Assessing Threats to European Industrial Infrastructure

Europe’s Industrial Infrastructure cyber landscape faces distinctive threats, both from Dragos-tracked Activity Groups and cyber criminals. The high interdependence yet independently managed and operated nature of industrial operations across Europe present a unique regional systematic risk where a threat to one European country is a threat to operations in other countries.

Dragos assesses with high confidence that the biggest cybersecurity weaknesses European asset owners currently face are a lack of asset visibility into their network and weak network authentication policies. Without asset visibility organizations are unable to properly secure their Operational Technology (OT) environments as defenders cannot protect what they cannot see. Industrial operators should evaluate and implement the principle of least privilege to limit unauthorized access to OT environments.

Additionally, increasing regional tensions are likely to result in industrial operations impact from criminal and other adversaries. Particularly of concern are geographically dispersed industrial operations such as renewable electric generation, upstream and midstream oil and gas, water and wastewater management, and electric transmission.

Key Findings

1. Dragos-tracked Activity Groups target European entities with disruptive and destructive attacks. Even if not currently active, Dragos assesses with moderate confidence these groups likely maintain this level of capabilities, should a situation warranting such use reoccur.
2. While all private and public European industrial entities face a threat from ransomware operators, small- and medium-sized manufacturing firms in Italy, Germany, Austria, and Switzerland are at the highest risk for targeting, specifically by Ransomware-as-a-Service groups, due to lack of IT/OT security and obscured asset visibility.
3. Oil and Natural Gas assets, including key regasification plants such as those located in Rotterdam, present a target for adversaries looking to disrupt the flow of Oil & Natural Gas (ONG) energy into Europe.
4. The UK Electric sector is at risk of disruption by adversaries capable of carrying out coordinated attacks against multiple power stations. The Transmission sector is also at risk due to the limited number of controlling parties, though these entities generally demonstrate a greater degree of defense in depth.
5. Public and private entities will continue to struggle with widely acknowledged threats to OT environments, including those brought by insiders, supply chain threats, intellectual property theft, and digital transformation. These threats may decrease as organizations invest in cybersecurity programs and progress in maturity.
6. Finally, European organizations face unique risks from political and economic threats in both the near- and far-term abroad. Historic adversary operations against industrial infrastructure in Europe have been well documented, including a unique case in which attempted intellectual property theft resulted in extreme operational impact.

Ten of Dragos’s Activity Groups have conducted operations targeting European entities, including:

• XENOTIME
• MAGNALLIUM
• ELECTRUM
• ALLANITE
• CHRYSENE
• KAMACITE
• COVELLITE
• VANADINITE
• PARISITE
• DYMALLOY

Dragos assesses with moderate confidence Europe is at low risk for widespread industrial infrastructure-targeted destruction and disruption campaigns originating from cyber attacks due to the deterrence posed by potential political and economic impact as well as the direct effect on civilian lives and infrastructure. Additionally, Dragos assesses with low confidence Europe is at a low risk for localized or small-scale disruption or destruction, as motivated state-executed adversaries may perform low-stakes operations when deemed politically or economically advantageous. Ransomware remains a threat to Information Technology (IT) and OT environments.

Vulnerabilities in OT-specific devices and services can introduce risk to the operating environment. As of February 2022, Dragos researchers assessed and validated 1301 advisories [3286 individual Common Vulnerabilities and Exposures (CVEs)] impacting industrial equipment worldwide. Of these, 216 advisories (483 individual CVEs) directly impact Europe, as they are from vendors that European entities use, according to U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisories analyzed by Dragos vulnerability analysts.

Of these 483 Europe-specific vulnerabilities:

• 310 (64%) required an adversary to be on the network to exploit them.
• 108 of these advisories could cause a loss of view and/or control within a compromised environment.
• 28% of all advisories affecting European systems contained Common Vulnerability Scoring System (CVSS) errors.
• 17% of all advisories have a public Proof of Concept.
• 23% of advisories had no patch.

Additional information regarding the European Industrial Infrastructure cyber threat landscape, including assessments of activity conducted following the Russian invasion of Ukraine and in-depth defensive recommendations, can be found in the full analysis here.

< class="mini-cta__header heading--3"> Get the latest threat intelligence

Understand the European cyber threat landscape and how to protect against specific threat behaviors with this free report from Dragos.

Learn more