There is no doubt that some threat actors possess the tradecraft to break directly into ICS/OT networks by exploiting vulnerabilities. Likewise, some actors simply stumble upon the opportunity, typically via unsecured internet-accessible devices. More frequently, however, initial access to ICS/OT networks is obtained through a third vector that defenders tend to trust a little too much: the connected corporate IT network.
The MITRE ATT&CK® Framework for Industrial Control Systems (ICS) includes 12 techniques known to be used by threat actors to gain initial access to ICS/OT networks. According to Dragos, the activity groups they track tend to favor four of those techniques, with direct initial access to ICS/OT devices being the most highly prized outcome. However, Dragos observes that gaining access to a corporate IT network was the more common mechanism by which adversaries facilitated or prepared for a pivot into ICS/OT environments. Either way, understanding and protecting against those top techniques is important for defending both your IT and OT networks. Visit Dragos for access to the whitepaper, “How Dragos Activity Groups Obtain Initial Access into Industrial Environments.”