
Dragos 2021 Industrial Cybersecurity Year In Review – New Activity Groups, Lessons Learned, and the Impact of Ransomware on Industrial Organizations

Created: Thursday, February 24, 2022 - 13:59
Categories:
OT-ICS Security, Security Preparedness

What the Verizon DBIR is to the wider security world, the Dragos Industrial Cybersecurity Year in Review is to the ICS community: a recurring, data-driven look at the cyber risks surrounding ICS/OT environments. This year's report is no different. Dragos published its 2021 Industrial Cybersecurity Year in Review yesterday. Drawing on its threat intelligence, assessments, and incident response engagements, Dragos shares key insights, lessons learned, and recommendations in this annual analysis of Industrial Control System (ICS)/Operational Technology (OT) cyber threats and vulnerabilities. In addition to the key findings and recommendations for ICS defenders, read the report for more on:

  • Threat Activity Groups. Learn about three new activity groups Dragos is tracking, plus new activity from known groups that compromised the OT environment of a Fortune 500 company and the IT networks of a large electric utility, food and beverage companies, auto manufacturers, IT service providers, and multiple Oil and Natural Gas (ONG) service firms.
  • State of ICS/OT Vulnerabilities. Dragos researchers analyzed 1703 ICS/OT common vulnerabilities and exposures (CVEs) during 2021, more than twice the 703 analyzed in 2020 (which was itself a 23% increase over 2019). Through its own analysis, Dragos adds context to the reported CVEs (for example, whether a flaw is reachable from the network and what it lets an attacker do) so defenders can prioritize patching and mitigation.
  • ICS Threat Landscape. According to Dragos, ransomware was the number one attack vector in the industrial sector for 2021. Looking ahead to 2022, Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations and OT environments, whether through ransomware strains that integrate OT process-kill capabilities, through flat networks that do nothing to stop ransomware spreading from IT into OT, or through operators shutting down OT environments as a precaution while they try to contain IT ransomware before it reaches OT systems.
  • Lessons Learned. Dragos highlights four key findings across its customer engagements:
    • Poor OT asset management. 86% of service engagements included a finding of limited or no visibility across the OT network, which makes detection, triage, and response very difficult at scale.
    • Poor segmentation of critical ICS/OT systems. 77% of service engagements included a finding about improper network segmentation.
    • Lack of the air gap many believe they have. 70% of service engagements included a finding of external connections from OEMs, IT networks, or the Internet into the OT network.
    • Substandard account protections. 44% of service engagements included a finding about shared credentials in OT systems, the most common path Dragos sees for lateral movement and privilege escalation.
    • Dragos also shares lessons learned from several incident response engagements, including:
      • SolarWinds Orion compromise. Several Managed Service Providers (MSPs) use SolarWinds Orion to monitor their customers' ICS/OT environments, many industrial OEMs embed the software in their management offerings, and some of the largest OEMs use it to monitor service and maintenance access. As a result, many ICS/OT environments were compromised either directly, through the software installed in their own environment, or indirectly, through third-party agreements, despite never installing SolarWinds themselves.
      • The Ghost in the Power Generator. One night, unexpectedly, the gas-fired turbines at a peaking power generation site started up and went to idle.
      • Never Let an Incident Response Team's First ICS Be Your ICS! An organization created more trouble for itself by quickly calling in an incident response provider with no ICS incident response experience.
      • An MSP Case Study. In April 2021, Dragos identified the compromise of an industrial Managed Service Provider (MSP) and OT software vendor based in South Asia with a worldwide customer base.
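The four engagement findings above (unknown OT assets, IT-to-OT paths, external connections into OT, and shared credentials) are all things a defender can check for with data most sites already have: flow records from a SPAN/TAP at the IT/OT boundary and authentication logs from OT Windows hosts. The script below is an added example, not code from Dragos or from the report; the zone CIDRs, the allowed zone pairs, the asset inventory, the flow records, and the auth events are all constructed for illustration and must be replaced with your own site data.

```python
"""Audit constructed OT flow and auth data for the four common engagement findings.

Checks implemented (heuristic, on constructed data):
  1. OT assets seen on the wire but missing from the inventory (visibility gap)
  2. Flows into the OT zone from zones not on the allow-list (segmentation gap)
  3. Flows into OT from addresses outside every defined zone (no air gap)
  4. One username authenticating on many hosts (shared-credential indicator)
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: zones are defined by CIDR ranges. Constructed for this example.
ZONES = {
    "OT": [ip_network("10.20.0.0/16")],
    "DMZ": [ip_network("10.30.0.0/24")],
    "IT": [ip_network("10.10.0.0/16")],
}

# Assumption: only these (src_zone, dst_zone) pairs may reach OT. Constructed.
ALLOWED_INTO_OT = frozenset({("OT", "OT"), ("DMZ", "OT")})

# Constructed OT asset inventory: addresses the OT team has documented.
OT_INVENTORY = {"10.20.1.10", "10.20.1.11", "10.20.2.5"}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.20.1.10", "10.20.1.11", 502, "tcp"),    # HMI -> PLC Modbus, inside OT
    ("10.10.5.20", "10.20.1.10", 3389, "tcp"),   # IT workstation RDP into OT
    ("203.0.113.7", "10.20.2.5", 5900, "tcp"),   # vendor VNC from the Internet
    ("10.30.0.4", "10.20.1.11", 44818, "tcp"),   # DMZ historian -> OT, permitted
    ("10.20.9.99", "10.20.1.10", 502, "tcp"),    # undocumented OT device speaking Modbus
]

# Constructed auth events: (username, hostname) from OT host logon logs.
AUTH_EVENTS = [
    ("operator", "hmi-01"),
    ("operator", "hmi-02"),
    ("operator", "eng-ws-01"),
    ("svc_backup", "historian"),
    ("jsmith", "eng-ws-01"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the map is EXTERNAL."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "EXTERNAL"


def find_unknown_ot_assets(flows):
    """Finding 1: OT-zone addresses observed on the wire but not in the inventory."""
    unknown = set()
    for src, dst, _port, _proto in flows:
        for ip in (src, dst):
            if zone_of(ip) == "OT" and ip not in OT_INVENTORY:
                unknown.add(ip)
    return sorted(unknown)


def find_flows_into_ot(flows):
    """Findings 2 and 3: flows terminating in OT from a zone not on the allow-list.

    An EXTERNAL source is the 'air gap that isn't there'; an IT source is a
    segmentation failure. Both are returned, tagged by source zone.
    """
    findings = []
    for src, dst, port, proto in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair[1] == "OT" and pair not in ALLOWED_INTO_OT:
            findings.append({
                "src": src, "dst": dst, "port": port, "proto": proto,
                "src_zone": pair[0], "dst_zone": pair[1],
            })
    return findings


def find_shared_credentials(events, min_hosts: int = 2):
    """Finding 4: usernames seen logging on to at least min_hosts distinct hosts.

    This is a heuristic: one account appearing on many hosts is how a shared
    local or service credential usually shows up in logon data.
    """
    hosts_by_user = defaultdict(set)
    for user, host in events:
        hosts_by_user[user].add(host)
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print("Unknown OT assets:", find_unknown_ot_assets(FLOWS))
    for f in find_flows_into_ot(FLOWS):
        print(f"Unapproved path {f['src_zone']}->OT: {f['src']} -> {f['dst']}:{f['port']}/{f['proto']}")
    print("Shared-credential candidates:", find_shared_credentials(AUTH_EVENTS))
```

On the constructed data the script reports one undocumented OT address (10.20.9.99), two unapproved paths into OT (one from IT, one from an external address), and one account used across three hosts. In practice, feed it exported NetFlow/Zeek conn logs and Windows 4624 events, and treat the zone map and allow-list as the site's documented architecture so that every hit is a deviation worth explaining.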

For more insight and analysis on threats to ICS/OT, members are encouraged to read the full 65-page ICS/OT Cybersecurity Year in Review 2021 or the 16-page Executive Summary, and/or sign up for the 3-part 2021 YIR webinar series at Dragos.