Three-quarters of industrial firms suffered a ransomware attack in the past year, with far more compromises affecting operational technology (OT) than ever before — representing a surge in attacks driven by both the industrial sector's vulnerability and propensity to pay ransoms in order to remain operational.
In the past 12 months, more than half of industrial firms (54%) suffered a ransomware attack that impacted their operational technology, whether directly or because a linked IT system had been attacked, according to a report released by cyber-physical defense company Claroty on Dec. 6. The impact of the attacks on OT systems is a notable increase from the firm's last report in 2021, when 47% of companies had ransomware impact their operations.
Indeed, attacks on industrial firms and critical infrastructure providers have become downright common. The Aliquippa Municipal Water Authority, located in Pittsburgh, recently suffered a site defacement after an Iranian-linked threat group known as Cyber Av3ngers forced it to shut down a water-pressure monitoring system and changed the site's landing page. That incident turned out to be part of a wider spate of cyberattacks on water facilities across the US that started in late November. But it's not just utilities in the sights: in February 2022, tire maker Bridgestone had to shut down its manufacturing networks for several days after the LockBit 2.0 ransomware group successfully breached its network.
While the Claroty survey shows that direct targeting of OT systems remained consistent over the two time periods, more than a third of companies (37%) suffered attacks that affected both IT and OT systems in 2023, a significant increase from the 27% of organizations that suffered dual-impact attacks in 2021, says Grant Geyer, chief product officer at Claroty.
"The numbers — as astounding as they were last year — they continue to not only show the severity of the problem, but the fact that it's an extremely viable business model and puts operations at risk, not just IT," he says. "Because so many OT systems are Windows-based, the ransomware often spills over from the IT environment into the OT environment, because of poor or no segmentation."
While the number of ransomware incidents against industrial firms has increased, they consistently account for a third of all attacks. Source: NCC Group.
Overall, the industrial sector has remained the top ransomware target every month for the past year, according to data from the NCC Group, a cybersecurity services firm. Ransomware attacks were up 81% in October, compared to the same month the previous year, and attacks on the industrial sector routinely represent a third of all ransomware incidents.
Threat activity has also increased overall because of recent geopolitical conflicts, leading to industrial attacks by both state-sponsored actors and hacktivists, says Sean Arrowsmith, head of Industrials for the NCC Group.
"The ability to disable and/or cripple energy infrastructure can result in limited to no access for its consumers, adding to the instability and chaos that war and conflict bring," he says. "These acts of sabotage play into the all-important power dynamics of international security issues."
Industrials to Attackers: "Hey, We'll Pay"
One reason for the attractiveness of attacking industrial companies: disruptions to operations result in a greater likelihood of paying ransoms. Typically, companies' propensity to pay ransoms depends heavily on their revenue — smaller companies pay up 36% of the time, instead relying on backups, while larger companies pay 55% of the time, according to Sophos' annual State of Ransomware report.
Meanwhile, victims in the industrial sector pay a whopping two-thirds (67%) of the time, according to Claroty's Global State of Industrial Cybersecurity 2023 report.
"You have to look no further than the fact that two-thirds of organizations are paying the ransom to recognize why so many organizations are being attacked," Claroty's Geyer says. "Operational outages put CIOs between a rock and a hard place, and force them to make these untenable emotional decisions."
Third parties are another weakness that companies reliant on OT — such as industrial firms and utilities — need to address.
All Top-10 energy firms in the United States, for example, had a third-party provider that suffered a compromise in the past 12 months, leading to a breach of their business, according to security metrics firm SecurityScorecard. While only 4% of the nearly 2,000 third-party providers tracked by the firm suffered a direct compromise, that led to 90% of energy firms worldwide dealing with the fallout of those breaches over a year.
Case in point, the MOVEit breach alone affected hundreds of energy firms, according to Rob Ames, staff threat researcher at SecurityScorecard.
"This sort of claim of a breach and then threatened data exposure is becoming a more-and-more central part of the exposure of the extortion attempt, rather than the actual deployment of ransomware properly," he says. "I would say that extortion attempts that rely more on claimed exposure, rather than actual encryption is a trend, and, of course, still financially motivated."
More Government Help Necessary for OT Security
Many water utilities and other critical infrastructure firms are small, local companies, or operated by towns and counties. As such, they tend to be behind on deploying cybersecurity. Case in point: two years after the ransomware attack on Colonial Pipeline, critical infrastructure owners are still not ready to protect against ransomware, often because the economics does not add up, says Claroty's Geyer.
"Free-market forces in certain segments can't economically drive change to some of these least protected/most vulnerable aspects of our society," he says. "And this is the opportunity for whole of government to step in and not just drive regulation, but drive funding to help ensure that many of these entities under-invested in cyber — what we call 'target rich, cyber poor' sectors — are properly defended."
Companies do not need to have deep expertise in-house, but should focus on visibility, planning, and incident response exercises, says NCC Group's Arrowsmith.
"Develop a robust incident-response plan for IT and OT, then rehearse and drill that plan so all stakeholders are clear on roles and responsibilities," he says.