COMMENT
Waterfall Security Solutions, in collaboration with ICS Strive, recently released its “Threat Report 2024.” The bad news is that, in 2023, there were 68 cyberattacks that shut down more than 500 brick-and-mortar operations. The good news (sort of) is that that’s only 19% more attacks than in the year previous What’s happening? Ransomware attacks with physical consequences are slightly down, hacktivist attacks are constant, and everything else is increasing. The report’s authors conclude that the 19% increase is most likely an aberration that we will see an increase close to 90%-100% in the future.
The details
Waterfall’s Operational Technology (OT) Security Threat Report is the most cautious in the industry: it tracks only deliberate cyberattacks that caused physical consequences in building automation, heavy industry, manufacturing and industrial infrastructure criticisms in the public register. That is, no private or confidential disclosures. The report’s full data set is included in its appendix. This means that the report is definitely an underestimate of what is really happening in the world, because the authors regularly report confidential disclosures that they cannot include in their counts.
OT incidents since 2010. Source: “2024 Threat Report”, Waterfall Security Solutions, in collaboration with ICS Strive
More attacks
Despite this undercount, cyber attacks that met the inclusion criteria continue to increase, nearly doubling every year since 2019. This is a big change from the 2010-2019 period, when OT attacks with physical consequences were stable, bouncing between zero and five attacks per year.
Threat actors. Source: “2024 Threat Report”, Waterfall Security Solutions, in collaboration with ICS Strive
What are these attacks? In 24 of 68 cases, there was insufficient information in public records to attribute the attack. Of the remaining, 35 attacks (80%) were ransomware, six (14%) were activist hackers, two were supply chain attacks, and one was attributed to a nation state. The 35 ransomware attacks are down slightly from 41 last year, which is unexpected given that ransomware attacks against IT networks continue to increase between 60% and 70% per year, depending on the report. Why? In part, because public reporting was less detailed this year, there were many more “unknown” threat actors this year.
Another factor has to do with the fact that most ransomware attacks that have impacted physical operations have only happened accidentally, or due to issues “abundance of caution” OT shutdowns, when IT is compromised or physical operations depend on a crippled IT infrastructure. In 2023, we saw a significant fraction of criminal groups dealing with ransomware abandon encryption and deactivation systems to simple data theft and ransom demands to destroy the stolen data rather than publish it. With fewer IT systems crippled by encryption, it appears that fewer OT systems and physical operations will be compromised.
We expect this trend to stabilize in 2024 and for OT impacts due to ransomware to return to the recent historical norm of nearly doubling annually. Why? Because not all companies have data that they are willing to pay to protect. Such companies, especially critical infrastructure, could still pay a ransom to restore functionality to crippled systems, so it makes sense that at least some ransomware criminals leave no money on the table and continue to cripple servers, as well as steal what data they can.
Supply chain
Supply chain attacks with physical consequences occurred this year for the first time in many years. Newag SA has been accused of incorporating codes into its trains to maximize revenues for authorized repair shops. He is accused of having acted for “block the train with fake error codes after a certain date, or if the train has not been running for a period of time.” Part of the code was found to contain GPS coordinates to limit the behavior to third-party workshops. Newag denies the allegations, blaming “unknown hackers And in an apparent contract dispute, ORQA, a maker of first-person-view (FPV) virtual reality headsets, has had its products blocked by what it describes as a “greedy former contractor.”
Wrapping up
The report contains many other findings: GPS blocking and spoofing are becoming a widespread problem, manufacturing companies are responsible for more than half of outage attacks, hacktivists are targeting critical infrastructure, and there is an alarming series of near misses, including the many critical infrastructures and services targeted China’s Typhoon Volt “living off the land” campaign. The report also touches on promising new developments on the defensive front, including the Computerized engineering strategy.