
Security measures for OT environments such as factories and plants have recently been attracting attention. OT environments differ from IT environments in many ways, and IT security methods cannot simply be applied as-is, so it is necessary to consider the measures best suited to your company's own OT environment.

In this article, we summarize Dragos' OT cybersecurity review for 2023, "OT CYBERSECURITY THE 2023 YEAR IN REVIEW." By learning about trends overseas, where OT security measures are more advanced than in Japan, and about the threats that have actually been observed, we hope that not only companies about to start work on OT security, but also those already working on it, will find this useful in deciding which measures to prioritize.

Introduction

The OT cyber threat information Dragos publishes is referenced widely both in Japan and overseas. Dragos has the world's largest OT/ICS threat intelligence team; it tracks the threat groups and attack methods targeting the industrial sector and provides vulnerability assessment, incident response, and threat hunting services. Based on the knowledge gained from that work, the report describes the year's trends in OT security.

Rising cyber threats to industry

Recent international tensions and the growth of hybrid warfare have increased cyber threats. Three new threat groups targeting industry and OT emerged, bringing the total number of groups tracked by Dragos to 21, of which 10 were active in 2023. In the conflict between Ukraine and Russia, the threat groups ELECTRUM and KAMACITE were involved, and destructive malware targeting power facilities was confirmed. Attacks targeting OT were also observed in the conflict between Israel and Hamas, and targeted attacks against multiple industrial organizations increased in the Asia-Pacific region. These activities affect industry beyond the conflict areas themselves, and both new and old attack methods and tools are being tested there and then spread more widely.

Threat Group Trends

VOLTZITE (whose operations overlap with the Volt Typhoon activity reported by the US government and others) has been conducting espionage against the power, communications, and defense sectors, mainly in Guam and the United States, since 2021, and has recently expanded its activities to Africa and Asia. It is difficult to detect because it uses living off the land (LOTL) techniques to remain hidden inside targets for long periods. It gains a foothold at the network perimeter, moves into IT, escalates privileges, and moves laterally until it reaches OT environments. In a campaign in June 2023, it exploited Sierra Wireless Airlink devices.

Using its detection solution, the Dragos Platform, and its OT Watch program, Dragos analyzed the attackers' TTPs (Tactics, Techniques, and Procedures) and found evidence of activity targeting SCADA (Supervisory Control and Data Acquisition) information. The findings were converted into Indicators of Compromise (IOCs) and implemented in the Dragos Platform as detections.

For more information on other threat groups, see the full report.

Ransomware impacts OT

The number of ransomware incidents reported in 2023 was 905, an increase of 49.5% from the previous year. 77 ransomware groups were involved, of which 50 affected industrial sectors. LockBit accounted for 25% of incidents, followed by ALPHV and BlackBasta at 9% each.

Ransomware operators targeting OT also work with Initial Access Brokers (IABs) to gain initial access through phishing, compromise of VPN and RDP access, and exploitation of internet-facing assets. Dragos observed ransomware campaigns using the Citrix Bleed vulnerability (CVE-2023-4966) as the initial intrusion vector.

After intrusion, living off the land (LOTL) techniques that abuse legitimate tools such as PsExec and PowerShell have become the norm, so simple signature-based detection and firewalls alone are not enough to spot the threat. The Cl0p ransomware group was found to terminate OT-related processes running on Windows, so users of products from Honeywell, IBM, MITSUBISHI ELECTRIC Corporation, Rockwell, Schneider Electric, Siemens, and others should be aware of this behavior and watch for unexpected termination of those processes.
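The two behaviors above, LOTL use of PsExec and PowerShell and built-in tools being used to stop OT processes, are both visible in ordinary process-creation telemetry (Windows Security event 4688 or Sysmon event 1). The following detection logic is an added example written for this article, not code from Dragos or from the report. The process names in OT_PROCESS_WATCHLIST are placeholders for whatever your own HMI, historian and SCADA services are called, and the five events it runs over are constructed samples, not real telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record with the fields a Security 4688 or
    Sysmon EventID 1 event carries. Sample records below are constructed."""
    host: str
    user: str
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the parent process


# Illustrative watchlist of OT process names whose termination matters.
# Placeholders: substitute the real service names from your own asset inventory.
OT_PROCESS_WATCHLIST = ("hmi_runtime.exe", "historian_svc.exe", "scada_server.exe")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (command line is lower-cased first)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return the list of detection names this single event triggers."""
    alerts = []
    name = _basename(ev.image)
    parent = _basename(ev.parent_image)
    args = ev.cmdline.lower()

    # PsExec: the target side runs the PSEXESVC service binary, and any child
    # of it is a command that was launched from another machine.
    if name == "psexesvc.exe" or parent == "psexesvc.exe":
        alerts.append("psexec_remote_exec")

    # PowerShell started with an encoded command or an execution-policy bypass:
    # the usual shape of hands-on-keyboard tooling rather than a scheduled script.
    if name in ("powershell.exe", "pwsh.exe"):
        if (ENCODED_PS.search(args) or "-executionpolicy bypass" in args
                or " -ep bypass" in args):
            alerts.append("powershell_encoded_or_bypass")

    # Built-in tools used to stop OT processes or services (e.g. before encryption).
    if name in ("taskkill.exe", "net.exe", "net1.exe", "sc.exe"):
        for target in OT_PROCESS_WATCHLIST:
            if target[:-4] in args:          # match with or without the ".exe"
                alerts.append("ot_process_kill:" + target)
    return alerts


def run_detection(events):
    """Map each host to every detection fired across its events."""
    findings = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings.setdefault(ev.host, []).extend(hits)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ENG-WS01", "CORP\\jdoe", r"C:\Windows\PSEXESVC.exe",
              "PSEXESVC.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("ENG-WS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIABkAGkAcgAgAEMAOgBcAA==",
              r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("HMI-02", "OT\\operator", r"C:\Windows\System32\taskkill.exe",
              "taskkill /F /IM hmi_runtime.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("HMI-02", "OT\\operator", r"C:\Windows\System32\net.exe",
              "net stop historian_svc", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ENG-WS02", "CORP\\backup",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\nightly_backup.ps1",
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for host, hits in run_detection(SAMPLE_EVENTS).items():
        print(host, hits)
```

The benign scheduled backup on ENG-WS02 produces nothing, while the PsExec-launched encoded PowerShell on ENG-WS01 and the taskkill/net stop against watchlisted processes on HMI-02 each fire. None of these rules needs a file hash or a C2 address, which is the point when the tooling is all Microsoft-signed; the remaining work is tuning the watchlist to the real process names at your site and deciding which operator hosts may legitimately stop them.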

For more details, including input from the Dragos pentest team, please see the full report.

Many ransomware incidents in the industrial sector come down to inadequate network security controls. Approximately 70% of OT incidents originated from within the IT environment, and a survey published by Dragos in 2023 found segmentation problems and improper firewall configurations in 28% of cases.

OT Vulnerabilities and Countermeasures

Vulnerabilities in OT continue to be discovered, but public advisories alone are insufficient to secure OT:

  1. OT vulnerability advisories can be inaccurate and vague (researchers often do not review the public advisory, and there is little consistency across industrial equipment vendors).
  2. CVSS does not take OT network architecture into account and assigns a high score even when the vulnerable component cannot actually be reached by an attacker.
  3. Advisories lack practical mitigation steps beyond patching.

In an OT environment, it is difficult to patch every vulnerability. Many OT devices and software have security flaws that are effectively permanent and hard to fix, so mitigation measures other than patching are important.

In 2023, 72% of advisories had patches, but 54% of those had no mitigation. Dragos provided mitigations for 49% of the advisories that lacked them. Additionally, 28% of advisories had no patch, and of those, about 19% had no mitigation either.

CERT/CC Methodology for Vulnerability Mitigation NOW / NEXT / NEVER

To cut through this noise, the methodology prioritizes vulnerabilities by their exploitation status and how easy they are to attack.

Now: Vulnerabilities that defenders need to address immediately
Next: Vulnerabilities that can be mitigated with firewalls and network hygiene
Never: Vulnerabilities that do not increase risk

In 2023, 2,010 vulnerabilities were disclosed, but only 3% of the total fell into the "Now" category. "Next" accounted for 68% and can be addressed by network monitoring, segmentation, and MFA (multi-factor authentication). "Never" accounted for 29%.

The report further addresses the severity of the vulnerabilities, their location on the network, and their likelihood of exploitation.
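To make the Now / Next / Never idea concrete, here is a small triage routine written as an added example for this article; it is not Dragos' own methodology or tooling, and the decision rules in triage() are this example's reading of the three bucket definitions above (exploitation status, where the asset sits on the network, and whether the outcome is loss of view or control). The advisory identifiers, assets and zone labels are placeholders, and the CVSS scores are chosen only to show that a 9.8 can land in "Next" while a 6.5 lands in "Now".

```python
from dataclasses import dataclass
from enum import Enum


class Bucket(Enum):
    NOW = "Now"
    NEXT = "Next"
    NEVER = "Never"


@dataclass(frozen=True)
class OTVuln:
    """One advisory as seen from a specific plant. Identifiers are placeholders."""
    vuln_id: str
    asset: str
    cvss_base: float
    attack_vector: str          # "network", "adjacent", "local" or "physical"
    exploited_in_wild: bool
    exploit_public: bool
    zone: str                   # Purdue-style: "dmz", "level3", "level2", "level1"
    reachable_from_it: bool     # a firewall rule or flat network lets IT hosts reach it
    loss_of_view_or_control: bool
    patch_available: bool


def remotely_reachable(v):
    """Could an attacker who already owns IT (the common case) touch the service?"""
    return v.attack_vector in ("network", "adjacent") and (
        v.zone == "dmz" or v.reachable_from_it)


def triage(v):
    # Never: needs console or physical access and cannot affect the process,
    # so it adds nothing to what such an attacker could already do.
    if v.attack_vector in ("local", "physical") and not v.loss_of_view_or_control:
        return Bucket.NEVER
    # Now: exploitation is real or trivial, the path from IT exists, and the
    # outcome is loss of view/control. The CVSS base score is deliberately
    # not part of this test.
    if (remotely_reachable(v) and (v.exploited_in_wild or v.exploit_public)
            and v.loss_of_view_or_control):
        return Bucket.NOW
    # Next: everything else is held by network controls until a window opens.
    return Bucket.NEXT


def mitigation(v):
    """Mitigation text per bucket (wording is this example's, not the report's)."""
    b = triage(v)
    if b is Bucket.NOW:
        return ("emergency patch" if v.patch_available
                else "no patch: isolate the asset and restrict access now")
    if b is Bucket.NEXT:
        steps = ["monitor traffic to the asset for exploitation attempts"]
        if v.reachable_from_it:
            steps.insert(0, "narrow the IT->OT firewall rule to required hosts/ports")
        if v.attack_vector == "network":
            steps.append("require MFA on remote-access paths")
        if v.patch_available:
            steps.append("patch at the next maintenance window")
        return "; ".join(steps)
    return "track only; no change required"


def summarize(vulns):
    """Count per bucket plus percentage of the whole, like the report's figures."""
    counts = {b: 0 for b in Bucket}
    for v in vulns:
        counts[triage(v)] += 1
    return {b.value: (counts[b], round(100 * counts[b] / len(vulns))) for b in Bucket}


# Constructed sample: seven advisories as seen from one hypothetical plant.
SAMPLE = [
    OTVuln("V-001", "historian", 6.5, "network", True, True, "dmz", True, True, True),
    OTVuln("V-002", "PLC firmware", 9.8, "network", False, False, "level1", False, True, False),
    OTVuln("V-003", "engineering workstation tool", 7.8, "local", False, True, "level2", True, False, True),
    OTVuln("V-004", "HMI web server", 8.8, "network", False, True, "level2", True, True, True),
    OTVuln("V-005", "OPC server", 7.5, "adjacent", False, False, "level3", True, True, True),
    OTVuln("V-006", "switch management UI", 5.3, "network", False, False, "level2", False, False, True),
    OTVuln("V-007", "field device serial config", 6.8, "physical", False, False, "level1", False, False, False),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.vuln_id} CVSS {v.cvss_base:>4} -> {triage(v).value:5} | {mitigation(v)}")
    print(summarize(SAMPLE))
```

V-002 is the case from point 2 above: a CVSS 9.8 network flaw in PLC firmware, but with no public exploit and no route from IT it stays in "Next", where segmentation and monitoring carry the risk until an outage window. V-001, scored only 6.5, is "Now" because it is actively exploited, sits in the DMZ, and costs the plant its view of the process. The inputs that decide the bucket (exposure, exploitation, impact on the process) are exactly the ones a generic advisory cannot know about your site, which is why this triage has to be done locally.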

Trend analysis by vulnerability type

The report evaluates vulnerabilities affecting ICS and highlights notable CWEs. If you are interested in the technical aspects, please read the full report.

  • Out-of-bounds Write / Read (CWE-787 / CWE-125)
  • OS Command Injection (CWE-78)
  • Use of Hard-coded Credentials (CWE-798)
  • Path Traversal (CWE-22)
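Three of these four weakness classes show up in the web management interfaces and support tools that ship with OT devices, and each can be shown as a vulnerable function beside its hardened form. The example below is added for this article and is not code from the report or from any vendor; the device log directory, the diagnostics "ping" feature and the admin login are hypothetical, and the files it reads live in a temporary directory it creates itself. CWE-787/CWE-125 are memory-safety flaws in native firmware code and have no Python equivalent, so they are not covered here.

```python
import hashlib
import hmac
import os
import re
import secrets
import tempfile
from pathlib import Path

# Constructed sandbox standing in for a device filesystem: a log directory
# and a sensitive file one level above it.
ROOT = Path(tempfile.mkdtemp(prefix="otdev_"))
LOG_DIR = ROOT / "logs"
LOG_DIR.mkdir()
(LOG_DIR / "system.log").write_text("boot ok\n")
(ROOT / "device_secret.txt").write_text("s3cret\n")


# --- CWE-22: path traversal in a "download log file" handler -----------------
def vulnerable_read_log(name):
    # User input is joined onto the base path; "../" walks out of LOG_DIR.
    with open(os.path.join(LOG_DIR, name)) as f:
        return f.read()


def safe_read_log(name):
    base = LOG_DIR.resolve()
    target = (base / name).resolve()          # resolve() also follows symlinks
    # Must stay inside the log directory and must be a direct child of it.
    if not target.is_relative_to(base) or target.parent != base:
        raise ValueError("log name escapes the log directory")
    return target.read_text()


# --- CWE-78: OS command injection in a diagnostics "ping" feature ------------
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_ping_command(host):
    # A shell string built from user input; ";" or "$(...)" appends commands.
    # (The vulnerable device would hand this to subprocess.run(..., shell=True).)
    return f"ping -c 1 {host}"


def safe_ping_argv(host):
    # Validate against the hostname grammar and refuse option-looking input,
    # then build an argv list so no shell ever parses it.
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]


# --- CWE-798: hard-coded credentials in the admin login ----------------------
def vulnerable_login(user, password):
    # Baked into the firmware image, so identical on every unit ever shipped.
    return user == "admin" and password == "admin"


def make_credential_store(password, iterations=200_000):
    """Per-device salted hash set at commissioning, not a build-time constant."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def safe_login(store, user, password, expected_user="admin"):
    salt, digest, iterations = store
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return user == expected_user and hmac.compare_digest(candidate, digest)


def demo():
    """Exercise each pair with a hostile input and a legitimate one."""
    def blocked(fn, arg):
        try:
            fn(arg)
            return False
        except ValueError:
            return True

    store = make_credential_store("correct horse battery")
    return {
        "traversal_leaks": vulnerable_read_log("../device_secret.txt"),
        "traversal_blocked": blocked(safe_read_log, "../device_secret.txt"),
        "legit_log": safe_read_log("system.log"),
        "injected_command": vulnerable_ping_command("10.0.0.5; cat /etc/passwd"),
        "injection_blocked": blocked(safe_ping_argv, "10.0.0.5; cat /etc/passwd"),
        "legit_argv": safe_ping_argv("plc-01.ot.local"),
        "default_creds_work": vulnerable_login("admin", "admin"),
        "default_creds_rejected": not safe_login(store, "admin", "admin"),
        "real_creds_work": safe_login(store, "admin", "correct horse battery"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The hardened forms follow the same pattern in each case: decide what the input is allowed to be (a file directly inside one directory, a hostname, a credential set per device at commissioning) and reject everything else before the dangerous operation runs, rather than trying to strip out bad characters afterwards. For a device that cannot be patched, the "Next"-style compensating control is to put that same rule at the network edge: allow only the management hosts that need the web interface to reach it, and make the default credential unusable by changing it at installation.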


Status of companies' OT cybersecurity measures

The European NIS2 Directive, the Australian SOCI Act, and the US Securities and Exchange Commission (SEC) cybersecurity risk management rules have pushed companies to allocate resources to preparing for cybersecurity events. In 2023, Dragos delivered twice as many tabletop exercises as in 2022, and three times as many exercises with executive-level participation. Leaders are moving from reactive training to comprehensive, organization-wide incident response training. Incident response readiness varied by industry.

Lastly

Cyber threats to the industrial sector are on the rise, and protecting OT is becoming more important. The traditional approach of collecting vulnerability information and applying patches is no longer sufficient on its own in OT. It is important to prioritize vulnerabilities by taking into account whether they are being exploited and how easy they are to attack, and to implement viable mitigations other than patching. Furthermore, incident response is of the utmost importance in OT, from acting on small signs of attack to responding to a full ransomware incident. We hope this article will help you with your OT cybersecurity measures.
If you need assistance with planning and implementing specific measures or have any questions, please feel free to contact Macnica.