This post was written with contributions from Dave McMillen.

So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT asset owners and operators, all of whom understand the need to keep critical infrastructures running safely, need to be aware of the shifting landscape and what they should be doing to secure their operations.

IBM Security X-Force analysts looked at X-Force Incident Response (IR) and Managed Security Services (MSS) data to provide OT defenders with the intelligence necessary to protect their assets.

• Most Common Attack Attempts:  Widespread and likely indiscriminate internal and external vulnerability scanning, as well as brute force attacks and use of weak and outdated encryption standards, are the most common attack attempts against OT-related industries’ IT and OT environments observed so far in 2022.
• Most Common Initial Access Vector: Phishing continued to be the most prevalent initial access vector identified across incidents that IBM responded to across OT industries.
• Top Incidents: The majority of incidents X-Force responded to involved malspam, with clients both receiving emails with the Emotet Trojan and being hijacked to forward it, and to a lesser extent remote access trojans (RATs), ransomware, and business email compromise (BEC) attacks.

Industry trends

The manufacturing industry was the most-attacked industry in 2021, according to the 2021 X-Force Threat Intelligence Index. So far in 2022, manufacturing remains in the lead across both metrics at 23% of total IR cases and 65% among OT-related industries. This is just ahead of where manufacturing stood throughout 2021, victimized in 61% of incidents in OT-related industries to which X-Force responded. Of the other OT-heavy industries so far in 2022, electric utilities place a distant second at 13% and oil and gas and transportation tied for third at 8%, all three of which are similar to their proportion of attacks through 2021. Heavy and civil engineering accounts for about 3% and mining just shy of 2%.

Figure 1: Proportion of IR cases by OT-related industry, January-June 2022. Source: X-Force incident response data.

Initial infection vectors

Incident response data

Looking at identified initial infection vectors, phishing served as the initial infection vector in 78% of incidents X-Force responded to across these industries so far in 2022. This tracks with phishing’s position as the lead infection vector across all incidents in 2021. This also highlights the importance of layered phishing defenses, including regular user education and training, software solutions to filter malicious email, email sandboxing solutions to analyze any attachments or linked payloads, web proxies to analyze linked domains and attachment downloads, and application allow listing and Attack Surface Reduction rules to limit which extensions and payloads can be executed by end users. Solutions such as EDR and XDR can help detect post-compromise actions on endpoints if Command and Control is established. This should also be combined with strong network and user behavior analytic detections and defenses in the event that a phish is ultimately successful.

Scanning and exploitation of vulnerabilities on external attack surfaces made up 11% of initial infection vectors in incidents. Proactively identifying and managing the external attack surface of IT and OT networks is essential to understanding what ports, services, and applications may be exposed to attackers externally and may require further hardening, patching, or isolation. Once the external attack surface is identified, focused vulnerability management can help address IT vulnerabilities, though such patching is notoriously difficult in OT environments where downtime is difficult to schedule and system refresh timelines can stretch over many years.  Because of this, one might expect successful compromise through vulnerability exploitation to be observed more frequently, but typically OT equipment itself is not exposed directly to the internet and is typically targeted via IT network access. Therefore, proper network security isolation is key to reducing attack paths for threat actors seeking to pivot from IT to OT networks. The use of removable media tied for second at 11% of incidents, underscoring the long-standing threat that such media poses to OT networks, often by end users using infected USB media drives between operator workstations and personal laptops while in the field.

Proper segmentation, proactive testing of security controls, knowing your environment, and hardening systems are just a few of the steps available to secure these assets. As for removable media, ideally, USB flash drives should be prohibited when possible. If absolutely necessary, strictly control the number of portable devices approved for use in your environment and disable autorun features for any removable media.

Figure 2: Identified infection vectors for incidents against OT-related industries, January-June 2022. Source: X-Force incident response data.

Network attack data

In addition to analyzing data from our incident response engagements, X-Force analysts also reviewed OT-related industries’ network attack data to determine how attackers are most often attempting to infiltrate those networks. Widespread vulnerability scanning, mostly broad spraying with some more targeted attempts, accounts for most of the observed network attacks on X-Force clients in OT-related industries. Weak encryption implementation and brute force attempts make up the majority of alerts in client environments with OT monitoring devices.

Vulnerability scanning

In most cases, the scanning attempts revealed in the data are not directly targeting OT or ICS, rather they are looking for any of a large number of vulnerabilities in an unspecified environment whether internally and externally. The fact that many of the OT-specific signatures triggered also appear against clients in industries without OT environments supports our assessment that much of this activity is indiscriminate scanning. When we analyzed network traffic related to ports commonly associated with OT, we found port scanning and Shodan scanner activity made up 47% and 36% of activity, respectively. These types of scanning can ultimately be used to identify vulnerable or accessible IT or OT environments.

Figure 3: Attack activity against ports commonly associated with OT, January-June 2022. Source: IBM Managed Security Services data.

The vulnerabilities X-Force sees being scanned for include ones from 2016, 2018, and 2021. Within network attack alerts from the subset of clients in OT-related industries, a filter bypass vulnerability in Trihedral’s VTScada application (CVE-2016-4510) that could allow unauthenticated users to send http requests to access files was most common. Other vulnerabilities scanned include cross-site scripting vulnerabilities in Advantech’s R-SeeNet devices platform (CVE-2021-21801, -21802, and -21803) and a vulnerability in CirCarLife SCADA software (CVE-2018-12634) that could lead to information disclosure. The CirCarLife CVE ranks 9.8/10 in CVSS, followed closely by Trihedral’s at 9.1, and the others at 6.1.

