OT Cyber Security Threats to Watch Out in 2022
Operational technology (OT) systems, such as industrial control systems and SCADA, were overlooked by cyberpunks in the past. Robbing OT system data was challenging as it was not connected to external networks.
But that’s no longer the point. Today, multiple industrial systems are linked to company networks with access to the Internet and utilize everything from interconnected sensors to big data analytics, to provide operational progress. This convergence and integration of OT and IT have increased cyber-risks, including effective and harmful cyber incidents across both IT and OT.
Cybersecurity threats in the world of OT are diverse from IT, as the effect goes beyond losing data, reputational harm, or the decay of customer trust. An OT cybersecurity incident can lead to production loss, damage to equipment, and environmental release.
In 2022, cyber threats are expected only to increase. It’s essential to have strong network and security devices to protect the organization. Undoubtedly no one can predict the upcoming cyber threats; let’s discuss the top 10 cyber threats to watch out for in 2022.
Ransomware Attacks
In such an attack, the target’s device is locked, generally by encryption, stopping them from operating the device and everything reserved in it. The target has to pay the ransom in virtual currency to regain access to his device. However, ransomware is usually dispersed through malicious email extensions, contaminated software apps, compromised websites, or infected external storage.
According to expert predictions, the expense of ransomware damage is anticipated to surpass $265 Billion by 2031. The prediction states that there can be a new attack every 2 seconds, as ransomware criminals progressively modify their malware payloads and connected extortion activities.
Man-in-the-Middle Attacks
Man-in-the-middle (MitM) attacks are when cyberpunks spy on the communication between two parties. These attacks are typically used to rob personal or company data or redirect that data to another destination or in spying cases, such as when Russian cyberpunks tried to breach the Organization for the Prohibition of Chemical Weapons (OPCW).
MitM attacks deliver a threat for organizations as more workers work remotely post-2020.
Vendor Backdoor Attack
In the backdoor attack, an industrial site has outsourced a remote support function to a control system. A software developer at a software vendor inserts a back door into software used on industrial control systems networks. The software may be ICS software or driver, management, operating system, networking, or other ICS components.
The back door may have been installed with the permission of the software vendor as a “support mechanism” or may have been installed secretly by a software developer with malicious purposes. The software scans the vendor website weekly for software updates and informs the user through a message on the screen when an update is known. The software also, unknown to the end-user, forms a steady connection to update notification on the website when the website demands and permits personnel entry to the website to operate remotely on the machine on the ICS network.
Cyberpunks find this back door and compromise the vendor’s software-update website with a password-phishing attack. The attackers then use the back door to damage operations at industrial sites associated with businesses the hacktivists have imagined that they have some objection against. Anti-virus systems are unlikely to find this back door since this is not the autonomously-propagating kind of malware that AV systems are developed to find out. Sandboxing systems are dubious about finding it either since the only network-aware behavior visible by those systems is a periodic call to a legitimate vendor’s software update site requesting update instructions.
Distributed Denial of Service Attacks
Distributed denial of service (DDoS) attacks hinder traffic to the website, application, server, service, or web by overflooding it with traffic from compromised computer networks (botnets) that obstruct real users from accessing it. In 2018, GitHub encountered the most significant DDoS attack ever when it crashed with 1.35 terabits of traffic per second. According to Kaspersky, DDoS attacks are only expected to increase in 2022.
Compromised Vendor Website
Cyber attackers find a poorly-defended ICS vendor website in the compromised vendor website attack and compromise it. They download the latest documents of the vendor software and study it. They learn where the name or some other identifier for the industrial site is reserved in the system.
These attackers are dissatisfied with some industrial enterprises for imagined environmental or other offenses and search the shared media to decide which of these companies use the compromised vendor’s software. The attackers use the compromised website to unload the latest security update for the ICS software and insert a small script. The attackers repack the safety update, sign the modified update with the secret key on the web server, and post the hacked update and a new MD5 hash for the update.
Over time, many sites download and install the compromised update. At each target, the script triggers. If the script fails to find the name of the targeted company in the control system, the script does nothing. When the script finds the name, it installs another small script to function one week later, erasing the hard drive and triggering an unexpected and perhaps uncontrolled shutdown. The one-week delay in outcomes makes tracing the attack back to the software update somewhat more complex.
