
2021 Year In Review

Dragos's annual ICS/OT Cybersecurity Year in Review provides an overview and analysis of ICS vulnerabilities, global threat activity targeting industrial environments, and industry trends and observations gathered from customer engagements worldwide. Our goal is to give asset owners and operators proactive, actionable information and defensive recommendations in order to prepare for and combat the world’s most significant industrial cybersecurity adversaries.
The 2021 Year In Review follows the same interactive web experience as last year’s review and includes an in-depth report as well as an executive summary.

Threats

Growth of ICS-Focused Threat Activity Groups

Visibility into the industrial threat landscape has never been better. Dragos has been tracking ICS Threat Activity Groups since its inception in 2016. In 2021 we discovered 3 new activity groups, bringing the total of tracked groups to 18 worldwide.

In the animated graphic below, you’ll see the sectors and regions in which Dragos analysts have observed this ICS-targeting threat activity over time.
[Animated graphic: ICS-targeting threat activity observed by Dragos, 2014 through 2020, broken out by sector (Electric, Oil & Gas, Manufacturing, Transportation, Chemical) and region (North America, Europe, Africa, Middle East, Asia Pacific).]
Disclaimer: this data only represents public reporting. Customer confidential information is not shared.

Timeline

TIMELINE OF ICS THREAT ACTIVITY IN 2021

  • 02.21 Cyber Attack: Oldsmar Municipal Water Attack
  • 02.21 Activity Group Update: STIBNITE renewed activity
  • 03.21 Malware: Honeywell Breach
  • 03.21 Activity Group Update: KAMACITE renewed activity
  • 03.21 Activity Group Update: Dragos identifies new Activity Group, KOSTOVITE
  • 04.21 ICS Cybersecurity Advancement: Biden Administration Announces 100-Day Plan to Address Cybersecurity Risks to the U.S. Electric System
  • 05.21 Ransomware: Colonial Pipeline Ransomware Attack
  • 05.21 Ransomware: JBS Foods Ransomware Attack
  • 05.21 ICS Cybersecurity Advancement: DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators
  • 06.21 ICS Cybersecurity Advancement: Energy and Commerce Committee passed 4 energy cybersecurity bills
  • 06.21 Vulnerability: Windows Zero-Day Vulnerability: PrintNightmare
  • 07.21 ICS Cybersecurity Advancement: MITRE Engenuity Releases First ATT&CK® Evaluations for Industrial Control Systems Security Tools
  • 07.21 ICS Cybersecurity Advancement: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure
  • 08.21 Activity Group Update: KAMACITE renewed activity
  • 09.21 Ransomware: New Cooperative Ransomed
  • 10.21 Activity Group Update: Renewed WASSONITE activity
  • 11.21 New Activity Group: ERYTHRITE
  • 12.21 New Activity Group: PETROVITE
  • 12.21 Vulnerability: Apache Log4j Vulnerability
  • 12.21 Cyber Attack: Cyber adversaries used HP iLO rootkit to wipe servers

Vulnerabilities

2021 ICS Vulnerabilities

In 2021, Dragos Threat Intelligence assessed 1,703 ICS/OT common vulnerabilities and exposures (CVE) reported by a variety of sources including independent researchers, vendors, and ICS-CERT. The key findings are summarized below.
Year-over-year change is shown in parentheses.

Advisories with incorrect data
  2019: 30%   2020: 43% (+13%)   2021: 38% (-5%)
  Incorrect data can prevent operators from accurately prioritizing patch management.

Advisories with no patch
  2019: 26%   2020: 22% (-4%)   2021: 24% (+2%)
  A missing patch presents a challenge for operators that want to take action to resolve the published vulnerability.

Of advisories with no patch, share with no mitigation
  2019: 76%   2020: 64% (-12%)   2021: 19% (-45%)
  With neither a patch nor a mitigation, an operator cannot take any defensive action using information from the advisory.

Advisories that Dragos provided mitigation for
  2019: 77%   2020: 78% (+1%)   2021: 69% (-9%)
  Of the advisories that had no mitigations, Dragos provided mitigation advice for a majority, enabling defenders to take action.

Individual CVEs that contained errors
  2019: 19%   2020: 33% (+14%)   2021: 97% (+64%)
  Errors in CVE data can mislead practitioners who use CVSS scores to triage for mitigation.

