Ransomware, data breaches inundate OT & industrial sector

Three-quarters of industrial firms suffered a ransomware attack in the past year, with far more compromises affecting operational technology (OT) than ever before — representing a surge in attacks driven by both the industrial sector’s vulnerability and propensity to pay ransoms in order to remain operational.

In the past 12 months, more than half of industrial firms (54%) suffered a ransomware attack that impacted their operational technology, whether directly or because a linked IT system had been attacked, according to a report released by cyber-physical defense company Claroty on Dec. 6. The impact of the attacks on OT systems is a notable increase from the firm’s last report in 2021, when 47% of companies had ransomware impact their operations.

Indeed, attacks on industrial firms and critical infrastructure providers have become downright common. The Aliquippa Municipal Water Authority, located in Pittsburgh, recently suffered a site defacement after an Iranian-linked threat group known as Cyber Av3ngers forced it to shut down a water-pressure monitoring system and changed the site’s landing page. That incident turned out to be part of a wider spate of cyberattacks on water facilities across the US that started in late November. But it’s not just utilities in the sights: in February 2022, tire maker Bridgestone had to shut down its manufacturing networks for several days after the LockBit 2.0 ransomware group successfully breached its network.

While the Claroty survey shows that direct targeting of OT systems remained consistent over the two time periods, with more than a third of companies (37%) suffering attacks that affected both IT and OT systems in 2023, there has been a significant increase from the 27% of organizations suffering dual-impact attacks in 2021, say Grant Geyer, chief product officer at Claroty.

“The numbers — as astounding as they were last year — they continue to not only show the severity of the problem, but the fact that it’s an extremely viable business model and puts operations at risk, not just IT,” he says. “Because so many OT systems are Windows-based, the ransomware often spills over from the IT environment into the OT environment, because of poor or no segmentation.”

While the number of ransomware incidents against industrial firms has increased, they consistently account for a third of all attacks. Source: NCC Group.

Overall, the industrial sector has remained the top ransomware target every month for the past year, according to data from the NCC Group, a cybersecurity services firm. Ransomware attacks were up 81% in October, compared to the same month the previous year, and attacks on the industrial sector routinely represent a third of all ransomware incidents.

Threat activity has also increased overall because of recent geo-political conflicts, leading to industrial attacks by both state-sponsored actors and hacktivists, says Sean Arrowsmith, head of Industrials for the NCC Group.

“The ability to disable, and or cripple energy infrastructure can result in limited to no access for its consumers, adding to the instability and chaos that war and conflict bring,” he says. “These acts of sabotage play into the all-important power dynamics of international security issues.”

Industrials to Attackers: “Hey, We’ll Pay”

One reason for the attractiveness of attacking industrial companies: disruptions to operations result in a greater likelihood of pay ransoms. Typically, companies’ propensity to pay ransomware depends heavily on their revenue — smaller companies pay up 36% of the time, instead relying on backups, while larger companies pay 55% of the time, according to Sophos’ annual State of Ransomware report.

To read the complete article, visit Dark Reading.