Rockwell Automation recommends:
As security awareness further evolves, so does the need for more robust OT security protection. Simply putting a firewall between IT and OT environments is no longer enough to effectively separate IT and OT networks to prevent attacks. The same goes for remote access, where attackers are often able to easily circumvent standard practices, such as passwords. Without stronger protection measures, there is a risk that end devices will be infiltrated. Additional countermeasures must be considered, including a clearly defined incident response plan that can help your organization respond quickly to and recover from a cybersecurity incident.
Key Findings (5)
More than 80% of attackers come from outside the organization.
Insiders played an “indirect” role in more than a third of security incidents. The “indirect” role of an insider is primarily to be the victim of a phishing attack.
In the Cyentia study, nearly 60 percent of attackers came from state-linked groups. The identities and geographic locations of many of the attackers are hidden. Threat actors go to great lengths to conceal this information.
According to the report, the most common motivations for security attacks are political or economic.
Key Findings (6)
In the sample selected for this report, attacks attributed to state-related groups were higher than in other studies, accounting for almost 60 percent of all attacks. Other studies, such as those from the Cyentia Research Institute, have found that just over 1% of cyberattacks can be attributed to state action.
However, given that state-related groups often seek to influence critical infrastructure, disrupt supply chains, steal data from critical systems, or simply take OT systems offline, this finding is not illogical.
In a notorious attack in 2020, Russian state-backed hackers exploited system vulnerabilities to break into more than 200 systems. The attackers used credentials from at least three organizations to execute the attack, which affected multiple U.S. government systems as well as NATO, U.K., and European Union systems. As a result, the United States imposed sanctions on Russia, and the impact of the infiltration and leakage of international government data will take years to fully unwind.
Key Findings (7)
Phishing has always been the simplest and most successful of the initial access (attack) techniques. Phishing has evolved to encompass multiple domains such as email, online, SMS/text messaging, and voice/phone calls, making it a powerful weapon for cybercriminals.
External remote services rank second among the initial access methods in the IT and OT incidents studied. Although they were intended to give legitimate users remote access, they have been an entry point for attackers since 2020.
Smart targets: As attackers become more sophisticated, any “smart” device on the network can become a target. Using best practices such as real-time network asset inventories, 24/7 threat detection, and appropriate policies and procedures regarding removable media can help prevent IT attacks from moving to OT, potentially shutting down an organization’s supply chain, processes, or even entire physical plants.
Key Findings (8)
According to MITRE, “ATT&CK for ICS focuses on adversaries whose primary goal is to attack industrial control systems, to attempt to interfere with industrial control processes, to destroy property, or to cause temporary or permanent harm or death to humans by attacking industrial control systems.”
In IT environments, attacks often start with network discovery, which is used to help attackers understand where assets are and how to access them.
In the OT space, attackers often try to directly affect industrial processes. Many seek to obtain money, such as ransom, or pursue other outcomes involving economic or military advantage. In 2022, the number of attacks on industrial organizations by threat actors in the United States increased by 35 percent, resulting in an 87 percent increase in data breaches during the same period.
Attackers use lateral tool transfer, leveraging remote services and standard application layer protocols to manipulate the operator’s view and, in many cases, take over specific OT processes.
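The three defensive points above (remote services as an initial access path, a current asset inventory paired with threat detection, and tool transfer over remote-service sessions into OT) can be turned into a small detection check. The following Python is an added example written for this page; it is not code from the report, from Rockwell Automation, or from Cyentia. The asset inventory, the allow-listed jump-host subnet, the log line format and every address in it are constructed for the example and are not a vendor's format.

```python
"""Toy detector for two patterns the report names: external remote services
used to reach OT assets, and lateral tool transfer over those sessions.
Inventory, allow-list and log lines below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory: host -> zone. This is the "real-time asset
# inventory" recommendation reduced to the single attribute the check needs.
INVENTORY = {
    "10.10.1.5": "IT",
    "10.10.1.9": "IT",
    "10.20.3.12": "OT",   # hypothetical HMI
    "10.20.3.40": "OT",   # hypothetical PLC gateway
}

# Assumed: remote-service logins into OT are expected only from this
# jump-host subnet; anything else is treated as an external remote service.
ALLOWED_REMOTE_SOURCES = [ip_network("10.10.1.0/24")]

# Remote-service ports in scope (a real deployment would include vendor tools).
REMOTE_SERVICE_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

# Constructed log lines: "<ts> <kind> <src> <dst> <dport> <free-text detail>"
SAMPLE_LOG = [
    "2024-01-01T08:00:00Z login 10.10.1.5 10.20.3.12 3389 user=eng1 result=success",
    "2024-01-01T08:05:00Z login 203.0.113.7 10.20.3.12 3389 user=eng1 result=success",
    "2024-01-01T08:06:00Z file_transfer 203.0.113.7 10.20.3.12 3389 name=tool.exe bytes=412000",
    "2024-01-01T08:07:00Z login 10.10.1.9 10.10.1.5 22 user=admin result=success",
    "2024-01-01T08:10:00Z file_transfer 10.20.3.12 10.20.3.40 22 name=update.bin bytes=9000",
]


@dataclass
class Event:
    ts: str
    kind: str      # "login" or "file_transfer"
    src: str
    dst: str
    dport: int
    detail: str


def parse_line(line):
    """Split one constructed log line into an Event (six fields, last is free text)."""
    ts, kind, src, dst, dport, detail = line.split(maxsplit=5)
    return Event(ts, kind, src, dst, int(dport), detail)


def is_allowed_source(src):
    """True when the source address sits inside an allow-listed network."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_REMOTE_SOURCES)


def detect(lines):
    """Return alerts as (rule, severity, src, dst, service) tuples.

    Rule 1: a remote-service login to an OT asset from outside the allow-list.
    Rule 2: a file transfer into an OT asset over a remote service; severity is
    raised when the same src->dst pair already produced a Rule 1 alert, which
    links the tool drop back to the suspicious session that preceded it.
    """
    alerts = []
    flagged_sessions = set()   # (src, dst) pairs with a non-allow-listed login
    for ev in map(parse_line, lines):
        svc = REMOTE_SERVICE_PORTS.get(ev.dport)
        if svc is None or INVENTORY.get(ev.dst) != "OT":
            continue   # only remote-service traffic into the OT zone is in scope
        if ev.kind == "login" and not is_allowed_source(ev.src):
            flagged_sessions.add((ev.src, ev.dst))
            alerts.append(("external_remote_service", "high", ev.src, ev.dst, svc))
        elif ev.kind == "file_transfer":
            sev = "high" if (ev.src, ev.dst) in flagged_sessions else "medium"
            alerts.append(("lateral_tool_transfer", sev, ev.src, ev.dst, svc))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script, the block prints three alerts: the RDP login from 203.0.113.7 to the HMI (outside the allow-list), the follow-up file transfer over that same session (raised to high because the session was already flagged), and the SSH transfer from the HMI to the PLC gateway (medium, for analyst review). The allow-listed login from 10.10.1.5 and the IT-to-IT SSH login produce nothing, which is the point of keeping the inventory current: without a zone for each host the check cannot tell an OT destination from an IT one.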