Dragos corrected: MORE severe than public advisory
  2019: 73%   2020: 33% (-40%)   2021: 52% (+19%)
  Of the advisories with errors, Dragos assessed a large proportion to be more severe than the public advisory indicated. This can cause issues with patching prioritization.

Dragos corrected: LESS severe than public advisory
  2019: 26%   2020: 26% (0%)   2021: 45% (+19%)
  Of the advisories with errors, Dragos assessed a percentage to be less severe than the public advisory indicated. This too can cause issues with patching prioritization.

Advisories applied to products bordering the enterprise
  2019: 21%   2020: 23% (+2%)   2021: 23% (0%)
  Vulnerabilities in these products can facilitate initial access by an adversary into an operations environment.

Vulnerabilities deep within the ICS network
  2019: 77%   2020: 77% (0%)   2021: 77% (0%)
  These require existing access to a control systems network to exploit.

Impact: Loss of View & Loss of Control
  2019: 50%   2020: 36% (-14%)   2021: 35% (-1%)
  Vulnerabilities that could cause both loss of view and loss of control, preventing operators from monitoring and modifying the system state.

Key Findings

2021 ICS Environment Assessments

Dragos gathered first-hand insights to understand the state of ICS cybersecurity, impacts for the community overall, and recommendations to improve strategies for all levels of OT cybersecurity maturity. The team's findings are summarized below.
Change from 2020 to 2021 is shown in parentheses.

Extremely limited / no visibility into OT environment
  2019: 81%   2020: 90%   2021: 86% (-4%)
  86% of service engagements have a lack of visibility across OT networks, making detection, triage, and response incredibly difficult at scale.

Poor security perimeters
  2019: 71%   2020: 88%   2021: 77% (-11%)
  77% of service engagements included a finding of external connections from OEMs, IT networks, or the Internet to the OT network.

External connections to the ICS environment
  2019: 100%   2020: 33%   2021: 70% (+37%)
  70% of ICS environments had external connections.

Lacked separate IT & OT user management
  2019: 54%   2020: 54%   2021: 44% (-10%)
  44% of service engagements included a finding of shared credentials in OT systems, the most common method of lateral movement and privilege escalation.

Recommendations

Practical advice for ICS defenders

  • 01
    Build Defensible Architecture
    Network architects can leverage traditional tools and concepts such as strong segmentation, firewalls, and software-defined networks to reduce cyber risk, especially around remote access. This can take a variety of forms, such as IEC 62443 zones and conduits, DMZs, jumphosts, etc.
  • 02
    Implement Network Monitoring
    Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture. Threat detection from monitoring allows for scaling and automation for large and complex networks.
  • 03
    Establish Remote Access Authentication
    The most effective control for remote access authentication is multi-factor authentication (MFA). Where MFA is not possible, consider alternate controls such as jumphosts with focused monitoring.
  • 04
    Manage Key Vulnerabilities
    The majority of vulnerabilities do not need to be addressed if you have a defensible architecture. Dragos recommends defenders prioritize those that bridge IT and OT over those residing deep within the ICS/OT network.
  • 05
    Create an ICS Incident Response Plan (IRP)
    Lastly, Dragos recommends that industrial organizations have a dedicated incident response plan (IRP) for their ICS/OT environments, and that these organizations regularly exercise the plan with cross-disciplinary teams (IT, OT, Executives, etc.).
2021 Year In Review

Read the 2021 Year In Review Report

2020 ICS Cybersecurity Year in Review
Discover findings from frontline incident response and threat hunts, new activity groups tracked by Dragos in 2020 and industry-specific insights…
2019 Lessons Learned
Dragos 2019 ICS Year in Review: Lessons Learned from the Front Lines of ICS Cybersecurity
ICS Landscape and Threat Activity Groups
2019 ICS Threat Landscape and Activity Groups
This report assesses the state of the ICS cybersecurity threat landscape, including the latest threats, malware, vulnerabilities, and public threat activity groups focused on industrial operations.
ICS Vulnerabilities
2019 ICS Vulnerabilities
This report assesses 438 ICS vulnerabilities reported by a variety of sources, including independent researchers, vendors, and ICS-CERT.