Dive Brief:
- The manufacturing sector remains hackers’ top operational technology target, the security firm Trellix said in a report published on Tuesday, accounting for 42% of detections across Trellix’s critical infrastructure customers.
- Transportation and shipping companies, utilities, energy producers and aerospace firms rounded out the top-five list.
- OT companies should focus on network segmentation, vulnerability remediation and legacy equipment replacement to combat hackers, the report said.
Dive Insight:
Trellix’s report, based on data from April through September, contains observations about threat actors’ behavior that offer important insights for critical infrastructure operators looking to harden their defenses.
“Over the past five years,” the report said, “attacks on operational technology have evolved from accidental IT spillover to deliberate targeting of critical infrastructure by both criminal and state-sponsored actors.”
The boundary between IT and OT assets is often one of the weakest points in any infrastructure provider’s network, and Trellix found that the most common attack techniques targeting OT systems exploited this area. PowerShell and Cobalt Strike represented the two biggest attack vectors that Trellix detected, with hackers scanning for industrial control systems protocols, moving laterally between machines and deploying stolen credentials.
“Threat actors, recognizing the inherent difficulties and high visibility risks of directly targeting low-level [industrial process] controllers, are instead prioritizing the compromise of [devices] that bridge the networks,” Trellix said. These “boundary devices” have more commonplace vulnerabilities than computers directly linked to industrial equipment, but they can still manipulate and even damage that equipment.
In some cases, hackers have sought to destroy data on computers controlling industrial devices’ safety systems or turn off those systems entirely.
“The concentration of attacks on manufacturing and energy sectors, combined with the emergence of safety-system targeting, represents a critical threat to global infrastructure,” Trellix said in its report.
The report is the latest to warn companies that their use of legacy industrial control systems protocols puts them at risk. Protocols such as Modbus and DNP3 are inherently insecure, the company said in its report, as are Supervisory Control and Data Acquisition (SCADA) device makers’ proprietary protocols. “Programmable logic controllers (PLCs) face increasing targeting,” Trellix said, highlighting the Russia-linked Triton malware’s deployment against Schneider Electric Triconex systems.
Alarmingly, companies take much longer to patch vulnerabilities on OT assets than in traditional IT systems, according to the report: 180 days for OT versus 30 days for IT.
To mitigate OT risks, the report said, operators should segment and monitor their networks, enforce zero-trust access principles on all external connections, require vendors to meet stringent software supply chain transparency and integrity requirements, embed cybersecurity expectations into vendor contracts and exchange threat intelligence with other companies in their sectors.
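The report's three threads above, attackers scanning for ICS protocols across the IT/OT boundary, legacy protocols such as Modbus and DNP3 carrying no authentication, and the advice to segment and monitor networks, come together in the kind of boundary check an operator would run over its firewall or flow logs. The script below is an added example written for this article, not code from Trellix or its report; the subnets, the allowlisted collector host, the scan threshold and the connection records are all constructed assumptions, and the one-line record format is a simplified stand-in for real flow logs.

```python
"""Boundary-traffic checks for an IT/OT segmentation policy.

Added example written for this article; it is not code from Trellix or its
report. The subnets, allowlist, threshold and the connection records below
are constructed assumptions, and the record format ('timestamp src dst dport
proto [fc=N]') is a simplified stand-in for firewall or flow logs.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed network plan (hypothetical): corporate IT, an OT DMZ between the two,
# and the control network holding PLCs and SCADA servers.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_DMZ = ipaddress.ip_network("10.20.0.0/24")
OT_NET = ipaddress.ip_network("10.30.0.0/16")

# Well-known ports of the legacy ICS protocols the report names.
ICS_PORTS = {502: "modbus", 20000: "dnp3"}

# Modbus carries no authentication, so the only control point is *which host*
# may talk to a PLC. Hypothetical allowlist: one data collector in the DMZ.
ALLOWED_ICS_SOURCES = {ipaddress.ip_address("10.20.0.5")}

# Modbus function codes that change controller state (write coil/register).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}

# One source touching this many distinct OT hosts on ICS ports is treated as
# scanning for ICS protocols (the threshold is an assumption).
SCAN_THRESHOLD = 3


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    detail: str


def parse_record(line):
    """Parse 'ts src dst dport proto [fc=N]' into typed fields."""
    parts = line.split()
    ts, src, dst, dport, proto = parts[:5]
    fc = None
    for extra in parts[5:]:
        if extra.startswith("fc="):
            fc = int(extra[3:])
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, fc


def evaluate(records):
    """Return the policy findings for a list of connection records."""
    findings = []
    ics_targets = defaultdict(set)  # src -> OT hosts contacted on ICS ports
    for line in records:
        _ts, src, dst, dport, _proto, fc = parse_record(line)
        if dst not in OT_NET:
            continue  # only traffic into the control network is in scope here
        # Rule 1: IT hosts must reach OT only via the DMZ, never directly.
        if src in IT_NET:
            findings.append(Finding("it_to_ot_direct", str(src), str(dst)))
        if dport in ICS_PORTS:
            ics_targets[src].add(dst)
            # Rule 2: ICS protocol traffic from any host not on the allowlist.
            if src not in ALLOWED_ICS_SOURCES:
                name = ICS_PORTS[dport]
                if name == "modbus" and fc in MODBUS_WRITE_FCS:
                    name += "_write"  # a write to a PLC is the most severe case
                findings.append(Finding("unauthorized_" + name, str(src), f"{dst}:{dport}"))
    # Rule 3: one source sweeping many OT hosts on ICS ports.
    for src, hosts in ics_targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append(Finding("ics_scan", str(src), f"{len(hosts)} hosts"))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample records, not real traffic.
SAMPLE_RECORDS = [
    "2025-06-01T10:00:00Z 10.20.0.5 10.30.1.20 502 tcp fc=3",   # allowed collector reading registers
    "2025-06-01T10:00:01Z 10.10.4.7 10.30.1.20 502 tcp fc=6",   # IT host writing a PLC register
    "2025-06-01T10:00:02Z 10.10.4.7 10.30.1.21 502 tcp",        # same IT host probing the next PLC
    "2025-06-01T10:00:03Z 10.10.4.7 10.30.1.22 20000 tcp",      # ... and a DNP3 outstation
    "2025-06-01T10:00:04Z 10.20.0.9 10.30.1.30 20000 tcp",      # DMZ host that is not allowlisted
    "2025-06-01T10:00:05Z 10.10.4.7 10.20.0.5 443 tcp",         # IT to DMZ over HTTPS: permitted
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RECORDS):
        print(f"{f.rule:28} {f.src:12} {f.detail}")
    print(summarize(evaluate(SAMPLE_RECORDS)))
```

Running the sample produces eight findings: the IT host 10.10.4.7 is flagged three times for reaching the control network directly, once for a Modbus write, once more for Modbus and DNP3 probes, and once for sweeping three OT hosts; the unlisted DMZ host is flagged once. The allowed collector's read and the IT-to-DMZ HTTPS session produce nothing, which is the point of the design: because Modbus and DNP3 cannot authenticate the caller, the policy is enforced at the segment boundary by source host, and the scan rule gives early warning of the protocol discovery the report describes before any write reaches a PLC.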
“Organizations must prioritize OT security investments, implementing defense-in-depth strategies that account for the unique operational requirements of industrial systems,” Trellix said. “The evolution from opportunistic attacks to targeted campaigns against safety systems requires immediate attention to prevent potential catastrophic incidents that could result in loss of life and widespread economic disruption.”