Compromised Remote Site
In a SCADA system that might handle an electric or water distribution system, a cyberpunk targets a substation or pumping station that is physically remote from any possible witnesses. The attacker physically cuts the padlock on a wire fence around the remote station and penetrates the physical site. The attacker discovers the control equipment shed – typically the only roofed structure at the site – and again forces the door to enter the shed. The attacker discovers the only rack in the small area, plugs a laptop into the Ethernet switch in the rack, and tapes the laptop to the base of a piece of computer equipment low in the rack where it is unlikely to be noticed. The attacker then leaves the site.
An investigation follows, but the investigators discover only physical damage and nothing seemingly missing. The extra laptop hidden low in the rack is not detected. A month later, the attacker parks a car near the remote site and operates with the laptop via Wi-Fi, listing the network and discovering the connections back into the central SCADA site. The attacker uses the laptop to enter equipment at the remote site, and from there into the central SCADA system. The attacker then utilizes Ukraine-style techniques to cause physical shutdowns.
ICS Insider Threats
In the ICS insider attack, a disgruntled control-system technician steals passwords by “shoulder surfing” other technicians, logs into equipment controlling the physical process using the stolen passwords, and issues shut-down instructions to parts of the physical process, automatically triggering a partial plant shut-down.
Hijacked Two-Factor
Sophisticated attackers aim to compromise operations at an industrial site protected by best practice industrial security. They insert custom RAT malware to evade antivirus systems and target technicians at the industrial site using social media research and targeted phishing emails. The support technicians start malware attachments and authorize administrative privileges because they assume the malware is a video codec or some other legitimate-seeming technology.
Rather than activate the RAT at the industrial site, where the site’s sophisticated intrusion detection systems might catch its operation, the cyberpunks wait until the technician target is on their home network but must log in to the industrial site remotely to go through some problem. The technician activates their VPN and logs in using two-factor authentication. At this point, the malware starts, moving the Remote Desktop window to a hidden extension of the laptop’s screen and showing the technician a tricky error message, such as “Remote Desktop has halted responding. Click here to try to solve the problem.” The malware delivers remote control of the hidden Remote Desktop window to the cyberpunk.
The technician initiates another Remote Desktop session to the industrial site, assuming nothing of the interruption. In this way, sophisticated attackers have entry to industrial operations as long as the technician’s laptop and VPN are enabled. The only indication of the ICS IDS’s issue is that the technician logged in twice. The attackers ultimately understand enough about the system to misoperate the physical operation and cause severe damage to equipment or cause an environmental tragedy through a release of toxic materials.
Hardware Supply Chain
A hardware supply chain attack occurs when a physical component of a machine is tampered with in some way. These kinds of attacks are relatively infrequent.
To date, much priority has been placed on controlling and mitigating attacks on the hardware supply chain. A hardware supply chain attack is highly complex to analyze and costly because hardware cannot be repaired or fixed remotely.
Password Spraying Attacks
Password spraying is also a sort of brute-force attack where cyber criminals try to guess a user’s password from a checklist of expected passwords like “123456” or “password.”
Similar to credential stuffing, password spraying is also increasing day by day. People must be aware of these types of attacks and must update their passwords on a regular basis.
Final Thoughts
As modern technologies evolve continuously and people become more and more dependent on them, the chances of being hit by cybersecurity attacks increase. Like hacking and losing confidential information, cyber attacks can have devastating consequences on any company.
The COVID-19 pandemic has accelerated digital modification for many companies globally. With the new remote working system, the risks and threats to critical data have increased.
Cyber security is one of the biggest threats for organizations and a significant-top priority concern in the global risk landscape. It is required that the entire organization, including all employees, are trained and equipped to defend themselves against cybercrime. A prepared IT Department will not be enough to protect an organization. OT cyber threats are a serious concern as they may harm people’s lives.
Uncover more about OT cyber security in this new eBook from ATS. Be one of the first to have a copy of the ATS eBook on Operational Technology (OT) Cyber Security and download your free copy today.
