As we approach the halfway mark of 2023, now is a good time to reflect on the cyber security events of 2022 and see if we have learned from past experiences.
2022 was a difficult year for cyber security, and the world’s geopolitical troubles only compounded the risks. Organisations around the globe, including in Australia, were greeted with stark reminders of how cyber attacks can impact critical industrial systems as easily as IT networks.
Ransomware ramped up
Last year saw a new type of malware attack modular industrial control systems (ICS), with the capability to impact devices that control critical infrastructure, including devices that manage energy and water supply systems.
If a ransomware attack disrupts production at a power or manufacturing plant, then it can be seen as a supply chain risk with flow-on effects for the wider economy. For example, we witnessed the first attacks against the mining and metals industries in Australia and New Zealand.
The scale and type of attacks escalated in 2022, with ransomware attacks against industrial organisations increasing 87 per cent over 2021. Moreover, 72 per cent of all ransomware attacks targeted 437 manufacturing entities in 104 unique manufacturing subsectors.
In addition to new malware, at least two new ransomware threat groups formed in 2022, each focused on extorting money or disrupting geopolitical adversaries.
The huge lesson of 2022 is that ransomware is here to stay, and it is likely to only get worse in 2023 and beyond.
Australian organisations can no longer wait until an attack strikes; they must be on the front foot to properly mitigate the ransomware risk.
Combatting industrial cyber threats
The rise of cyber attacks on critical infrastructure is now a sobering reality, but that doesn’t mean we can’t be more proactive in how we prevent attacks in the first place.
In the case of ransomware, there are numerous variants, but in most cases, they rely on similar threat behaviours.
Importantly, ICS technology involves different device types and communication protocols, so defences should be built around the tactics, techniques, and procedures (TTPs) specific to the threat groups that target those systems.
TTPs can be aligned to an ICS cyber “kill chain”, which organisations can utilise as the input for data collection requirements in a collection management framework. This approach can identify the sources of data that can be used to detect the TTPs of an identified threat scenario.
For example, the reuse of valid accounts and stolen domain accounts can be mitigated with better credentials management.
The earlier in the kill chain that an attack is detected, the more options organisations have to respond and recover before the attack leads to consequences in the industrial process.
In addition to the need to improve processes, 2022 also served as a reminder of other root-cause problems, such as poor-quality passwords, which still exist in the OT environment.
Last year Dragos, the industrial cyber security expert, shed light on a slightly different avenue of attacks in ICS — gaining access to industrial equipment by cracking operator passwords.
The root causes are protocols lacking authentication on critical functions and undocumented protocol commands. Building authentication into the protocol and removing unnecessary and overly privileged commands will mitigate these issues.
Double-check disclosure notices
In recent years there has been good progress globally to highlight and even mandate the disclosure of data breaches.
Disclosure is important; however, advisories can contain errors, and research carried out by Dragos found that 34 per cent of advisories contained errors in 2022. Furthermore, 30 per cent of the advisories analysed during 2022 had no patch, and 77 per cent contained no mitigation from a vendor.
Vendors often do not provide mitigations for asset owners and operators if they cannot patch the identified vulnerability.
The good news is that the rate of advisories with no other mitigation fell in 2022, and over the years, the growth in mitigations shows that vendors and ICS-CERTs are getting better at generating mitigations.
Carry forward the lessons of 2023
In 2023, cybercriminals will continue to show more interest in vendors and suppliers because of their interconnectivity with downstream customers, the criticality of their operations and their reach into numerous operational technology environments. This often results in higher or more frequent ransom payouts.
It’s for these reasons that we need to learn from past years and continuously improve processes and detection technology in 2023.
To learn more about the Dragos ICS cyber security discoveries made in 2022, please visit our website and download the 2022 Year in Review.