What Manufacturers Need to Know About the OT Cyber Threat Landscape

Manufacturing environments are increasingly becoming targets for cyber adversaries. The digitalization of manufacturing processes has blurred the lines between IT (Information Technology) and OT (Operational Technology), making it easier for threats to proliferate from enterprise IT into OT environments. This convergence has introduced several trends: 

• Proliferation from IT to OT: Compromises originating in enterprise IT are increasingly affecting OT environments due to business and process dependencies. 
• Removable Media as a Threat Vector: The use of removable media such as USB drives and CDs has re-emerged as a significant threat vector, often serving as the initial infection point. 
• Ransomware: Ransomware continues to plague the manufacturing sector, with adversaries realizing that disrupting production is an effective way to force victims to pay ransoms.

Key Adversaries Targeting Manufacturing Environments 

Dragos OT Cyber Threat Intelligence identifies and tracks adversaries that are particularly relevant to the manufacturing sector. These adversaries are categorized based on their observed behaviors rather than their intent. 

• GANANITE, LAURIONITE, and WASSONITE: These threat groups focus on espionage, initial access, and data exfiltration. They have been observed targeting critical manufacturing across various geographies and sectors. 
• CHERNOVITE: This threat group stands out due to its development of a modular ICS malware framework known as PIPEDREAM. This framework includes several distinct modules designed to interact with and disrupt various ICS components.

CHERNOVITE’s PIPEDREAM Framework 

CHERNOVITE’s PIPEDREAM framework is particularly concerning because of its modular nature and the sophistication of its components. The ICS malware framework includes: 

• Evil Scholar: Targets Schneider Electric PLCs. 
• Bad Omen: Interacts with Omron software and PLCs. 
• Mousehole: Interacts with OPCUA servers. 
• Dust Tunnel: Performs host reconnaissance and command and control. 
• Lazy Cargo: Exploits vulnerabilities to load unsigned drivers in enterprise IT environments.

The modularity of PIPEDREAM means that it can be adapted and expanded, posing a significant threat to both enterprise IT and OT manufacturing environments. 

Manufacturing Threat Scenarios to Consider

Real-world scenarios for manufacturers to consider include:  

• Ransomware Propagation: In a typical ransomware event, the initial infection occurs in the IT enterprise. Once the ransomware gains sufficient privileges, it propagates through the network, encrypting data and disrupting operations. 
• Transient Devices: Transient devices like USB drives can introduce malware into control systems during maintenance operations. Without strong removable media policies, these devices can bypass network segmentation and spread malware.

The rapid adoption of smart technologies in manufacturing introduces new cybersecurity challenges. These technologies expand the attack surface and require a skilled cybersecurity workforce to manage them. Additionally, manufacturing organizations involved in wartime efforts are at greater risk of sabotage, as seen in the recent Ukraine-Russia conflict. 

By understanding the behaviors and capabilities of key adversaries, organizations can better prepare and defend against these threats. Manufacturers need a robust cybersecurity strategy that includes strong policies, continuous monitoring of IT and OT environments, and ongoing investment in cybersecurity skills and technologies. 

As the digital transformation of manufacturing continues, staying informed and vigilant is crucial to safeguarding operations and maintaining resilience against cyber threats. 

Download the Manufacturer’s Guide to OT Cybersecurity

Don’t wait for a cyber incident to disrupt your manufacturing operations. Download the Manufacturing Executive Guide for OT Cybersecurity today and take the first step towards a more secure future for your manufacturing enterprise.