TXOne reports critical infrastructures face large-scale ransomware attacks, as 94% of IT security incidents impact OT

Data published Wednesday by Trend Micro’s OT security arm TXOne Networks identified a heightened frequency of cyberattacks on key industry suppliers in 2022, especially those in the energy and critical manufacturing sectors. It also disclosed that 94 percent of IT security incidents have also affected the OT (operational technology) environment as IT and OT become more integrated, and that the growing complexity of OT and a lack of visibility into third-party security capabilities are becoming serious security challenges for organizations.

TXOne data also found that several new Ransomware-as-a-Service (RaaS) operations with complete ecosystems, such as Black Basta, Pandora, and LockBit 3.0, emerged and adopted a ruthless multiple-extortion strategy, attacking vital departments in the critical manufacturing, energy, food and agriculture, and healthcare and public health industries.

In its annual report titled ‘Insights into ICS/OT Cybersecurity 2022,’ TXOne revealed that 93 percent of organizations have deployed at least one OT cybersecurity solution and 85 percent of organizations still plan to increase their OT security capabilities next year. Despite increased investment in OT security, 70 percent of organizations are still considering adopting IT security solutions for the OT environment, while a mere six percent of organizations have 100 percent of their Windows devices protected by endpoint security solutions. It also assessed that the future of OT security must be comprehensive, integrated, performant, and accessible.

“Organizations are all too slowly realizing that hacker attacks can disrupt production operations, seriously affecting productivity and requiring hours or even days to recover. Adversaries can use various extortion methods to steal sensitive business information, leading to data breaches, property loss, and violations that weaken customer trust and harm brand value,” TXOne reported. “In response to Industry 4.0 becoming a critical aspect of corporate competitiveness, management and cybersecurity leaders should prioritize OT network protection at the top of their cybersecurity strategy.”

The report also warned that the dangers of insufficient cybersecurity are at the door, and that organizations are due for a very rude awakening. “First, they need to learn that ICS/OT requires a different set of security solutions, skills, processes, and methods than IT. They need to build specific cyber defenses to manage OT/ICS security risks in order to protect our critical infrastructure and industries for the future,” it added.

TXOne assesses that RaaS operations continue to adopt the multiple-extortion model: destroying data, holding data for ransom, selling data on the dark web, and threatening customers or suppliers. “Overall, after the release of LockBit 3.0, we saw an increase in activity related to LockBit 3.0 in Q4 2022,” the report added. Ransomware is also adding anti-analysis measures that make it harder for researchers to analyze samples and that deepen the impact of an attack on organizations.

“Ransomware is using fast encryption methods and hardening tactics to evade detection and prevent attacks. For example, some use intermittent encryption that encrypts files in 16-byte increments, reducing the intensity of file I/O operations and avoiding statistical analysis and detection methods,” TXOne reported. “Hackers are also exploiting vulnerabilities (e.g., Log4j) and using legitimate Windows/Microsoft Defender tools to download malicious DLL files and encrypted Cobalt Strike payloads. They can also shut down specified services (e.g., antivirus, backup, Volume Shadow Copy Service, sql) and then implant the ransomware.”
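The intermittent-encryption point above is worth seeing in code. The following is an added example written for this page, not code from the TXOne report or from any ransomware family: it simulates the pattern the report describes (a 16-byte block encrypted, the bytes in between left untouched) on a constructed ASCII log file, then runs two detection checks over the result. The whole-file entropy check that many simple "is this file being encrypted?" heuristics rely on misses it, because a few hundred modified bytes barely move the statistic of a 128 KiB file; a windowed check that compares each 16-byte window against what can legitimately appear in that file type catches every touched block. The stride of one block per 4 KiB, the SHA-256-derived keystream (a deterministic stand-in for the AES/ChaCha-style keystreams real samples use), the fixed key, the thresholds and the sample log line are all assumptions made for the demo; the report's wording does not say how much of the file the real samples skip.

```python
"""Added example, not code from the TXOne report: simulate intermittent
encryption (16-byte blocks, most of the file untouched) and compare a naive
whole-file entropy check with a per-window, file-type-aware check.

Assumptions (illustrative, not taken from any specific ransomware family):
  * one 16-byte block is encrypted every STRIDE bytes;
  * the "cipher" is a SHA-256-derived keystream XOR, a deterministic stand-in
    for the keystream ciphers real samples use;
  * the victim file is plain ASCII text, so a window holding several
    non-text bytes is anomalous for that file type.
"""
import hashlib
import math
from collections import Counter

BLOCK = 16      # bytes encrypted per step (the 16-byte increment in the report)
STRIDE = 4096   # assumption: one block touched per 4 KiB of file
KEY = b"demo-key-not-secret"  # assumption: fixed key so the run is reproducible


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def intermittent_encrypt(plain: bytes, stride: int = STRIDE) -> bytes:
    """XOR one BLOCK-byte chunk per stride with a keystream; leave the rest alone."""
    buf = bytearray(plain)
    for off in range(0, len(buf), stride):
        end = min(off + BLOCK, len(buf))
        ks = hashlib.sha256(KEY + off.to_bytes(8, "big")).digest()[: end - off]
        for i, k in enumerate(ks):
            buf[off + i] ^= k
    return bytes(buf)


def naive_whole_file_check(data: bytes, threshold: float = 7.0) -> bool:
    """The statistic intermittent encryption is designed to slip past."""
    return shannon_entropy(data) >= threshold


def _is_text_byte(b: int) -> bool:
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def suspect_windows(data: bytes, window: int = BLOCK, min_bad: int = 3) -> list[int]:
    """Offsets of windows holding >= min_bad bytes that cannot occur in ASCII text.

    Stepping by one full window keeps the demo short; a production scanner
    would slide more finely, since the attacker's block boundaries are unknown.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        bad = sum(1 for b in chunk if not _is_text_byte(b))
        if bad >= min_bad:
            hits.append(off)
    return hits


def build_sample(size: int = 32 * STRIDE) -> bytes:
    """Constructed victim file: one ASCII log line repeated to the wanted size."""
    line = b"2022-11-03T10:15:42Z PLC-07 tag=flow_rate value=12.8 unit=m3/h status=OK\n"
    return (line * (size // len(line) + 1))[:size]


def demo() -> dict:
    """Run both checks on the clean and the intermittently encrypted file."""
    plain = build_sample()
    enc = intermittent_encrypt(plain)
    encrypted_blocks = list(range(0, len(plain), STRIDE))
    hits = suspect_windows(enc)
    return {
        "entropy_plain": shannon_entropy(plain),
        "entropy_enc": shannon_entropy(enc),
        "naive_flags_encrypted": naive_whole_file_check(enc),
        "encrypted_blocks": len(encrypted_blocks),
        "windows_flagged": len(hits),
        "false_positives": [h for h in hits if h not in encrypted_blocks],
        "clean_file_hits": suspect_windows(plain),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical caveat is that the windowed check only works because the expected byte distribution of the file type is known. Compressed or already-encrypted formats (archives, images, databases with encrypted pages) have high-entropy regions of their own, so a detector needs a per-type baseline, or should key on write patterns (many small writes at a fixed stride across many files) rather than on content alone.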

In 2022, supply chain attacks on major sectors skyrocketed, and the energy and critical manufacturing industries face an exceptionally high risk of supply chain attack. “Of the supply chain attacks TXOne grasped in 2022, 24% were in the energy sector and 24% in critical manufacturing. Automotive factories made up most of them due to automation growth in this area. The energy sector is escalating risk due to threats from geopolitical conflicts and the vulnerability of interdependencies with other sectors,” the report added.

TXOne also flagged the rise of automated manufacturing in the automotive industry. As more and more car manufacturers automate their plants, measures to mitigate supply chain attacks will become a matter of do-or-die for these factories in the future.

Analysis of global critical infrastructure attacks in 2022 shows that the energy sector accounted for 31 percent of all incidents, making it the most targeted industry, primarily due to increased connectivity between the OT systems of power grids and wind farms with IT systems, enabling attackers to gain access and control these systems. “The industry is facing new security challenges, and concerns are growing over rapidly accelerating emerging threats.” 

The report also pointed out that in the second half of 2022, critical infrastructure sectors experienced the highest number of known ransomware attacks among industries closely related to the ICS/OT environment. “For example, in August, the Clop ransomware group claimed to have compromised a British water supply company, attaining access to the internal network of the industrial control system, and disrupting the flow of water, as evidenced by the publication of the water plant’s HMI screen. Additionally, SEKOIA.IO reports that Conti, LockBit, and Hive are the RaaS strains that occur most frequently in Utilities, with Conti and LockBit each accounting for one-third of all attacks,” it added.

The report said that although outright war hasn’t been declared, the beginnings of technological warfare are well underway as radical hackers are already parlaying their skills to threaten national stability and the daily lives of civilians. “Due to the critical nature of national infrastructure, such as energy, transportation, and communication, a successful compromise could seriously impact a country. As such, critical infrastructure is a desirable target for state-supported or politically motivated attackers.” 

Given the interdependence of utility industries and the threat of APT and ransomware attacks on suppliers, TXOne highlighted that critical infrastructure industries are often interconnected, citing coal mining and transportation systems as an example of the interdependence between energy and transportation.

The TXOne report said that the concept of IT/OT convergence, which aims to integrate physical equipment and devices into the digital realm, is not new. However, it has only recently gained significant traction in the industry. Typically, a ‘successful digital transformation’ in the industry begins by identifying key use cases and then implementing them on a small scale in factories. During the process, data is shared, and the intelligence of IT systems is applied to the physical assets of OT systems to achieve new efficiencies, streamline operations, foster innovation, and introduce new services.

Availability is paramount in OT/ICS network architectures rather than confidentiality, and productivity is the primary consideration in most decision-making processes, TXOne reported. Therefore, the network architecture of OT/ICS is rarely designed with cybersecurity defense functions in mind and tends to be flat, creating common OT/ICS cybersecurity challenges. These include incomplete cybersecurity architecture, internal/supply chain threats, complex OT communication protocols, legacy operating systems, and IT cybersecurity solutions that are not suitable for OT environments.

The report also covered recent cybersecurity incidents that have prompted governments to reexamine their cybersecurity regulations and policies in order to prevent hackers from threatening urban power, and water supply, or stealing sensitive corporate or personal data. 

The rise in attacks targeting manufacturing and critical infrastructure highlights the gravity of OT attacks, emphasizing the need for security, TXOne reported. Businesses now understand that ransomware attacks can disrupt production line operations, seriously hinder productivity, and take hours or longer to recover. Hackers may use multiple extortion methods to steal sensitive corporate information, leading to data breaches, property damage, and violations that can erode customer trust and harm brand value. Therefore, as Industry 4.0 becomes a crucial aspect of corporate competition, corporate management and information security leaders should make the protection of the OT network a top priority in their information security strategies. 

In conclusion, TXOne anticipates that cybersecurity in 2023 will be increasingly complex and challenging, due to the emergence of numerous new RaaS offerings, such as Black Basta, Pandora, and LockBit 3.0, in 2022. As the RaaS business model and revenue streams mature, attacks on the energy and critical manufacturing sectors are likely to persist, with a significant impact on manufacturers of automobile-related products. With the drive towards the integration of IT and OT, an increasing number of automobile manufacturers are adopting automation in their manufacturing processes. 

Future measures to mitigate supply chain attacks will be key for these factories. Despite individual organizations having robust security, the vulnerabilities of third-party partners can still be exploited by attackers. Lack of visibility into the security capabilities of third-party partners was the primary challenge mentioned by organizations across all major countries/regions.

“We believe that for OT cybersecurity complexity, organizations’ security teams should have a higher level of specialized knowledge rather than copying IT solutions to the OT environment,” TXOne reported. “Organizations should prioritize OT proactive defense strategies including supply chain security, asset inspection, endpoint detection and threat intelligence, network segmentation, vulnerability management, patching, and continuous monitoring to prevent potential threats.” 

With OT zero-trust solutions that provide a superior baseline of protection by elevating the cybersecurity standards of the network and assets from the ground up, TXOne concluded, “we believe organizations can better respond to OT cyber threats that may arise in 2023.”