Figure 4: OT-related vulnerability scanning activity against OT-related industries, January-June 2022. Source: IBM Managed Security Services data.

Refining and maturing your vulnerability management program can help protect your assets from threat actors seeking to identify vulnerabilities in your systems via such scanning. This should include dedicating a well-resourced and supported team to the task and prioritizing the CVEs below for OT networks. Overall, it is important to bear in mind that your specific environment does not need to be directly targeted to be compromised–if your network is vulnerable or misconfigured, it can be compromised.

Weak encryption and brute force

Weak encryption and brute force alerts were the two most significant network attack alerts that clients with OT monitoring devices experienced. Almost 60% of the alerts concerned the continued use of TLS 1.0, an outdated and insecure encryption method deprecated in March 2021. Though the US Government recommends reconfiguration to use TLS 1.2 or 1.3, NIST guidelines address in more depth the more common reality that older systems may need to continue using weaker versions of encryption to ensure continued functionality.

X-Force strongly recommends that organizations inventory and understand their environments; the types of encryption deployed should certainly be on those lists. We also recommend clients weigh the security risks with the possible benefits of continuing use of older encryption methods based on the sensitivity of the communications being secured.

Figure 5: Network alerts from OT monitoring devices, January-June 2022. Source: IBM Managed Security Services data.

Another 42% of alerts concerned brute force, both attempted and successful events. Among the small percentage of other alerts were a variety of network enumeration alerts including Modbus function code, illegal parameter, and suspect variables scans, and things like weak or default passwords found on devices, a basic but necessary vulnerability to address that makes brute force attacks easier for attackers. Other mitigations to reduce your networks’ susceptibility to brute force attacks include ensuring multi-factor authentication is deployed and regular re-authentication is required for as many logins as technically feasible, keeping applications and operating systems updated, and implementing lockout policies.

Top threat: Malspam delivering Emotet

So far this year, malspam ranks as the top threat across OT-related industries at 44% of incident response engagements. Notably, the majority of malspam incidents involved the delivery of the Emotet Trojan, which is reflective of a cross-industry trend not just in the OT space, and aligns with our data indicating phishing as the leading infection vector. Many of those incidents involved Emotet infections, receipt of thousands of infected emails, and infection from unauthorized downloads that sometimes led to system identifying information being stolen. In some of the cases, victims’ emails were hijacked to send Emotet-infected spam, probably to make the emails look more legitimate and get more clicks. Remote access trojans (RATs) come in second at 19%, ransomware accounts for 13% of incidents responded to, and business email compromise (BEC) and server access attacks account for about 6% each.

These numbers so far reflect a shift from 2021, when ransomware accounted for 36% of all attacks across these industries. Most of those ransomware events affected IT networks directly, with some having an indirect impact on OT networks. This trend is currently being observed across all industries, not just those with OT environments. Although new and existing ransomware groups continue to plague many organizations, X-Force assesses that fewer ransomware IR cases this year compared to last may be the result of defenders improving their own ransomware response plans or security posture to detect malicious behaviors in their environment before attackers have an opportunity to strike.

Figure 6: Identified threats for incidents against OT-related industries, January-June 2022. Source: X-Force incident response data.

Mitigating risk to OT

Government and private institutions around the world have been turning their focus to mitigating risks to OT in recent years. Cybercriminals are developing new threats on a daily basis that can potentially result in catastrophic utility and manufacturing outages.

The threat to OT permeates across a nation’s entire economy and infrastructure. Organizations across all verticals must take full responsibility for protecting their own assets and consumers. The best way to keep adversaries out of an ICS is to implement simple safeguards, best practices, and risk management solutions. You can download ICS specific resources from government entities like the National Institute of Standards and Technology (NIST), which also offers network protection advice for connected things within industrial realms.

For more information on protecting ICS from rising threats while continuing to enable technological advancements, read X-Force’s recent blog, “Where Everything Old is New Again: Operational Technology and Ghosts of Malware Past.” The report looks at the history of ICS, the susceptibility of these systems to certain attacks, and ways to defend those systems.

Recommendations:

• Implement layered phishing defenses:
  • Regular user education and training.
  • Software solutions to filter malicious email.
  • Email sandboxing solutions to analyze any attachments or linked payloads.
  • Web proxies to analyze linked domains and attachment downloads.
  • Application allow listing and Attack Surface Reduction rules to limit which extensions and payloads can be executed by end users.
  • Solutions such as EDR and XDR can help detect post-compromise actions on endpoints if Command and Control is established.
  • Implement strong network and user behavior analytic detections and defenses to protect against ultimately successful phishing.
• Proactively identify and manage the external attack surface of IT and OT networks to understand what ports, services, and applications may be exposed to attackers externally and may require further hardening, patching, or isolation.
• Segment your IT and OT networks properly and proactively test security controls
• Ideally, USB flash drives should be prohibited when possible. If absolutely necessary, designate a single device for any maintenance, re-format it for every use, and disable autorun features for any removable media.
• Refine and mature your vulnerability management program to help protect your assets. This should include dedicating a well-resourced and supported team to the task and prioritizing CVEs for OT networks when appropriate.
• Know the types of encryption deployed in your environments and weigh the security risks with the possible benefits of continuing use of older encryption methods based on the sensitivity of the communications being secured.
• Change weak or default passwords found on devices, ensure multi-factor authentication is deployed and regular re-authentication is required for as many logins as technically feasible, keep applications and operating systems updated, and implement lockout policies.