Operational Technology Cybersecurity Threat Landscape And Key Shifts
9 October 2024
OVERVIEW
Since 2019, the cyber threat landscape for Operational Technology (OT) systems has undergone significant changes. A key shift has been the increase in threat actors seeking to disrupt such systems. Advanced Persistent Threats (APTs), cybercriminal groups, and hacktivist groups have increasingly targeted OT environments, capitalising on expanded IT connectivity to exploit vulnerabilities. This has resulted in several disruptions to OT operations globally. This edition of CyberSense looks at the OT threat environment, especially in regard to the increasing complexity and impact of attacks.
Figure 1. Attacks Against OT: Evolution And Escalation
The OT Cybersecurity Threat Landscape
Advanced Persistent Threats (APTs): Evolving Tactics and Strategies
According to Dragos’ 2023 Cybersecurity Year in Review, the number of APT threat groups targeting OT systems has nearly doubled since 2019, rising from 11 to 21 — an increase of 2 to 4 new groups every year.[1] This growth underscores the intensifying threat to critical infrastructure globally.
One significant development is the increasing sophistication of the techniques used by APT groups, such as the Pipedream malware framework by the Chernovite group. Pipedream, likened to a “Swiss Army Knife” for its versatility, poses a substantial threat to a wide range of OT systems. Its modular nature allows it to disrupt, degrade, or even destroy multiple OT environments, significantly lowering the barrier for other threat actors and potentially leading to a surge in OT-focused attacks. As the first scalable, cross-industry toolkit specifically designed for infiltrating and compromising OT systems, Pipedream signifies an uptick in cyber threat capabilities.
The second notable development is the increasing stealth and persistence demonstrated by threat groups. According to the US Cybersecurity and Infrastructure Security Agency (CISA), APT group Volt Typhoon has infiltrated critical infrastructure in the US and other nations since 2019, employing Living off the Land (LotL) techniques to avoid detection.[2] This group has targeted sectors like utilities, potentially preparing for disruptive attacks rather than espionage. The group’s shift towards stealthier methods and its ongoing reconnaissance activities highlight the evolving tactics of APTs and the growing challenges for OT security.
Cybercriminals: Exploiting OT Systems for Financial Gain
Ransomware attacks on OT systems have surged, reflecting cybercriminals’ recognition of the high impact and financial potential of such attacks. Multiple cyber vendors have also reported a rise in ransomware attacks on OT environments. Claroty’s 2023 report on the global state of industrial cybersecurity found that ransomware attacks impacting OT environments were on the rise and remained costly, with a shift from primarily impacting IT environments to affecting both IT and OT environments.[3] The financial repercussions of such attacks are substantial, with recovery costs often exceeding US$1 million for 23% of affected organisations.[4] Ransomware strains like EKANS, designed specifically to target OT environments, represent a significant threat by disrupting industrial operations and causing unpredictable machinery behaviour. The rising frequency and cost of ransomware attacks on OT environments emphasise the urgent need for robust cybersecurity measures.
Hacktivist Groups: Intensified Activities and Improved Capabilities
Amid the evolving cyber threat landscape, hacktivist groups have increasingly targeted OT assets, particularly in light of geopolitical conflicts like Russia-Ukraine and Israel-Hamas. These groups are shifting from their traditional methods of Distributed Denial-of-Service attacks and web defacements to more direct disruptions of OT systems. Cybersecurity vendor Mandiant observed a significant increase in hacktivist attacks targeting OT assets coinciding with the onset of these conflicts, with the number of such incidents more than doubling in 2022 compared to the previous year.[5]
Evidence suggests that hacktivist groups are increasingly capable and willing to move beyond low-level disruptions. Notably, those likely working under nation-states have become more aggressive in directly attacking critical OT infrastructure, possibly due to state support. Mandiant noted with high confidence that Sandworm, a Russian military intelligence unit, is suspected of controlling the pro-Russian hacktivist group Cyber Army of Russia Reborn (CARR).[6] Although Sandworm has never directly launched a disruptive attack on a US network, CARR targeted US water utilities in early 2024, manipulating a Human-Machine Interface (HMI)[7] to cause overflow in water tanks in Muleshoe, Texas. This indicates that state-influenced hacktivist groups may escalate from low-level disruptions to more severe incidents. While cybersecurity agencies like CISA classify these attacks as “unsophisticated”, they acknowledge that these groups can employ techniques that pose physical threats to unsecured OT environments.[8] This highlights the urgent need for enhanced security measures to protect our OT infrastructure.
