The 2022 Dragos ICS/OT Cybersecurity Year in Review provides a comprehensive look back at the cyber events that dominated news headlines in the past year and a forward-looking view of the industrial control systems (ICS) and operational technology (OT) threat landscape, with access to deep threat research and analysis, lessons learned from real incidents and threat hunts in the field, and first-party data not available anywhere else.
We will share updates on threat groups targeting ICS/OT, insights on the industrial impact of ransomware, data-driven insights into critical vulnerabilities in ICS/OT environments, plus evidence from the field on how the community is performing and areas for improvement to provide safe and reliable operations into 2023 and beyond.
Highlights from the Dragos 2021 ICS/OT Cybersecurity Year in Review
In 2021, major events such as the disruptive Colonial Pipeline ransomware attack and the attempted corruption of the Oldsmar treatment facility’s water supply drew increased attention and investment in ICS/OT security in the United States and across the globe. The Dragos 2021 ICS/OT Cybersecurity Year in Review covered these events and more, featuring unique insights from Dragos OT researchers and defenders.
3 New Threat Groups Discovered Targeting ICS/OT
Dragos discovered three new threat groups in 2021, two of which achieved Stage 2 of the ICS Cyber Kill Chain, demonstrating their ability to gain direct access to ICS/OT networks.
- KOSTOVITE: targeting energy industries.
- PETROVITE: targeting mining and energy operations in Kazakhstan.
- ERYTHRITE: broadly targets the IT networks of ICS/OT facilities in the U.S. and Canada.
Dragos also monitored and reported on renewed activity from STIBNITE, KAMACITE, and WASSONITE threat groups in 2021.
37 Percent Increase in External Network Connections to Internet from Previous Year
Our team of experienced incident responders has consulted on numerous cases where significant time and resources could have been saved with preparation. In 2021, Dragos shared these insights to help OT asset owners avoid issues that increase the time, personnel, downtime, and expense of managing a cybersecurity incident. Key findings we reported were:
- 86% of service engagements had a lack of visibility across OT networks—making detections, triage, and response incredibly difficult at scale.
- 77% of service engagements included a finding about improper network segmentation.
- 70% of service engagements included a finding of external connections from OEMs, IT networks, or the Internet to the OT network.
- 44% of service engagements included a finding of shared credentials in OT systems, the most common method of lateral movement and privilege escalation.
Ransomware Is #1 Attack Vector in Industrial Sector
Some ransomware adversaries indirectly impact OT when attacking enterprise IT. Once adversaries achieve initial access, they can execute ransomware to gain a foothold in critical enterprise IT systems and potentially move laterally into OT systems. Conversely, some ransomware groups specifically target OT systems. In 2021, ransomware became the number one attack vector in the industrial sector.
- Dragos assessed that manufacturing accounted for 65% of all ransomware attacks in 2021, nearly twice as much as the other industrial sectors combined.
- Two ransomware groups, Conti and LockBit 2.0, caused 51% of attacks—with 70% of their malicious activity targeting manufacturing.
Trends in ICS/OT Vulnerability Classification – More Errors, Less Severe
Dragos works with the community to help vendors provide more accurate, actionable, and easier-to-track advisories. For each CVE, Dragos independently assesses, confirms, and often corrects the advisories and describes any flaws in firmware or software.
- In 2021, Dragos researchers analyzed 1703 ICS/OT common vulnerabilities and exposures (CVEs).
- Dragos assessed that 97% of individual CVEs contained errors that can mislead practitioners who use CVSS scores to triage for mitigation, 64% more errors than in the previous year.
- Of advisories with errors, Dragos assessed that 45% of CVEs were LESS SEVERE than the public advisory scoring, causing issues with patching prioritization.
- Ultimately, Dragos recommended immediate mitigation on only 4% of vulnerabilities assessed in 2021.
Reserve Your Copy Today!
Prepare your enterprise with the data-driven analysis from the Dragos 2022 ICS/OT Cybersecurity Year in Review, including the security controls you need to have a world-class OT cybersecurity program in 2023.
Ready to put your insights into action?
Take the next steps and contact our team today.