Today we published our 2020 ICS Cybersecurity Year in Review report, an annual analysis of Industrial Control System (ICS)/Operational Technology (OT) focused cyber threats, vulnerabilities, assessments, and incident response insights. The ICS/OT community has long struggled with a lack of public insights into these types of problem areas. It is Dragos’s goal to share the observations and lessons learned with the industrial community for data-driven analysis and recommendations.
New this year, we’ve created an interactive ICS Cybersecurity Year in Review web page in an effort to make the insights and observations even more accessible to the wider community. Visitors can interact with data on threats, vulnerabilities, and lessons we learned from our customer engagements throughout 2020.
A Look Back at 2020
In 2020, the industrial community performed amazing feats to keep civilization running under extremely challenging circumstances with the global pandemic. Infrastructure providers kept key services and goods available including electric power, manufactured goods, water, oil and gas, mining, chemical, rail, and transport while many faced hardships globally. As a result of these efforts, organizations shifted in how they conducted business to include an increasingly connected industrial environment. This is a trend that has existed for many years, even while many organizations still believed they had highly segmented or even air-gapped ICS networks.
The risk to ICS is not born from an IT and OT convergence, but instead from a convergence of an increasingly ICS-aware and capable threat landscape with the digital transformation and hyperconnectivity of the industrial community. Now in its fourth year, the 2020 ICS Cybersecurity Year in Review report captures how some of the community is performing and progressing, and areas of improvement that will be needed to continue to provide safe and reliable operations.
- 90% of service engagements included a finding around lack of visibility across OT networks.
- Four new threat groups with the assessed motivation of targeting ICS/OT were discovered, accounting for a 36% increase in known groups.
- The abuse of valid accounts was the number one technique used by named threats.
- 54% of service engagements included a finding about shared credentials in OT systems.
- 88% of service engagements included a finding about improper network segmentation.
- 43% of ICS vulnerability advisories contained errors that would make it difficult to prioritize mitigations.
- 64% of advisories that had no patch also had no practical mitigation advice provided by the vendor.
- 61% of advisories that had a patch did not have any alternate mitigation advice provided by the vendor except for applying the patch, which in many industrial organizations can be difficult or significantly delayed.
ICS Threat Landscape
ICS threat activity continues to rise – both in terms of the number of distinct groups we’re tracking and the industries and regions that they are targeting. Dragos analysts uncovered four distinct new ICS Activity Groups primarily targeting energy and manufacturing, known as KAMACITE, STIBNITE, TALONITE, and VANADINITE. Throughout 2020 the 11 Activity Groups identified prior to 2020 were also observed expanding their targeting to new sectors and regions, as well as modifying their behaviors with many seeking to exploit the tectonic shift to remote work to gain access to industrial networks.
Other top stories include the identification of EKANS (ransomware with ICS-specific functions) and the heightened focus on supply chain compromise with the SolarWinds news in December. With threats on the rise, there was also progress made in enabling IT security teams to better understand OT networks, threats, and potential impacts with the release of the MITRE ATT&CK for ICS framework, which Dragos intel analysts contributed heavily to.
Hear directly from three Year in Review report authors about these new activity groups during a 30-minute webinar panel on March 17th.
Dragos analyzed 703 ICS/OT vulnerabilities in 2020, a 23% increase over the prior year. The number of advisories with errors (43%) continued an upward trend, which is concerning and causes issues with triage. The frequency of advisories issued with no patch available and no alternate mitigation advice remained relatively consistent with our findings in 2019. Finally, there continues to be a large proportion of advisories that are released that can generally be ignored – meaning they contain no environmental context or useful information that can be actioned by an ICS defender.
Lessons Learned from the Front Lines
The Dragos Professional Services team was busy in 2020, working with more industrial organizations than ever before. With threats on the rise, we’re still seeing a majority of the organizations we work with struggle with OT network visibility and, hence, the ability to detect abnormal activity. Proper network segmentation and credential managements issues persisted. In fact, there was an increase in both areas compared to 2019. We did see some improvement in IT/OT collaboration, with a larger proportion of the orgs we worked with having a solid, ready-to-test Incident Response Plan (IRP).
As organizations strategize a path forward, Dragos recommends five key OT cybersecurity initiatives to improve in 2021 and beyond. These are based on the empirical evidence provided throughout the report.
Recommendations for ICS Defenders
- Increase OT Network Visibility – 90% of service engagements included a finding around lack of visibility. Visibility includes network monitoring, host logging, and maintaining a Collection Management Framework (CMF).
- Identify & Prioritize Crown Jewels – 100% of external routable network connections to ICS environments were believed to be air-gapped. Crown Jewel Analysis identified a digital attack path to impact a critical physical process.
- Boost Incident Response Capabilities – 42% of IR services engagements discovered organizations did not have a suitable Incident Response Plan (IRP) and 75% had difficulty with declaring a cyber incident.
- Validate Network Segmentation – 88% of service engagements included a finding around improper network segmentation. This includes issues like weak or segmentation between IT and OT networks, permissive firewall rulesets, and externally routable network connections.
- Secure Credential Management – 54% of service engagements included a finding around shared credentials. This includes accounts shared between IT and OT, default accounts, and vendor accounts. Shared credentials enables adversaries to use Valid Accounts, which is the top TTP used by the ICS Activity Groups we track.
Ready to put your insights into action?
Take the next steps and contact our team today.