Ransomware attacks on manufacturing firms made up 70 percent of all such attacks on industrial infrastructure organizations in 2022, finds a new report from cybersecurity firm Dragos, which says that improving the prioritization and mitigation of vulnerabilities in industrial control systems (ICS) and operational technology (OT) networks could minimize future attack risk.
The report – entitled “ICS/OT Cybersecurity Year in Review 2022” – lists a total of 605 ransomware attacks affecting the industrial sector in 2022, a 92 percent increase from the 315 attacks detected in 2021. The number of ransomware attacks specific to manufacturing firms almost doubled, with at least 437 attacks in 2022 compared to 211 in 2021.
“With over 70 percent of all ransomware attacks focused on manufacturing, ransomware actors continue to broadly target many manufacturing sectors and subsectors. As ransomware activity increases, it results in more risk for OT networks, particularly networks with poor segmentation,” the report says.
A prominent issue manufacturing firms are facing is a lack of network segmentation. The report finds that 53 percent of manufacturing firms used the same credentials for IT and OT systems, making it much easier for threat groups to cross from IT to OT systems.
The report does acknowledge a marked improvement in the use of network segmentation across its engagements, much better than the 70 percent documented in 2021. But the 53 percent figure for uncontrolled external connections into OT is still too high, it says.
In addition, the report finds that manufacturing facilities continue to face a lack of visibility into their systems. About 80 percent of operators had little or no visibility into traffic and devices in ICS and OT environments. Many operators continue to struggle with this issue, which indicates that a “vast majority of environments will find it challenging to detect and investigate issues, much less maintain accurate asset inventory,” the report says.
Overall, vulnerabilities in ICS and OT systems saw an increase of 27 percent in 2022, with 77 percent of vulnerabilities lacking any sort of mitigation. Those figures, according to the report, demonstrate the challenge of employing a risk management approach that can both mitigate the risk of exploitation and reduce production downtime due to patching.
“Vulnerability reporting in the ICS space is improving; however, there are still significant gaps in mitigations and reporting. These include incorrectly rating the severity of vulnerabilities and limited investment and resources focused on identifying vulnerabilities with ICS-specific protocols and services,” the report says.
Dragos advised ICS defenders to prioritize vulnerabilities by using a “Now, Next, Never” framework to help asset owners and operators identify vulnerabilities and prioritize patching. Vulnerabilities in the “Now” category require immediate action. Vulnerabilities in the “Next” category are a threat to asset owners and operators who don’t have proper segmentation or whose networks are accessible from the internet. Vulnerabilities in the “Never” category pose a possible threat but rarely require prioritization.
“The framework is not a one-size-fits-all solution for patch management,” the report finds. “When combined with consequence-driven threat modeling, it can help OT security practitioners determine when and if to fix flaws in industrial control equipment.”