
2020 Year In Review

Dragos's annual ICS Year in Review provides an overview and analysis of ICS vulnerabilities, global threat activity targeting industrial environments, and industry trends and observations gathered from customer engagements worldwide. Our goal is to give asset owners and operators proactive, actionable information and defensive recommendations in order to prepare for and combat the world’s most significant industrial cybersecurity adversaries.
This year we created an interactive web experience highlighting key findings along with an executive summary and an in-depth report.

Threats

Growth of ICS-Focused Threat Activity Groups

Visibility into the industrial threat landscape has never been better. Dragos has been tracking ICS Threat Activity Groups since its inception in 2016, and in 2020 we discovered 4 new Activity Groups. In the ebb and flow of these threats new activity groups are growing 3X faster than they are going quiet. In the animated graphic below, you’ll see the sectors and regions in which Dragos analysts have observed this ICS-targeting threat activity over time.
[Animated graphic: ICS-targeting threat activity observed by Dragos, by year (2014 to 2020), by sector (Electric, Oil & Gas, Manufacturing, Transportation, Aerospace) and by region (North America, Europe, Africa, Middle East, Asia Pacific).]
Disclaimer: this data only represents public reporting. Customer confidential information is not shared.

Timeline

TIMELINE OF ICS THREAT ACTIVITY IN 2020

[Interactive timeline covering January to December 2020; entries are listed below in order.]

  • 01.20 Malware: Dustman wiper malware identified targeting oil and gas and electric entities in the Middle East
  • 01.20 Ransomware: EKANS ransomware identified
  • 01.20 ICS Cybersecurity Advancement: MITRE releases ATT&CK for ICS framework
  • 02.20 Ransomware: Ryuk ransomware attack on pipeline operations reported
  • 02.20 Activity Group Update: PARISITE leverages Citrix vulnerability (CVE-2019-19781) in attacks targeting ICS entities
  • 03.20 Phishing: Multiple intrusions impact European electric entities
  • 03.20 Phishing: Remote access risks increase as employees work at home
  • 04.20 Activity Group Update: New WASSONITE malware identified
  • 04.20 New Activity Group: Dragos identified new activity group STIBNITE
  • 05.20 Ransomware: EKANS ransomware impacts manufacturing, pharmaceutical, energy
  • 05.20 Activity Group Update: ALLANITE targeted German critical infrastructure
  • 05.20 Adversary Activity: Dragos identified new Sandworm infrastructure and activity
  • 06.20 New Activity Group: Dragos identifies new activity group, TALONITE
  • 06.20 Vulnerability: Ripple20 vulnerabilities may impact many ICS vendors
  • 07.20 Espionage: Intrusion and espionage activity targets pharmaceutical and other industrial sectors
  • 07.20 Vulnerability: Multiple critical vulnerabilities identified in network appliances and infrastructure
  • 08.20 New Activity Group: Dragos identifies new activity group, VANADINITE
  • 09.20 Activity Group Update: Changes in previously identified MAGNALLIUM infrastructure
  • 09.20 Vulnerability: Zerologon vulnerability patched, exploitation continues
  • 10.20 Activity Group Update: DYMALLOY watering hole activity
  • 10.20 Activity Group Update: Possible ALLANITE or DYMALLOY operations
  • 10.20 Activity Group Update: New TALONITE malware sample identified
  • 10.20 Adversary Activity: U.S. Treasury sanctions Russian lab for TRISIS malware
  • 11.20 Activity Group Update: Dragos identifies new CHRYSENE activity
  • 11.20 Malware: Cyberattack disrupts cold-storage operations
  • 12.20 Malware: SolarWinds supply chain compromise impacts thousands of companies

Vulnerabilities

2020 ICS Vulnerabilities

In 2020, Dragos assessed 703 ICS vulnerabilities reported by a variety of sources including independent researchers, vendors, and ICS-CERT. The key findings are summarized below.
  • Irrelevant vulnerabilities: 2019 35%, 2020 31% (change -4%). These vulnerabilities require local access and have no actionable mitigation advice.
  • Advisories with incorrect data: 2019 30%, 2020 43% (change +13%). Incorrect data can prevent operators from accurately prioritizing patch management.
  • Advisories with no patch: 2019 26%, 2020 22% (change -4%). This presents a challenge for operators that want to take action to resolve the published vulnerability.
  • Of advisories with no patch, percentage with no mitigation: 2019 76%, 2020 64% (change -12%). This prevents an operator from taking any defensive action using information from the advisory.
  • Advisories that Dragos provided mitigation for: 2019 77%, 2020 78% (change +1%). Of the advisories that had no mitigations, Dragos provided mitigation advice for a majority, thereby enabling defenders to take action.
  • Individual CVEs that contained errors: 2019 19%, 2020 33% (change +14%). Errors can mislead practitioners who use CVSS scores to triage for mitigation.
  • Dragos corrected: MORE severe than public advisory: 2019 73%, 2020 73% (change 0%). Of the advisories with errors, Dragos assessed a large proportion to be more severe than the public advisory indicated. This can cause issues with patching prioritization.
  • Dragos corrected: LESS severe than public advisory: 2019 26%, 2020 26% (change 0%). Of the advisories with errors, Dragos assessed a smaller proportion to be less severe than the public advisory indicated. This can also cause issues with patching prioritization.
  • Advisories applied to products bordering the enterprise: 2019 21%, 2020 23% (change +2%). Such products can facilitate initial access by an adversary into an operations environment.
  • Vulnerabilities deep within the ICS network: 2019 77%, 2020 77% (change 0%). These require existing access to a control systems network to exploit.
  • Impact: loss of view & loss of control: 2019 50%, 2020 36% (change -14%). Vulnerabilities that could cause both loss of view and loss of control, preventing operators from monitoring and modifying the system state.
  • Advisories where free & demo software is available: 2019 25%, 2020 15% (change -10%). The majority of ICS-related vulnerabilities are in software for which no free version is available.

Key Findings

2020 ICS Environment Assessments

In 2020, Dragos gathered first-hand insights to understand the state of ICS cybersecurity, impacts for the community overall, and recommendations to improve strategies for all levels of OT cybersecurity maturity. The team's findings are summarized below.
  • Extremely limited / no visibility into OT environment: 2020 90%, 2019 81% (change +9%). Extremely limited visibility of the ICS network, assets, and flow of information makes detection, triage, and response incredibly difficult at scale.
  • Poor security perimeters: 2020 88%, 2019 71% (change +17%). The Dragos Red Team was able to easily gain initial access to a majority of ICS networks, meaning that a determined adversary could as well.
  • Lacked separate IT & OT user management: 2020 54%, 2019 54% (change 0%). The most common method of lateral movement and privilege escalation continues to be Valid Credential recovery.
  • IR cases involving shared credentials for lateral movement: 2020 100%, 2019 90% (change +10%). This reinforces the Dragos Red Team finding that IT and OT user access must be managed independently.
  • IR cases where the adversary accessed the ICS network from the Internet: 2020 100%, 2019 66% (change +34%). Many organizations believe their ICS network is "air-gapped" from external networks. Not so in the IR cases our team worked in 2020.
  • Had a solidified IRP ready to test: 2020 58%, 2019 33% (change +25%). Dragos works with our customers to build incident response plans (IRP). In 2020, the majority had a plan ready to test.

Recommendations

Practical advice for ICS defenders

  • 01
    Increase OT Network Visibility
    90% of service engagements included a finding around lack of visibility. Visibility includes network monitoring, host logging, and maintaining a Collection Management Framework (CMF).
  • 02
    Identify & Prioritize Crown Jewels
    100% of external routable network connections to ICS environments were believed to be air-gapped. Crown Jewel Analyses identified a digital attack path to impact a critical physical process.
  • 03
    Boost Incident Response Capabilities
    42% of IR Services Engagements discovered organizations did not have a suitable Incident Response Plan (IRP) and 75% had difficulty with declaring a cyber incident.
  • 04
    Validate Network Segmentation
    88% of Services engagements included a finding around improper network segmentation. This includes issues like weak or missing segmentation between IT and OT networks, permissive firewall rulesets, and externally routable network connections.
  • 05
    Separate IT & OT Credential Management
    54% of service engagements included a finding around shared credentials. This includes accounts shared between IT and OT, default accounts, and vendor accounts. Shared credentials enable adversaries to use Valid Accounts, which is the top TTP used by the ICS Activity Groups we track.
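As an added example (not Dragos's code and not from the report), the following Python script turns recommendations 04 and 05 into two mechanical checks a defender can run against exports from their own environment: it flags allow rules into the OT zone that originate from an untrusted zone or open a broad port range, and it lists accounts that appear in both the IT and OT inventories or match default/vendor account names. The rule format, zone names, account lists and the default-name watch-list are all constructed for the example and are assumptions about how such exports might look.

```python
"""Audit checks for two of the findings above: permissive rules across the
IT/OT boundary (recommendation 04) and accounts shared between IT and OT
identity stores (recommendation 05). Every input here is constructed sample
data; the zone names, rule format and account lists are assumptions, not an
export from any real firewall or directory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule as it might appear in a simplified ruleset export."""
    name: str
    src_zone: str
    dst_zone: str
    dst_ports: str  # "any", a single port such as "502", or a range "1-65535"
    action: str     # "allow" or "deny"


# Constructed ruleset for an IT/OT boundary firewall (not real data).
SAMPLE_RULES = [
    Rule("historian-pull", "IT", "OT", "1433", "allow"),      # narrow, expected
    Rule("vendor-remote", "INTERNET", "OT", "any", "allow"),  # Internet -> OT
    Rule("it-to-ot-any", "IT", "OT", "1-65535", "allow"),     # every port
    Rule("ot-to-it-syslog", "OT", "IT", "514", "allow"),      # outbound only
    Rule("default-deny", "any", "any", "any", "deny"),
]

# Constructed account inventories, standing in for an IT directory export and
# the local accounts of OT hosts (HMIs, engineering workstations).
SAMPLE_IT_ACCOUNTS = {"alice", "bob", "svc-backup", "Administrator"}
SAMPLE_OT_ACCOUNTS = {"bob", "svc-backup", "operator1", "Administrator", "vendor-support"}

# Names that indicate default or vendor accounts (constructed watch-list).
DEFAULT_ACCOUNT_NAMES = {"administrator", "admin", "vendor-support"}

UNTRUSTED_ZONES = {"INTERNET", "ANY"}  # zones that must never reach OT directly


def port_count(spec: str) -> int:
    """Number of destination ports a port specification covers."""
    if spec.lower() == "any":
        return 65535
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(high) - int(low) + 1
    return 1


def permissive_rules(rules, protected_zone="OT", max_ports=1):
    """Names of allow rules into the protected zone that either originate from
    an untrusted zone or open more than max_ports destination ports."""
    flagged = []
    for rule in rules:
        if rule.action != "allow" or rule.dst_zone != protected_zone:
            continue
        from_untrusted = rule.src_zone.upper() in UNTRUSTED_ZONES
        if from_untrusted or port_count(rule.dst_ports) > max_ports:
            flagged.append(rule.name)
    return flagged


def shared_accounts(it_accounts, ot_accounts):
    """Account names present in both the IT and the OT inventory."""
    return sorted(it_accounts & ot_accounts)


def default_accounts(accounts, watch_list=DEFAULT_ACCOUNT_NAMES):
    """Accounts whose name matches a default or vendor account pattern."""
    return sorted(name for name in accounts if name.lower() in watch_list)


def audit(rules, it_accounts, ot_accounts):
    """Bundle all findings into one report dictionary."""
    return {
        "permissive_rules": permissive_rules(rules),
        "shared_accounts": shared_accounts(it_accounts, ot_accounts),
        "default_accounts_in_ot": default_accounts(ot_accounts),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RULES, SAMPLE_IT_ACCOUNTS, SAMPLE_OT_ACCOUNTS)
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

On the constructed data the narrow historian rule passes while the Internet-sourced vendor rule and the all-ports IT rule are flagged, and three accounts (including the default Administrator) show up in both inventories. The `max_ports` threshold is deliberately strict; a real ruleset review would tune it per protocol, but a rule opening the whole port range into OT rarely has a justification.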
Read the 2020 Year In Review Report