Geopolitical tensions escalate OT cyber attacks

In this Help Net Security interview, Andrew Ginter, VP of Industrial Security at Waterfall Security, discusses operational technology (OT) cyber attacks and their 2024 Threat Report. He examines how global geopolitical tensions and evolving ransomware tactics are reshaping industrial cybersecurity. He sheds light on the significance of recent incidents and the critical role of defensive strategies against these growing threats.

How has the global geopolitical environment influenced the landscape of OT cyber attacks?

Politically-motivated hacktivist attacks with physical consequences have increased in the last couple of years. Almost all of these attacks are tied to either the Russian invasion of Ukraine, or the on-going Iran / Israel conflict. These attacks have historically not been terribly sophisticated, but everyone is watching the emergence of large language model AIs to see whether and how much more capable these AI’s will make the hacktivists.

Nation-state incidents are increasing as well – the Chinese were behind the Volt Typhoon campaign that compromised over 50 power plants and electric utilities in the USA, and the Russians are behind an attack on 22 large and small critical infrastructure providers in Denmark. Volt Typhoon was particularly noteworthy because it used “living off the land” techniques to persist – an attack technique that is extremely difficult for intrusion detection systems to discover and diagnose.

The 2024 Threat Report highlights a 19% increase in OT cyber attacks in 2023 compared to the previous year. What factors do you think are driving this consistent rise in attacks?

Ransomware is the main culprit. However, ransomware has historically driven much higher compound annual growth in attacks with OT consequences. The 19% is less than we expected this year, and we attribute the difference to shifting tactics.

A fraction of ransomware criminals appear to have moved away from encrypting compromised systems and moved entirely to extorting ransoms for promising not to publish stolen data. With fewer systems encrypted and crippled, there are fewer than predicted OT consequences. We expect this trend among ransomware groups to stabilize, probably this year, returning compound annual growth in consequential OT attacks closer to historical increases of 60-100% per year.

Can you elaborate on ransomware groups’ evolving tactics and impact on industrial cybersecurity?

There is a fair bit in the report about ransomware tactics, but let me give you some examples. First, the most sophisticated of today’s ransomware groups are either backed by nation-states – think North Korea – or are wealthy enough to build their nation-state-style attack tools, or they are actively buying and selling attack tools with nation-states. This means that the most sophisticated ransomware criminals are now nation-state grade. In the past, many of us might have thought, “Oh – my OT site is not important enough to be the target of a nation-state-grade attack,” and so we put limited cyber defenses in place. Today, nation-state-grade ransomware targets everyone with money. Do we have money?

Second, a significant fraction of ransomware impacts on OT is because of dependencies. Ransomware hits the IT network, encrypts a lot of stuff, and so cripples a large batch of IT servers and services. OT shuts down. Why? It turns out that our OT automation systems needed some of the IT services that were crippled.

Even if ransomware never touches the OT network, we must shut down production because production-critical services on the IT network are no longer available. This dependency problem is really only just starting to become widely known. OT security practitioners really need to ask themselves how they depend on IT services, and whether it is acceptable to shut down physical operations if some attack cripples IT.

The report mentions ‘near miss’ incidents in critical infrastructure industries. How important is the analysis of these near misses in strengthening OT cybersecurity?

We do not document all near misses, only the ones we think we can learn the most from. For example, the Volt Typhoon was important because it was subtle and the enemy persisted in critical infrastructure organizations for a long time. And the Russian attacks in Denmark were important, again because they provided evidence of nation-state activity targeting critical infrastructures.

How significant is the role of insider threats in OT cyber attacks, and what measures can organizations implement to mitigate this risk?

Well, the report is not all bad news, we cover the most important defensive developments in 2023 as well. In our estimation, the new Cyber-Informed Engineering (CIE) initiative at Idaho National Laboratory is the most promising development in OT security in over a decade. If I may paraphrase, CIE positions OT security as a coin with two sides: one side teaches engineering teams about cyber threats and cyber mitigations, while the other side encourages engineering teams to apply powerful engineering tools to the task of preventing unacceptable consequences.

For example, network engineering approaches are being used increasingly at consequence boundaries – connections between networks with dramatically different worst-case consequences of compromise. The most common such example is unidirectional gateway technology – hardware-enforced, engineering-grade prevention of the propogation of cyber attacks from the Internet and IT networks into OT networks, even nation-state style attacks.

And to your question, for insiders, we see cybersecurity controls deployed routinely including identity and access management, detailed logging and forensics, as well as intrusion detection and practiced response teams.

CIE does not teach us to choose between one side of the coin or the other. We spend the entire coin. At Waterfall Security we work with the most secure industrial sites on the planet. We observe that the sites that use safety engineering, network engineering, and other engineering approaches most aggressively to address cyber threats, also use IT-grade cybersecurity protections most aggressively.

Engineering-grade mitigations have been under-emphasized in the past, and so there is a big opportunity to make more systematic use of these techniques. But cybersecurity is also important, especially to address insider threats, for which there are limited engineering-grade options for protection.

If your readers would like to dig deeper into threats or engineering-grade options for protections, we would love to meet with them at GISEC – Apr 23-25 in Dubai. Waterfall will be in the World Trade Center, D39, Hall 7 and you can make appointments to chat here.