Contributed to this research: Adam Laurie and Sameer Koranne.
Given the accelerating rise in operational technology (OT) threats, this blog will address some of the most common threats IBM Security X-Force is observing against organizations with OT networks, including ransomware and vulnerability exploitation. IBM will also highlight several measures that can enhance security for OT networks, based on insights gained from the X-Force Red penetration testing team and X-Force Incident Response's experience assisting OT clients with security incidents. These include a focus on the data historian and on network architecture, such as domain controllers.
OT is hardware and software that controls industrial processes, such as heavy manufacturing equipment, robotics, oil pipeline or chemical flows, electric utilities and water and the functionality of transportation vehicles.
Typically, OT networks are segregated from information technology (IT) networks at organizations that have both. Email, customer transactions, human resources databases and other IT are separated from technologies that control physical processes. Even so, typical threats against IT networks have the potential to affect OT networks, particularly if segmentation is not effective or engineers decide to shut down the OT network as a precaution after an attack on the IT network, such as ransomware.
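The segmentation described above only holds if the firewall between zones actually limits cross-zone traffic to the paths the architecture intends. The following added example (not code from the article or from IBM) checks constructed flow records against a small zone policy with a DMZ-hosted historian as the only sanctioned IT-to-OT bridge; zones, addresses, ports and log lines are all assumptions.

```python
import ipaddress
import re

# Constructed zone layout: IT, a DMZ holding the data historian, and OT.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),  # data historian sits here
    "OT": ipaddress.ip_network("10.3.0.0/16"),
}

# Cross-zone flows the architecture intends: (src_zone, dst_zone, dst_port).
# IT reaches only the historian in the DMZ; the DMZ collector polls OT devices.
# Any other flow that crosses a zone boundary is a segmentation violation.
ALLOWED = {
    ("IT", "DMZ", 443),   # engineers query the historian over HTTPS
    ("DMZ", "OT", 502),   # historian collector polls Modbus/TCP
}

FLOW_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

# Constructed flow records, as a firewall between the zones might export them.
SAMPLE_FLOWS = """\
2021-06-01T10:00:01Z src=10.1.4.20 dst=10.2.0.10 dport=443
2021-06-01T10:00:02Z src=10.2.0.10 dst=10.3.7.5 dport=502
2021-06-01T10:00:03Z src=10.1.4.20 dst=10.3.7.5 dport=502
2021-06-01T10:00:04Z src=10.1.9.31 dst=10.3.7.9 dport=445
2021-06-01T10:00:05Z src=10.3.7.5 dst=10.1.4.20 dport=443
2021-06-01T10:00:06Z src=192.0.2.7 dst=10.3.7.5 dport=22
2021-06-01T10:00:07Z src=10.3.7.5 dst=10.3.7.9 dport=502
"""


def zone_of(addr):
    """Name of the zone containing addr, or None if it is in no defined zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flows(text):
    """Return (ts, src, dst, dport, reason) for every flow outside the policy."""
    violations = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # malformed record; a real pipeline would count these too
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            reason = "address outside every defined zone"
        elif sz == dz:
            continue  # intra-zone traffic is not a segmentation question
        elif (sz, dz, dport) in ALLOWED:
            continue
        else:
            reason = f"{sz}->{dz} on port {dport} is not an allowed path"
        violations.append((m["ts"], src, dst, dport, reason))
    return violations
```

Run against the sample, it flags the IT host talking Modbus and SMB straight into OT, the OT device initiating toward IT, and the address that belongs to no zone, while the two sanctioned historian paths pass.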
Threats to OT networks are arguably more dangerous than threats to IT networks because of the physical outcomes that can result, such as passenger vehicle malfunctions, explosions, fires and potential loss of life. A cyberattack with these outcomes becomes, in effect, a physical weapon.
Of all the attack types X-Force observes against OT organizations, ransomware is the leader. In fact, nearly one-third of all attacks X-Force has observed against organizations with OT networks in 2021 have been ransomware, a significantly higher percentage than any other attack type.
In many cases, ransomware attacks affect only the IT portion of a network. Yet, these IT infections can still have tremendous consequences for operations governed by OT networks. Research by X-Force and Dragos in late 2020 found that 56% of ransomware attacks on organizations with OT networks affected operational functionality in cases where the scope of impact was known. In many of these cases, OT networks were probably shut down as a precaution to prevent ransomware from spreading to OT networks or negatively affecting operations. This was the case in the high-impact ransomware attack on Colonial Pipeline that resulted in gasoline shortages in several U.S. states in May 2021.
In other cases, however, ransomware does make its way over to the OT portion of the network. Ryuk is the ransomware strain most commonly observed by IBM as attacking the OT network.
In the fall of 2019, Ryuk ransomware actors hit at least five oil and gas organizations in what appeared to be part of a targeted campaign aimed at OT, specifically oil and gas entities. At least one of these organizations was a natural gas compression facility at a U.S. pipeline operator, as reported by the U.S. Coast Guard, according to a report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and analysis by Dragos.
A Maritime Safety Information Bulletin issued by the Coast Guard on Dec. 16, 2019, indicated that segregation between the pipeline organization's IT and OT networks was insufficient to prevent the attacker from reaching the OT environment. The report stated that after infecting the organization's IT network, the virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The bulletin further indicated that the attack disrupted camera and physical access control systems and resulted in the loss of critical process control monitoring systems.
X-Force Incident Response has similarly observed Ryuk affiliates cross over into OT networks in attack remediation and investigations, using methods similar to those observed by the Coast Guard.
In February 2021, a report by the French government noted that newer Ryuk variants have worm-like capabilities and can replicate autonomously across an infected network. X-Force malware analysis of a Ryuk sample in June 2021 substantiated these findings, similarly revealing these worm-like capabilities in newer Ryuk variants. X-Force analysis of Ryuk malware showed that samples were packed in loaders similar to those used in Emotet and Trickbot campaigns, and Emotet has been known to worm into OT networks in the past.
It is possible that the new worm-like characteristics of recent Ryuk ransomware samples will give the group a higher likelihood of worming into OT networks in future ransomware operations, particularly if robust segmentation is not in place.
X-Force Incident Response data reveals that, in 2021, vulnerability exploitation is the primary method attackers are using to gain unauthorized access to organizations with OT networks. In fact, vulnerability exploitation has led to a staggering 89% of incidents X-Force has observed at organizations with OT networks so far this year, where the initial infection vector is known.
In 2021, X-Force has also observed threat actors exploit CVE-2019-19781, a Citrix server path traversal flaw, to access networks at OT organizations. This was the most exploited vulnerability X-Force observed in 2020. The ease with which threat actors have been able to exploit this Citrix vulnerability and the level of access it provides to critical servers make it an entry point of choice for multiple attackers. We strongly recommend remediating this vulnerability if your organization has not done so already.
In some cases, OT organizations became victims of the Kaseya-linked ransomware attack, where exploitation of a zero-day vulnerability and a supply chain-esque operation became the initial infection vectors. In the Kaseya case, Sodinokibi/REvil ransomware operators exploited a zero-day vulnerability in Kaseya's VSA software (now known as CVE-2021-30116) to deliver a ransomware attack. This attack leveraged techniques that are more common to advanced nation-state actors, namely exploitation of a zero-day and a supply-chain propagation technique, which are uniquely difficult to defend against.
In a separate supply chain attack, multiple OT organizations reached out to X-Force for assistance in determining the extent to which the SolarWinds supply chain attack may have affected them. For some of the OT organizations impacted by the SolarWinds attack, original equipment manufacturers (OEMs) were the entry path, underscoring how attackers seek to exploit relationships of trust built between vendors and clients. The OEMs had access to the OT clients' networks to perform remote maintenance and were using compromised SolarWinds software across those remote connections.
Examples such as these highlight the significant risk to OT organizations from supply chain operations.
When it comes to OT network security, X-Force Red penetration testers have indicated that the data historian often provides a reliable pathway into an OT network. Compromising the data historian can often create opportunities to compromise the OT network. Thus, security teams should be careful not to overlook the data historian when identifying and shoring up potential weak points in their OT network.
A data historian is a type of time-series database designed to efficiently collect and store process data from industrial automation systems. It is used widely for OT networks, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks. Data historian was originally created for and continues to be used most commonly for identifying, diagnosing and remediating problems that might lead to costly downtime.
Adversaries that are able to gain access to the data historian then have access to data, analysis and information on control systems at that organization, useful for reconnaissance and further attack planning. In addition, the data historian can provide a pathway from the IT network into the OT network if it is dual-homed. Further, data historians tend to have extensive connections throughout OT networks, which can give an attacker an array of potential options for moving throughout an OT environment.
OT organizations can better secure the data historian by creating historian security groups, carefully defining who has access to these groups, closely monitoring accounts with access to ensure they are not stolen or abused, and implementing strong authentication measures. Organizations can also use electronic signatures and electronic records to demand authentication whenever a change is made to data or configurations in the data historian. In addition, placing the historian in a demilitarized zone (DMZ) can help segregate it from the OT network while still providing access from the IT network.
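To make the group-based access and electronic-record measures above concrete, here is an added example (not the article's code and not any historian vendor's API) of a minimal historian front end: only members of an admin security group may change tag configuration, every change produces an electronic record tied to the authenticated user, and the records are HMAC-signed and hash-chained so later tampering or deletion is detectable. The signing key, group membership, users and tag names are all constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed per-deployment secret; in practice held by the historian service.
SIGNING_KEY = b"constructed-historian-signing-key"

# Historian security groups (constructed). Admins may change configuration;
# readers, including an OEM remote-support account, may only read.
GROUPS = {
    "historian_admins": {"alice"},
    "historian_readers": {"alice", "bob", "oem_support"},
}


class HistorianAccessDenied(Exception):
    """Raised when the caller is not in the group the action requires."""


class Historian:
    def __init__(self, key=SIGNING_KEY):
        self._key = key
        self._tags = {}      # tag name -> configuration dict
        self.records = []    # append-only electronic records, hash-chained

    def _in_group(self, user, group):
        return user in GROUPS.get(group, set())

    def _sign(self, body, prev_sig):
        # Canonical JSON so the signature is stable; chaining on the previous
        # signature means a removed or reordered record breaks verification.
        msg = prev_sig + json.dumps(body, sort_keys=True)
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def read_tag(self, user, tag):
        if not self._in_group(user, "historian_readers"):
            raise HistorianAccessDenied(f"{user} may not read historian data")
        return self._tags[tag]

    def set_tag_config(self, user, tag, config, reason):
        # Every configuration change needs an authenticated admin and yields a
        # signed electronic record, so no change can happen silently.
        if not self._in_group(user, "historian_admins"):
            raise HistorianAccessDenied(f"{user} may not change tag {tag}")
        old = self._tags.get(tag)
        record = {"seq": len(self.records), "ts": time.time(), "user": user,
                  "tag": tag, "old": dict(old) if old else None,
                  "new": dict(config), "reason": reason}
        prev = self.records[-1]["sig"] if self.records else ""
        record["sig"] = self._sign(record, prev)
        self.records.append(record)
        self._tags[tag] = dict(config)
        return record

    def verify_records(self):
        """Recompute the chain; False if any record was altered or removed."""
        prev = ""
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "sig"}
            if body["seq"] != i:
                return False
            if not hmac.compare_digest(self._sign(body, prev), rec["sig"]):
                return False
            prev = rec["sig"]
        return True
```

A change attempted through the read-only OEM account is refused, and editing a stored record after the fact makes `verify_records()` return False, which is the kind of integrity check an auditor or SOC can run against the historian's change log.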
It is not uncommon to find companies creating and using enterprise data historians hosted within the IT infrastructure. With aggressive cloud adoption strategies and an increase in Industrial Internet of Things (IIoT) devices, companies have started implementing or moving these enterprise historians to cloud environments. Typically, these historians aggregate the data from site- and plant-specific data historians. This approach provides scalability and seamless integration with cloud-based storage and applications for secure information sharing, where needed. However, companies must ensure that they store the data safely without creating an opening for an attack.
MITRE has provided several additional risk mitigation measures to help secure data historian servers/databases, and IBM recommends reviewing those and implementing as many as possible.
Securing OT networks is more critical than ever. OT network defenders can implement a range of measures to decrease the chances of encountering a cyber incident on their OT network. Some of these measures are aimed at decreasing the risk of a ransomware attack, including Ryuk attacks, while others can assist in preventing a range of different attack types with the potential to weaponize OT networks.
Originally posted here:
The Weaponization of Operational Technology - Security Intelligence