Dragos Industrial Cybersecurity “Year in Review” Reports Rise in Threat Groups, Vulnerabilities, and Ransomware as ICS/OT Systems Digitally Transform
Number of industrial organizations with external connections to their Industrial Control Systems doubled, yet 86% of organizations report limited-to-no visibility of ICS environments
HANOVER, MD, February 23, 2022 – Dragos, Inc., the global leader in cybersecurity for industrial controls systems (ICS)/operational technology (OT) environments, today released its fifth annual Dragos ICS/OT Cybersecurity Year in Review (YIR) report, the most comprehensive report on cyber threats facing industrial organizations. The report named the emergence of three new threat groups targeting ICS/OT environments, including two that have gained access into the OT systems of industrial organizations. The report also shows the number of discovered vulnerabilities in OT systems in 2021 more than doubled over the previous year to 1,703. Ransomware became the number-one attack vector among industrial organizations, with manufacturing as the most targeted sector representing 65%, or 211, of the ransomware cases detected at industrial organizations.
The Dragos YIR report is an annual overview and analysis of ICS/OT-focused global threat activities, vulnerabilities, and industry insights and trends. The report aims to share data-informed observations and lessons learned from within the industrial community to give asset owners and operators actionable information and recommendations to help them more fully understand cyber risks to their ICS/OT environments and strengthen their cyber readiness.
“While the industrial community has discussed the importance of OT cybersecurity for years, 2021 brought high-profile attacks that showed the real-world outcomes on local communities and global economies,” said Robert M. Lee, Chief Executive Officer and Co-Founder of Dragos, Inc. “Data from our YIR shows that cyber risk to industrial sectors is accelerating at a time when digital transformation initiatives are driving hyper connectivity, which increases risk and exposure. The real-world observations and data-backed insights in our 2021 YIR report can serve as practical, timely guidance as the industrial community strives to understand where they are exposed, what threat groups are doing, and how to build security and resiliency into their OT systems.”
Details of 2021 Year in Review
- Dragos identified three new ICS/OT Activity Groups—KOSTOVITE, PETROVITE, and ERYTHRITE, with KOSTOVITE and ERYTHRITE reaching Stage 2 of the ICS Cyber Kill Chain, meaning they gained access directly into ICS/OT networks. With these additions, Dragos analysts now track 18 Activity Groups worldwide that show the intent, opportunity, or capability to impact industrial operations.
- KOSTOVITE targets renewable energy operations in North America and Australia, and in 2021 had a confirmed intrusion into an operations and maintenance (O&M) firm’s OT networks and devices.
- PETROVITE targets mining and energy operations in Kazakhstan and Central Asia. The group displays an interest in data collection on ICS/OT systems and networks.
- ERYTHRITE targets organizations in the US and Canada. Dragos has observed ERYTHRITE compromising the OT environments of a Fortune 500 company and the IT networks of a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple Oil and Natural Gas (ONG) service firms.
- ICS/OT Vulnerabilities in 2021 doubled compared with 2020, reaching 1,665. Analysis of these vulnerabilities and related advisories found that 35% could cause both a loss of view and loss of control in an OT system, which are among the worst operation scenarios in an ICS/OT environment. Almost 90% of the vulnerabilities had no mitigations or alternative mitigations in place at the time of the advisory issued about them.
- Ransomware became the number one attack vector in the industrial sector. Two groups, Conti and Lockbit 2.0, caused 51% of total industrial ransomware attacks, with 70% of their activity targeting manufacturing. Overall, manufacturing was the primary target of ransomware across the board and accounted for 65% of all attacks, nearly twice as much as every other industrial group combined.
- Lessons from the Front Lines: Based on data gathered from annual customer service engagements conducted by Dragos’s cybersecurity experts in the field across the range of industrial sectors, the top challenges industrial organizations need to address are:
- Limited or No OT Network Visibility: 86% of organizations had limited to no visibility into their ICS environment making detections, triage, and response incredibly difficult at scale.
- Poor Security Perimeters: 77% of service engagements involved issues with improper network segmentation.
- External Connections to the ICS Environment: 70% of organizations had external connections from OEMs, IT networks, or the internet to the OT network, which is more than double the amount from 2020.
- Lack of Separate IT & OT User Management: 44% of organizations had shared credentials between their IT and OT systems, the most common method of lateral movement and privilege escalation.
- New Incident Response Use Cases: The YIR report highlights Incident Response use cases from the field and examines previously undisclosed compromises of OT systems to add context to the major ICS/OT headlines of 2021—from the effects of the SolarWinds breach on ICS/OT environments to an example of an attack targeting an OT system that moved laterally to the IT network of an electric operator.
The YIR also provides recommendations for five key OT cybersecurity controls, that if implemented effectively, can result in a strong defense against increasing ICS/OT cyber threats in 2022 and beyond.
YIR Report and Resources
- Download the full 2021 Dragos ICS/OT Cybersecurity Year in Review report and the accompanying executive summary document.
- View the interactive, web-based 2021 Dragos Year in Review results.
About Dragos, Inc.
Dragos has a global mission: to safeguard civilization from those trying to disrupt the industrial infrastructure we depend on every day. The practitioners who founded Dragos were drawn to this mission through decades of government and private sector experience.
Dragos codifies the knowledge of our cybersecurity experts into an integrated software platform that provides customers critical visibility into ICS and OT networks so that threats are identified and can be addressed before they become significant events. Our solutions protect organizations across a range of industries, including power and water utilities, energy, and manufacturing, and are optimized for emerging applications like the Industrial Internet of Things (IIOT).
Dragos is privately held and headquartered in the Washington, DC area with regional presence around the world, including Canada, Australia, New Zealand, Europe, and the Middle East.
Contacts
Kesselring Communications for Dragos
Leslie Kesselring, 503-358-1012
Leslie@kesscomm.com
Discover more resources.
Explore more resources to support you on your ICS cybersecurity journey.
See the Dragos Platform in Action
Take the next step to protect your OT environment now with a free demo