
The Past, Present, and Future

When you hear stories about cyber-attacks affecting operational technology (OT), it is easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments around the world really besieged by a relentless barrage of complex cyber-attacks? Answering that requires breaking down the different types of OT cyber-attacks and then looking back at all the historical attacks to see how those types compare.

The Types of OT Cyber-Attacks

Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In reality, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have blurred further over time. Therefore, we would like to begin this post with a discussion of the ways in which cyber-attacks can either target or simply impact OT, and why it is important for us to make the distinction going forward.

Figure 1: The Purdue Enterprise Reference Architecture

How we're defining OT

Before we define any type of OT cyber-attack, we need to define what we are considering as OT. Most OT environments are unique due to a number of factors, such as the different applications and use cases, the numerous vendor ecosystems, and the simple fact that there are multiple ways to engineer a physical process, to name just a few. Because of this, it helps to turn to the Purdue Enterprise Reference Architecture (PERA), commonly known as the Purdue Model, depicted in Figure 1.

From the top, it begins by outlining levels 4 and 5 as the Enterprise Zone, where traditional IT is found. Next is level 3.5, the Demilitarized Zone (DMZ), which acts as a separator between IT and OT and is, therefore, the OT's perimeter. The remaining levels below the DMZ are all OT. Levels 2 and 3 are similar in that they both may monitor, control, and even configure the physical environment. However, level 2 is usually specific to a single cell or process and perhaps even physically close to it, whereas level 3 is usually centralized, particularly in geographically dispersed organizations. Level 1 is the heart of OT, where devices such as programmable logic controllers (PLCs) sense and actuate the physical world according to the logic they have been given. Finally, we reach level 0, which, for all intents and purposes, is the physical world and contains the sensors and actuators that the PLCs use to manipulate it.

Security Navigator 2024 is Here – Download Now

The newly released Security Navigator 2024 offers essential insights into current digital threats, documenting 129,395 incidents and 25,076 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

What's Inside?

  • 📈 In-Depth Analysis: Explore trends, attack patterns, and predictions. Learn from case studies in CyberSOC and Pentesting.
  • 🔮 Future-Ready: Equip yourself with our security predictions and research summary.
  • 👁️ Real-Time Data: From Dark Web surveillance to industry-specific statistics.

Stay one step ahead in cybersecurity. Your essential guide awaits!

🔗 Get Your Copy Now

The different types of OT cyber-attacks are not necessarily defined by the assets they impact but rather by the assets they target and how they are targeted; more specifically, the precision, skillset, and intent with which they are targeted. While that distinction may sound pedantic, it changes the threat landscape that defenders need to consider and makes it challenging for traditional IT controls to keep up. There are five types of OT cyber-attacks that can be grouped into two distinct categories; let's explore them.

Category 1: IT TTPs

The first category of cyber-attacks endured by OT is the most frequent in public reports. These attacks are characterized by the use of only IT tactics, techniques, and procedures (TTPs), but they still manage to affect production in some way. There are three types of OT cyber-attack in this first category.

Type 1a: IT targeted

The first type, 1a, occurs when the OT environment is not even reached by an adversary. So, as far as the adversary is concerned, their attack does not target the victim's OT. Instead, there are cascading impacts from an uncontained IT cyber-attack, such as cyber extortion (Cy-X) disrupting shipping systems in a way that requires production to stop. The OT impacts of this can range from a temporary loss of telemetry all the way to a complete loss of production and a complex, time-consuming process to bring it back online. It is important to note that every IT cyber-attack type could result in a disconnect or shutdown of the OT environment as part of the response and recovery efforts, which could ultimately cause similar effects.

Type 1b: IT/OT targeted

The second type, 1b, is when the OT is reached by an adversary either by accident or simply because they could. Still conducting IT TTPs, the adversary may deploy ransomware or exfiltrate data for double extortion. However, perhaps due to a weak or non-existent DMZ, the adversary's attack may extend to some OT assets in levels 2 or 3 of the Purdue Model. The affected OT assets may include devices such as engineering workstations, Windows-based human-machine interfaces (HMIs), and other IT-based technology. Although the adversary has managed to directly affect OT assets, the targeting is usually not deliberate. The impact of this attack type may include loss of configurability or even control of the OT environment.


Type 1c: OT targeted

The third type in this category, 1c, is the most nuanced and the closest in nature to the next category. Here, an adversary with little to no OT capability may deliberately target the Windows-based OT assets of an organization with IT TTPs. This may be to provoke more of a response from the victim or to cause a more serious impact than from just affecting IT. This attack type may deliberately target OT assets, but only those with which an IT-focused adversary would be familiar. There is otherwise no OT-specific intent or capability in such an attack, nor is there any precision in the way production is impacted. As with type 1b, the impact of this type of attack may include loss of configurability or control of the OT environment, and production is only likely to be affected by cascading effects or by response and recovery efforts.

Category 2: OT TTPs

The second category consists of the two types that probably spring to mind whenever OT cyber-attacks are mentioned. These are characterized by the inclusion of OT-specific TTPs and have the primary intention of directly affecting production in some way.

Type 2a: OT targeted, crude

The fourth type overall and the first of the second category, 2a, is commonly known as the 'nuisance attack'. This type of cyber-attack relies on the adversary reaching the OT, regardless of the DMZ. It leverages rudimentary OT-specific knowledge and TTPs, but in a blunt fashion with little precision or complexity. Rather than just disrupting Windows-based assets, as in category 1 attacks, it may target OT assets in deeper levels of the Purdue Model, closer to the physical process, such as PLCs and remote telemetry units (RTUs). The OT-specific techniques leveraged are crude and frequently rely on publicly known exploitation frameworks and tooling. The impact of this type of OT cyber-attack will often involve stopping PLCs cycling or imprecisely altering PLC outputs. This will undoubtedly affect production, but such blunt attacks are often overt and trigger a swift response and recovery effort.

Type 2b: OT targeted, sophisticated

The final type, 2b, is the most advanced but also the most rarely observed. By exercising advanced OT capability, these cyber-attacks are precise and complex in both their execution and impact. They involve extensive process comprehension, an OT-specific tactic of gathering information to understand the physical environment and how the OT interacts with it. Adversaries craft an attack that is bespoke to the OT environment they have gained a foothold in and affect it in a very deliberate way. The potential impacts caused by this type of OT cyber-attack are near limitless but depend heavily on the process in question. It is unlikely the impacts would be overt or simple, such as stopping the process, unless it was done in an extreme and permanent way. Instead, the intended impacts are more likely to involve, for example, stealthily degrading the process or exfiltrating details of it to replicate it elsewhere.

Why this is important

It turns out there is a skew towards category 1 attacks (as we pointed out earlier in this blog), which may be saving us from the much-vaunted OT apocalypse. Many current OT cyber security controls and concepts are borrowed from IT, and as such, they are better at detecting and preventing category 1 attacks. However, as access to knowledge and equipment grows and as adversaries build up greater capabilities to specifically target OT, there is a real possibility that we will see a growing number of category 2 attacks. Developing the relevant OT cyber security controls to detect and prevent them is the first step in preparing for that. To do that, we need to distinguish the categories and types of attacks to better understand how and when these category 2 attacks are on the rise.

35 Years of OT Cyber-Attacks

The types of OT cyber-attacks we have defined and the reasons why they are important all rely on some bold claims. So, rather than expect you to take our word for it, we thought we would put them to the test. To do this, we collected and analyzed every publicly reported OT cyber-attack we could find from 1988 to 2023. Below is an excerpt from our analysis; the full version and a clear methodology can be found in the Security Navigator 2024.

The most notable aspect of the 35 years of OT cyber-attacks was the surge of attacks perpetrated by cyber criminals beginning in 2020. This surge is consistent with the arrival of double extortion and therefore conforms with our Cy-X data.

Figure 2: Count of victim sectors per year

The rise of double extortion did not just change the overall types of adversaries attacking OT; it also changed the victim sectors affected. When we break down the victim sectors by year, we also see a significant shift from a diverse range of sectors to being heavily manufacturing-focused. However, given that Cy-X tends to favor targeting manufacturing, this makes sense.

Figure 3: Flows from year to adversary to category to type to Purdue depth

Figure 3 shows us the flows of OT cyber-attacks. The year of an attack, grouped into 5-year bins for readability, flows from the left into the adversary that carried out the attack. The attack flow continues from the adversary to the category of OT cyber-attack, through to the type. Finally, the type of attack flows into a representation of the deepest level of the Purdue Model the attack reached in terms of targeting (it may have impacted the OT completely, even from Level 5).

The immediate takeaway from this visualisation is the drastic increase in attack frequency in 2020, which overwhelmingly saw criminals employing IT TTPs against IT targets, resolving at levels 4 and 5 of the Purdue Model. This reinforces the two narratives we described occurring before and after the arrival of double extortion in 2020.

Delving into a deeper analysis of the categories and types, it becomes clear that a significantly larger number of cyber-attacks that cause OT impact are category 1 and use only IT TTPs, at 83% of the total. This is reinforced by the large representation of type 1a attacks at 60% of the total, which specifically target the IT, meaning levels 4 and 5 of the Purdue Model. By comparison, attacks that included the use of OT TTPs were poorly represented at 17% of the total.

So, where do we go from here? What will the future hold? Are OT cyber-attacks all just IT TTPs on IT targets with circumstantial OT impact? Or could we see the relentless onslaught from criminals turn towards category 2 attacks for greater brutality?

Will Criminals Turn to OT TTPs?

Regardless of the organizations that use OT, the current type 1a Cy-X attacks appear to be relatively successful for criminals, and the veritable pandemic may get worse before it gets better. However, if organizations begin to build up resilience to contemporary Cy-X attacks, whether through good backup processes or otherwise, it is logical that criminal modus operandi (MO) will change. Given the prevalence of OT-using organizations as Cy-X victims, could we see that change in MO be towards category 2 OT cyber-attacks? Fortunately, to facilitate a discussion around that question, we can turn to routine activity theory (RAT).

RAT is a criminological theory that states a crime is likely to occur when three elements are present: a motivated offender, a suitable target, and the absence of a capable guardian. Here we will provide a brief discussion of each element based on what we have seen so far.

Motivated offender

As can be seen from the OT cyber-attack data we have presented here, for whatever reason, criminals currently have a penchant for organizations that happen to use OT. What's more, the way current Cy-X attacks heedlessly affect their victims' OT environments makes it clear that criminals are not concerned about physical consequences. Either that, or they are possibly even intentionally creating threats to safety. Finally, if we see ransom payments for IT-focused Cy-X decline, that will likely pressure criminals into changing their MO to something for which their victims are less defensively prepared.

Suitable target

Criminals may already be specifically targeting organizations that use OT because they see the effect of impacting production as valuable. If current methods for doing this, such as type 1a Cy-X attacks, decline in reliability, criminals may seek to target the OT directly instead. In our data, 40% of all OT cyber-attacks and 16% of those carried out by criminals managed to reach the operational technology and affect it. These were type 1b, 1c, 2a, or 2b OT cyber-attacks. Adversaries and, to a lesser extent, criminals are already accessing OT environments. Should they require access to deliberately target the OT, it is not inconceivable that criminals would be able to achieve it.

One major consideration regarding whether OT is a suitable target is its unfamiliar context to most criminals. However, while they would need to develop technical capability, there is a growing base of OT cyber security knowledge in the form of courses, books, talks, and even dedicated conferences from which they could learn. Furthermore, OT devices such as PLCs and HMIs are becoming less prohibitively expensive for learning and eventual attack testing. All of this culminates in lowering the barriers to entry from a technical perspective.

The most fundamental point of this section is the suitability of the victim organisation itself. This suitability consists of a large attack surface, available time for the adversary to conduct the attack, and the value particular assets may have to the victim. As we can see in historical Cy-X attacks, adversaries are already finding plenty of vulnerabilities to exploit in their victims and clearly do not often encounter what would be described as best practice cyber security.
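To make the taxonomy concrete, here is an added example (not from the article or Orange Cyberdefense) that classifies incident records into the five types using the deepest Purdue level targeted, whether OT TTPs were used, and whether OT assets were deliberately chosen, then aggregates them into the year-to-depth flows of Figure 3 and the category and type percentages quoted above. The `Incident` fields and the sample records are constructed assumptions, not the article's dataset.

```python
from collections import Counter
from dataclasses import dataclass

# Purdue Model (Figure 1): 4-5 enterprise IT, 3.5 DMZ, 3..0 OT. Reaching an OT level
# is what separates type 1a from every other type.
OT_LEVELS = {3, 2, 1, 0}

@dataclass(frozen=True)
class Incident:
    year: int
    adversary: str         # e.g. "criminal", "state", "hacktivist" (assumed labels)
    deepest_level: float   # deepest Purdue level the attack targeted
    ot_ttps: bool          # OT-specific TTPs used (category 2)
    deliberate_ot: bool    # OT assets chosen on purpose (1c) rather than incidentally (1b)
    precise: bool = False  # bespoke, process-aware attack (2b) rather than crude (2a)

    def __post_init__(self):
        # Using OT TTPs implies an OT level was reached; reject inconsistent records.
        if self.ot_ttps and self.deepest_level not in OT_LEVELS:
            raise ValueError("OT TTPs recorded but no OT level was reached")

def classify(inc: Incident) -> str:
    """Return the article's type label (1a, 1b, 1c, 2a or 2b) for one incident."""
    if inc.ot_ttps:
        return "2b" if inc.precise else "2a"
    if inc.deepest_level not in OT_LEVELS:  # stopped at IT (4/5) or the DMZ (3.5)
        return "1a"
    return "1c" if inc.deliberate_ot else "1b"

def year_bin(year: int) -> str:
    start = year - year % 5  # the 5-year bins used on the left of Figure 3
    return f"{start}-{start + 4}"

def flows(incidents) -> Counter:
    """Count the year-bin -> adversary -> category -> type -> depth paths of Figure 3."""
    return Counter((year_bin(i.year), i.adversary, "class " + t[0], t, i.deepest_level)
                   for i in incidents for t in [classify(i)])

def proportions(incidents) -> dict:
    """Percentage of incidents per type, per category, and that reached OT at all."""
    n = len(incidents)
    types = Counter(classify(i) for i in incidents)
    pct = {t: round(100 * c / n) for t, c in sorted(types.items())}
    for cat in ("1", "2"):
        pct["class " + cat] = round(100 * sum(c for t, c in types.items() if t[0] == cat) / n)
    pct["reached OT"] = round(100 * sum(i.deepest_level in OT_LEVELS for i in incidents) / n)
    return pct

# Constructed sample records (not the article's dataset), skewed the way its data is.
SAMPLE = [
    Incident(2016, "state", 1, ot_ttps=True, deliberate_ot=True, precise=True),
    Incident(2019, "hacktivist", 1, ot_ttps=True, deliberate_ot=True),
    Incident(2020, "criminal", 5, ot_ttps=False, deliberate_ot=False),
    Incident(2020, "criminal", 4, ot_ttps=False, deliberate_ot=False),
    Incident(2021, "criminal", 3.5, ot_ttps=False, deliberate_ot=False),
    Incident(2021, "criminal", 2, ot_ttps=False, deliberate_ot=False),
    Incident(2022, "criminal", 5, ot_ttps=False, deliberate_ot=False),
    Incident(2022, "criminal", 5, ot_ttps=False, deliberate_ot=False),
    Incident(2023, "criminal", 5, ot_ttps=False, deliberate_ot=False),
    Incident(2023, "hacktivist", 2, ot_ttps=False, deliberate_ot=True),
]
```

Running `proportions(SAMPLE)` on these constructed records gives 60% type 1a, 80% category 1 and 40% reaching OT, the same shape of skew the article reports, while `flows(SAMPLE)` yields the path counts a Sankey diagram like Figure 3 is drawn from.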


The uptime and efficiency of an OT environment is often well quantified, meaning the value of OT impact is likely not as nebulous as that of encrypted or leaked data. All of this presents a clearly suitable target in OT-using organizations.

Absence of a capable guardian

If criminals consider moving away from conducting category 1 Cy-X with IT TTPs, it will primarily be in response to effective guardianship from IT cyber security controls. Therefore, they may move to exploit the difficulty of defending against OT TTPs that is caused by a lack of available controls specifically made for OT.

Technical security controls are not the only form of capable guardian, of course. RAT considers other forms of guardianship, such as informal (community) and formal guardianship. The latter, formal guardianship, implies efforts made by law enforcement and governments. Ultimately, OT will face the same challenges in disrupting the criminal ecosystem, and so the absence of a capable guardian, or of its effectiveness in disrupting crime, is a realistic outlook.

A POC: Dead Man's PLC

While we have been considering whether there may be a shift to criminals targeting OT with category 2 cyber-attacks, we have been working on some interesting, speculative research. It has culminated in a novel and pragmatic Cy-X technique specifically targeted against OT devices; namely, PLCs and their accompanying engineering workstations. We call it Dead Man's PLC.

Dead Man's PLC begins at the engineering workstation, the asset where engineers create configurations and load them onto PLCs throughout the OT environment. As we have seen, there is no shortage of OT cyber-attacks reaching the depths of the Purdue Model where engineering workstations may reside, typically levels 2 or 3 depending on a number of factors.

Once the criminal is on the engineering workstation, they can view the current 'live' PLC code in its project files, edit it, and download new configurations to the PLCs. Dead Man's PLC takes advantage of this capability, as well as existing OT functionality and seldom-used security controls, to hold the victim's entire operational process and, by proxy, the physical world to ransom.

Dead Man's PLC works by adding to the legitimate, operational PLC code to create a covert monitoring network, whereby all the PLCs remain functional but are constantly polling one another. If the polling network detects any attempt by the victim to respond to the attack, or the victim does not pay their ransom in time, polling will cease, and Dead Man's PLC will trigger, akin to a dead man's switch, and detonate. Detonation involves deactivating the legitimate PLC code, which is responsible for the control and automation of the operational process, and activating malicious code that causes physical damage to operational devices. This leaves the victim with no realistic option but to pay their ransom; their only alternative recovery strategy is to gracelessly shut down and replace every affected PLC in their operational process, which will cost them lost production time, damaged goods, and the cost of new assets.

If you would like to read more about Dead Man's PLC and how it works, see its dedicated research paper on this topic.

Summary: What does this all mean?

This analysis has explored the history of OT cyber-attacks to understand the changing landscape and what we may face in the imminent future. The recent data from 2020 onwards, when split into its categories and types, reveals that we should not believe the hype around OT cyber-attacks. Instead, we should be focusing on tackling the Cy-X problem itself in the short term. This means building operational resilience and confidence in our OT to withstand attacks on Levels 4 and 5 of the Purdue Model. We are, however, aware that this is easier said than done.

It would not be prudent to outright declare that criminals are going to begin attacking OT with novel Cy-X techniques in response to less reliable ransom payments either.

However, it also would not be prudent to say this is never going to happen. At the risk of sitting on the fence, we will say that there is a genuine possibility that we may see Cy-X evolve to target OT-specific assets; it may just take a particularly innovative Cy-X group to do so.

This is just an abridged version of one of the stories found in the Security Navigator. Other exciting research, like a study of Hacktivism and an analysis of the surge in Cyber Extortion (as well as a ton of other interesting research topics), can be found there as well. It is free of charge, so take a look. It is worth it!

Note: This informative piece has been expertly crafted and contributed by Dr. Ric Derbyshire, Senior Security Researcher, Orange Cyberdefense.
