategies. Other authorities worldwide will have no choice but to follow suit in the years ahead,” it added.

Looking forward, the Waterfall-ICSSTRIVE report said it predicts that because of the steadily increasing number of critical infrastructure outages, governments in many jurisdictions will order critical infrastructure owners and operators to implement dramatically stronger cybersecurity measures. “Worse, we note that natural language artificial intelligence tools such as ChatGPT have the potential to enhance cyber attack capabilities and so materially accelerate the growth of cyber attacks with physical consequences.”

On the other hand, it added that “we also observe that the new Cyber-Informed Engineering initiative has the potential to materially improve the strength of OT security postures, even in the face of nation-state-grade ransomware and AI-powered cyber attacks.”

The Waterfall-ICSSTRIVE annual threat report focuses on discrete manufacturing operations that assemble many small parts into larger manufactured objects, such as automobiles or laptop computers. It also takes into account process industries operations that transform raw materials into a more usable form, such as mining or refining, and critical infrastructure that includes industrial operations that are essential for society to function such as transportation, power, and utilities.

The Waterfall-ICSSTRIVE report identified some of the year’s highest-profile and most noteworthy incidents. These included outages at widely known businesses, including fourteen of Toyota’s automobile manufacturing plants, twenty-three of Bridgestone Tire’s plants, and outages at Maple Leaf Foods and Macmillan Publishers. It also included flight delays for tens of thousands of air travelers in four separate attacks, and physical operations impacted in four attacks on metals and mining, with one of the attacks resulting in a fire and material equipment damage.

The report also covered malfunctions in the loading and unloading of cargo containers, fuel, and bulk oil for half a dozen seaports on three continents. It also included contributing to the bankruptcy of two victim organizations. “While none of these incidents made front page news the way we saw with the Colonial Pipeline incident in 2021, 2022 did see these high-profile critical infrastructure sites impacted with physical consequences,” it added.

While the core focus of the Waterfall-ICSSTRIVE report is physically consequential OT cyber incidents, several near misses are worth examining for deeper insights into the nature of threats to critical industrial infrastructure. The report defines near misses as cyber attacks that had the potential for physical consequences if the circumstances of the attack had been slightly different.

The six noteworthy near misses included Seliatino Agrohub, where in February hacktivists tried to spoil 40,000 tons of frozen meat products in the Moscow region by changing temperature setpoints from -24 to +30 °C; the attack was detected by operations, the settings were restored, and the networks were disconnected.
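The Seliatino Agrohub near miss was caught by operators noticing a setpoint that made no engineering sense for a freezer. The following added example (not code from the report or from Waterfall) shows what an automated version of that check looks like: a monitor that reads setpoint-change records from a historian or controller audit log and flags writes that leave the engineered range, jump further than a single legitimate adjustment should, or hit many zones within a short window. The zone names, temperature limits, window and sample records are constructed assumptions for illustration.

```python
"""Setpoint-change monitor for cold-storage controllers (added example).

Constructed audit records modelled on the Seliatino Agrohub near miss, in
which freezer setpoints were rewritten from -24 to +30 C. Zone names,
engineering limits and the records themselves are assumptions, not data
taken from the Waterfall-ICSSTRIVE report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class SetpointChange:
    ts: datetime
    zone: str
    old_c: float
    new_c: float
    source: str  # HMI station or account that issued the write (for triage)


@dataclass(frozen=True)
class Limits:
    low_c: float       # lowest setpoint that is physically sensible
    high_c: float      # highest setpoint that is physically sensible
    max_step_c: float  # largest change a single legitimate write should make


# Assumed engineering limits for frozen storage: -30 to -18 C, 3 C per write.
FROZEN_LIMITS = Limits(low_c=-30.0, high_c=-18.0, max_step_c=3.0)


def check_change(chg: SetpointChange, limits: Limits) -> list[str]:
    """Return the reasons a single setpoint write violates the limits."""
    reasons = []
    if not limits.low_c <= chg.new_c <= limits.high_c:
        reasons.append("out_of_range")
    if abs(chg.new_c - chg.old_c) > limits.max_step_c:
        reasons.append("step_too_large")
    return reasons


def find_burst(changes: Iterable[SetpointChange],
               window: timedelta = timedelta(minutes=5),
               min_zones: int = 3) -> list[str]:
    """Return zones involved in any run of >= min_zones distinct zones
    rewritten inside one window, the signature of a mass setpoint change."""
    ordered = sorted(changes, key=lambda c: c.ts)
    flagged: set[str] = set()
    for i, first in enumerate(ordered):
        zones = {c.zone for c in ordered[i:] if c.ts - first.ts <= window}
        if len(zones) >= min_zones:
            flagged |= zones
    return sorted(flagged)


def evaluate(changes: list[SetpointChange], limits: Limits) -> dict:
    """Per-write limit violations plus any burst of multi-zone rewrites."""
    violations = [(c.zone, c.source, check_change(c, limits))
                  for c in changes if check_change(c, limits)]
    return {"violations": violations, "burst_zones": find_burst(changes)}


# Constructed sample: one routine adjustment, then a rapid rewrite of four
# zones, three of them to +30 C and one by a larger step than allowed.
T0 = datetime(2022, 2, 10, 2, 0)
SAMPLE_CHANGES = [
    SetpointChange(T0, "A", -24.0, -22.0, "hmi-01"),
    SetpointChange(T0 + timedelta(minutes=70), "B", -24.0, 30.0, "eng-ws-7"),
    SetpointChange(T0 + timedelta(minutes=71), "C", -24.0, 30.0, "eng-ws-7"),
    SetpointChange(T0 + timedelta(minutes=72), "D", -24.0, 30.0, "eng-ws-7"),
    SetpointChange(T0 + timedelta(minutes=73), "E", -23.0, -19.0, "eng-ws-7"),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_CHANGES, FROZEN_LIMITS)
    for zone, source, reasons in result["violations"]:
        print(f"ALERT zone={zone} source={source} reasons={','.join(reasons)}")
    if result["burst_zones"]:
        print("ALERT mass setpoint change across zones:", result["burst_zones"])
```

The range check alone would have caught a +30 °C freezer setpoint; the step and burst checks exist for the case where an attacker stays inside the range but moves many zones at once or further than an operator would in one write. Alerts carry the issuing station so the response team can tell a mis-keyed operator entry from writes coming from an unexpected host.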

In April, seven Indian State Load Despatch Centres (SLDCs) faced an eight-month-long, Chinese state-sponsored attack on load distribution centers in the Ladakh region that ultimately failed, amid an ongoing border dispute between the two nuclear powers. Also in April, ESET and CERT-UA determined with high confidence that Unit 74455 of Russia’s GRU (a.k.a. Sandworm) had targeted high-voltage substations in Ukraine with Industroyer2 malware, but the attack was detected and stopped while in progress.

In July, DTEK’s Kryvorizka Power Plant faced a combined kinetic and cyber attack on Ukraine’s grid, in which Russian missile strikes and an attempted cyber attack by the threat group XakNet on the plant’s OT network ultimately failed to destabilize the grid. In August, the Cl0p ransomware gang breached IT and OT systems at South Staffs Water in the UK but, in a strange mix-up, attempted to double-extort Thames Water, elsewhere in the country. Neither water utility suffered OT consequences.

In October, the Secretariat of Infrastructure, Communications and Transportation (SICT) faced a cyber attack that shut down IT systems at Mexico’s agency that licenses commercial truck operators, threatening to impair international trade and halt operations for truckers with expiring permits. An emergency decree extending all permits and papers to December 31, and the subsequent lack of media reports on the issue, suggest the issue was resolved by the New Year.

The Waterfall-ICSSTRIVE report said that in 2022, 42 ransomware attacks were identified with physical consequences in discrete manufacturing, process industries, and industrial critical infrastructure. “That is nearly as many as the 47 such attacks in all previous study years combined (2010-2021). Of the known ransomware attacks in 2022, 17 (40%) are attributed to a known ransomware type or group. Attribution by the numbers was (6) by BlackCat or ALPHV; (2) each by Conti, LockBit, Hive, and Black Basta; and (1) each to Black Byte, RansomEXX, and LV,” it added.

The report added that most ransomware attacks covered caused operational shutdowns not deliberately, but because either IT systems that were essential to the continued operation of OT systems were crippled by the attack, or because the victim organization chose to shut down operations to prevent the spread of ransomware to those systems in ‘an abundance of caution.’

Transportation, discrete manufacturing, and food and beverages are 2022’s top three victim-targeted industries, the same as the previous year. One possible reason for this distribution is that ‘discrete manufacturing’ is not one industry but many, and market research suggests that there are at least as many discrete manufacturing sites on the planet as the sum of all critical industrial infrastructure and process manufacturing sites. It is therefore perhaps not surprising that this collection of industries suffers a comparable fraction of outages due to cyber attacks. 

The report also identified another factor contributing to industry targeting may be IT/OT interdependencies. “In the transportation industry, IT systems are often essential to minute-by-minute operations, because it is the IT systems that track packages, containers, and contents. In a large fraction of ransomware attacks, IT networks are the first networks compromised, and the first networks whose contents and systems are encrypted and impaired. Thus, industries whose physical operations and OT automation systems are heavily dependent on IT systems are more likely to suffer physical consequences when ransomware enters their IT networks,” it added. 

The Waterfall-ICSSTRIVE report identifies key takeaways that reveal an increase in attack sophistication, thus highlighting the need for increased security, new perspectives on security, and new approaches to implementing cybersecurity measures. It also identifies IT dependencies in OT, as it has become clear that it can be very difficult to eliminate all OT dependencies on IT systems.

“However, we cannot simply ignore any dependencies that must remain. Instead, we must recognize that IT systems that are essential to continued physical operations are in fact reliability-critical components. These reliability-critical systems may be hosted on the IT network instead of the OT network but must be managed and secured as if they were OT systems,” the report added.

The report also pointed to the dependencies on external systems and suppliers. “If a supplier cannot deliver goods or services essential to physical operations at a manufacturer or other industrial operation, then the affected operation must shut down. And if a supplier or cloud services provider with connections into a manufacturer is compromised, then again that manufacturer and in fact every industrial operation with connections to that compromised provider risks an ‘abundance of caution’ shutdown. Whether a client of the compromised supplier or service shuts down depends of course on the strength of cybersecurity at each client.”

Providing predictions, the Waterfall-ICSSTRIVE report included the use of artificial intelligence for stage 2 in the ICS cyber kill chain, enhanced global response and legislation, and the emergence of engineered cybersecurity, such as the publication of the Department of Energy’s Cyber-Informed Engineering (CIE) Strategy.

There exists increased globalized exposure to ransomware attacks which will continue to define the OT cyber threat landscape. In 2022, ransomware disrupted operations directly by targeting ICS (industrial control systems) mechanisms across organizations, vendors, and subsidiaries from various industries, with its frequency increasing. 

Multiple factors, such as escalating geopolitical tensions, the introduction of Lockbit Builder, and the continued growth of the RaaS model, have been identified as contributing to the increasing ransomware activity that is impacting industrial organizations and will continue to affect the threat landscape. Last year, RaaS also continued to grow as an attack vector with an even greater impact on ICS and OT environments.