Singapore’s OT Threat Landscape Outlook
While Singapore has not yet faced these threats directly, the potential for attacks on our critical infrastructure and internet-facing OT networks exists. Cybercriminals and hacktivist groups may exploit vulnerabilities in OT systems locally. To mitigate these risks, organisations should:
a. Safeguard entry points into OT networks, including IT-OT links and removable media.
b. Prevent attackers from traversing and surveying OT environments by securing IT-OT interfaces.
c. Minimise vulnerabilities through timely patching of OT assets.
Vigilance and proactive measures are crucial to protecting Singapore’s OT systems from the evolving threat landscape. Additionally, SANS’ five critical controls for OT and Industrial Control Systems provide a useful baseline for preventing, detecting, and responding to cyber incidents in these environments.[9] This framework offers adaptable measures that can be tailored to meet each organisation’s unique needs and risk profile, defending against adversarial activity directed at OT systems.
To gain deeper insights into the evolving threat landscape and Singapore’s national strategies for securing OT systems, explore the updated Operational Technology Cybersecurity Masterplan. Unveiled by Mrs. Josephine Teo, Minister for Digital Development and Information, at the Singapore OT Cybersecurity Expert Panel Forum on 20 August 2024, this masterplan outlines critical initiatives aimed at safeguarding the nation’s infrastructure.
REFERENCES:
CISA, Claroty, Dragos, Mandiant, Wired.
FOOTNOTES:
[1] While Dragos does not classify the threat groups they monitor as APTs, we have classified them as such to differentiate them from the broader category of threat actors (as per Dragos’ terminology). The term threat actor typically encompasses a larger set, including cybercriminals, hacktivist groups, and other non-state affiliated groups with varying motives and capabilities. Additionally, several of these threat groups, such as Chernovite, have been classified by governments as APTs. “Dragos 2019 ICS Year in Review: Executive Summary | Dragos”, accessed 14 June 2024, https://www.dragos.com/blog/industry-news/dragos-2019-ics-year-in-review-executive-summary/.
[2] “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | CISA”, accessed 17 June 2024, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a.
[3] “Report: The Global State of Industrial Cybersecurity 2023 | Claroty”, accessed 17 June 2024, https://claroty.com/resources/reports/the-global-state-of-industrial-cybersecurity-2023.
[4] Ibid.
[5] “We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems | Mandiant | Google Cloud Blog”, accessed 17 June 2024, https://cloud.google.com/blog/topics/threat-intelligence/hacktivists-targeting-ot-systems.
[6] “The Reborn Cyber Army of Russia: A New Threat from the Kremlin's Sandworm Unit | Wired”, accessed 16 June 2024, https://www.wired.com/story/cyber-army-of-russia-reborn-sandworm-us-cyberattacks/.
[7] An HMI is a device that lets humans control and automate machines using easy-to-understand instructions displayed on the device screen.
[8] “Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity | CISA”, accessed 14 June 2024, https://www.cisa.gov/resources-tools/resources/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity.
[9] Industrial Control Systems is a collective term used to describe several types of control systems and associated instrumentation to control industrial processes such as manufacturing, product handling, production, and distribution. “The SANS ICS Five Critical Controls: A Practical Framework for OT Cybersecurity | Dragos”, accessed 20 August 2024, www.dragos.com/blog/the-sans-ics-five-critical-controls-a-practical-framework-for-ot-cybersecurity/.