Contributed to this research: Adam Laurie and Sameer Koranne.
Given the accelerating rise in operational technology (OT) threats, this blog will address some of the most common threats IBM Security X-Force is observing against organizations with OT networks, including ransomware and vulnerability exploitation. IBM will also highlight several measures that can enhance security for OT networks based on insights gained from the X-Force Red penetration testing team and X-Force incident response’s experience assisting OT clients with security incidents. These include a focus on data historian and network architecture, such as domain controllers.
OT is hardware and software that controls industrial processes, such as heavy manufacturing equipment, robotics, oil pipeline or chemical flows, electric utilities and water systems, and the functionality of transportation vehicles.
Typically, OT networks are segregated from information technology (IT) networks at organizations that have both. Email, customer transactions, human resources databases and other IT are separated from technologies that control physical processes. Even so, typical threats against IT networks have the potential to affect OT networks, particularly if segmentation is not effective or engineers decide to shut down the OT network as a precaution after an attack on the IT network, such as ransomware.
Threats to OT networks are arguably more dangerous than threats to IT networks because of the physical outcomes that can result, such as passenger vehicle malfunctions, explosions, fires and potential loss of life. A cyberattack with these outcomes becomes, in effect, a physical weapon.
Of all the attack types X-Force observes against OT organizations, ransomware is the leader. In fact, nearly one-third of all attacks X-Force has observed against organizations with OT networks in 2021 have been ransomware — a significantly higher percentage than any other attack type.
In many cases, ransomware attacks affect only the IT portion of a network. Yet, these IT infections can still have tremendous consequences for operations governed by OT networks. Research by X-Force and Dragos in late 2020 found that 56% of ransomware attacks on organizations with OT networks affected operational functionality in cases where the scope of impact was known. In many of these cases, OT networks were probably shut down as a precaution to prevent ransomware from spreading to OT networks or negatively affecting operations. This was the case in the high-impact ransomware attack on Colonial Pipeline that resulted in gasoline shortages in several U.S. states in May 2021.
In other cases, however, ransomware does make its way over to the OT portion of the network. Ryuk is the ransomware strain most …….