To understand the cybersecurity trends affecting industrial infrastructure organisations, Dragos has released its 2023 OT Cybersecurity Year in Review report for Australia.
In 2023, motivated and sophisticated threat groups and hacktivists demonstrated their ability to breach critical infrastructure networks and disrupt Operational Technology (OT) systems. Of the 905 global ransomware incidents affecting industrial organisations, 13 targeted Australian entities. The recent Lockbit 3.0 attack on DP World Australia highlighted the potential cascading impacts of ransomware on industrial operations, supply chains, and consumers.
Hayley Turner, Area Vice President of Dragos Asia Pacific, emphasised the growing threat landscape.
“Ransomware incidents continue to rise globally, leading to cascading impacts across virtually every industrial sector, particularly manufacturing. The number of vulnerabilities present in industrial control systems (ICS) is growing exponentially, along with adversaries’ appetite to exploit them.”
While the electric, oil and gas, water, and manufacturing sectors made moderate improvements in their ICS/OT cybersecurity posture on average, many industrial organisations still struggle with password security and threat detection in their ICS/OT environment.
“Now is the time to take bigger strides,” adds Turner, stressing the need for coordinated efforts across Australia’s cybersecurity community, and for emergency measures when necessary, to mitigate adverse effects on critical business operations and the communities they serve.
Key Vulnerability Findings
Dragos tracked 21 threat groups engaged in OT operations in 2023 and identified three new threat groups, including VOLTZITE, which is linked to Volt Typhoon. Dragos also noted a nearly 50% increase in ransomware incidents reported by industrial organisations.
VOLTZITE targets electric power generation, transmission and distribution, and has also been observed targeting research, technology, defence industrial base, satellite services, telecommunications and educational organisations. The group overlaps with Volt Typhoon, which the U.S. Government links to the People’s Republic of China. Its activities include living-off-the-land techniques, prolonged surveillance, and data gathering consistent with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia-Pacific region. Traditionally focused on US-based facilities, the group has also been seen targeting organisations in Africa and Southeast Asia.
Dragos found that 80% of vulnerabilities reside deep within the ICS network, 16% of advisories were network-exploitable and perimeter-facing, and 53% of advisories could cause both a loss of view and a loss of control, up from 51% in 2022. Additionally, 31% of advisories contained errors, and Dragos provided mitigations for the 49% of advisories that had none.
Key Ransomware Findings
Ransomware remains the top attack method in the industrial sector, increasing 50% from 2022. Globally, Lockbit was responsible for 25% of total industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9% each. The manufacturing sector remains the primary target, accounting for 71% of all ransomware attacks.
Although ransomware groups do not explicitly target ICS and OT, risks to these environments arise from precautionary operations shutdowns to limit the impact of an attack, flattened industrial networks, and the integration of ICS/OT kill processes into ransomware strains.
Threats to Australian Infrastructure Escalated
Australia’s Cyber and Infrastructure Security Centre (CISC) and agencies from the Five Eyes Intelligence Alliance highlighted the intensifying OT cyber threat landscape, identifying foreign espionage and interference as the prime threats to critical infrastructure. The Australian Signals Directorate’s Annual Cyber Threat Report revealed a 50% jump in cyber incidents targeting infrastructure, which is increasingly targeted for geopolitical advantage. This trend underscores the critical need for robust cybersecurity measures and strong public-private partnerships to safeguard national interests.
Key Steps Taken to Ensure Security of Australia’s Critical Infrastructure
In 2023, the CISC advanced efforts to bolster national cybersecurity and resilience, particularly in ICS/OT environments, where detecting sophisticated threats is paramount. Key initiatives included publishing critical infrastructure asset class definition guidance to enhance operational resilience across 22 sectors, and activating the Critical Infrastructure Risk Management Program. This program, introduced through amendments to the Security of Critical Infrastructure Act 2018, sits alongside Mandatory Cyber Incident Reporting and the Critical Infrastructure Asset Register and aims to elevate the security of Australia’s critical infrastructure.
“These steps signal the urgency and importance of robust asset monitoring, intelligence-based detections for sophisticated threats, and a coordinated response to safeguard essential services that Australians rely upon,” said Turner.
As ICS/OT cybersecurity becomes a top priority, aligning on key priorities is essential. Dragos recommends that Australian organisations consult the SANS Institute’s paper “Five critical controls for ICS/OT cybersecurity” for guidance.
For more information, the 2023 Dragos OT Cybersecurity Year in Review for Australia, and the accompanying executive summary, can be downloaded here.