At least 68 cyberattacks last year caused physical impacts to operational technology (OT) networks at more than 500 sites around the world, in some cases causing $10 million to $100 million in damage.
Not surprisingly, these were not Stuxnet-like events, but the opposite.
According to a new report from industrial control systems (ICS) vendor Waterfall Security Solutions, which studied real-world cyberattacks against OT organizations, most of the hackers known to target the OT sector these days are hacktivists. And most outages are not caused by direct manipulation of OT systems, but are downstream consequences of IT-based attacks, most often involving ransomware.
This does not mean, however, that the impacts are less severe. Incidents involving Johnson Controls and Clorox last year cost those companies about $27 million and $49 million, respectively. A cyberattack that led to the temporary suspension of operations at MKS Instruments in Massachusetts cost $200 million, and one of its suppliers, California-based Applied Materials Inc., reported losing another $250 million.
According to the report, the number of attacks with physical consequences increased by almost 20% last year.
IT attacks with OT consequences
Over the past fifteen years, only about a quarter of cyberattacks with OT consequences were caused by actually hitting the OT network, according to the report, which Waterfall published in collaboration with OT ICS incident threat database STRIVE.
“A large portion of attacks that caused OT consequences did so by exclusively compromising machines in the IT network,” explains Andrew Ginter, vice president of industrial security at Waterfall and co-author of the report. “The OT was often shut down ‘out of an abundance of caution’ because the company was unwilling to continue running powerful and dangerous physical processes while compromising them just one or two network steps away.”
After the attack last March, for example, the German manufacturer Hahn Group GmbH shut down all its plants for security reasons. It subsequently took weeks for a complete and clean restore of its systems. Last year, several other manufacturers followed the same pattern, even when security was not at risk, in order to limit damage to other systems, sites and customers.
“OT was also often shut down because physical operations required facilities on the IT networks that ransomware had crippled, for example container tracking systems for shipping or passenger signs for large train stations,” Ginter points out.
A notable case occurred last January, when printers at the UK’s Royal Mail were disabled and hijacked to print LockBit ransom notes. Mail export services were briefly suspended nationwide, in an event that cost £42 million.
“These dependencies are something that many OT practitioners don’t think about,” explains Ginter. An IT network compromise can also affect physical operations, even if an OT network is protected, if the OT process relies on processes in the IT network.
Cyber threat to water treatment
Over half of the publicly reported cyberattacks with OT consequences in 2023 affected the manufacturing sector. But if there is one sector to worry about more than others it is probably water.
Late last November, around 180 families in the Irish villages of Binghamstown and Drum lost water for two days, due to loss of water pressure at a local pumping station. The cause was a cyber attack probably carried out by Iranian Cyber Av3ngers, part of a larger campaign targeting Unitronics pump controllers.
While such stories are still rare, water systems combine a dangerous mix of low difficulty and high impact for hackers.
“In the United States, the vast majority of the 20,000-plus drinking water treatment utilities are tiny. Tiny. The vast majority of the 200,000-plus wastewater treatment systems are the same thing. And realistically, with whatever budget these utilities have, almost all of it goes to people with trucks and backhoes digging holes in the ground,” Ginter explains. “Add to that continued pressure to automate water systems to reduce costs: many of these systems are regulated [because they’re local monopolies], and every regulator wants to reduce costs and reduce tariffs, so there is constant pressure for automation. All modern automation involves computers, which means more targets for cyber attacks.”
These systems have no security budget, so with the growing threat of hacktivist attacks and pressure to automate their operations, they are in danger, he notes, creating “a growing problem for all the nation’s small communities.”