According to a new report from cybersecurity company FireEye, cyberattacks against operational technology (OT) and control systems are increasing, but the attack methods are not all that sophisticated.
The company says it continues to observe a growing number of simple attacks in which threat actors with varying levels of skill and resources use common IT tools and techniques to gain access to, and interact with, internet-accessible OT systems.
In the blog, the company highlighted several public and non-public attacks, but didn’t specify victim names. However, the blog comes after several OT-related cyber incidents, including the Colonial Pipeline ransomware attack and the compromise of a Florida city water system.
“Although none of these incidents have appeared to significantly impact the physical world, their increasing frequency and relative severity calls for analysis on their possible risks and implications,” the company’s blog said.
FireEye’s Mandiant Threat Intelligence group says such activity typically doesn’t target specific organizations, but instead is driven by threat actors “motivated to achieve ideological, egotistical or financial objectives by taking advantage of an ample supply of internet-connected OT systems.”
The company says it has monitored threat actors that claim to share or sell access to internet-exposed OT systems since at least 2012, and the frequency and severity of these incidents has picked up in the last few years.
This activity impacts a broad range of industries, including solar energy panels, water control systems, building automation systems and security systems.
These systems are typically compromised through insecure remote access services such as virtual network computing (VNC) connections. Graphical user interfaces also become “low-hanging fruit” for process-oriented OT attacks because they provide a user-friendly representation of complex industrial processes, enabling actors to modify control variables without prior knowledge of the process.
The motivations for these attacks are just as broad, with some purely opportunistic while others appear to be politically motivated.
One such attack included accessing the building automation system of a major international hotel chain location in Australia.
Since these attacks don’t require a great deal of sophistication, FireEye warns that threat actors are learning more about OT systems after each attack is publicly disclosed.
To help prevent them, FireEye advises organizations to:
- Remove OT assets from public-facing networks, deploy access controls and monitor for unusual activity
- Apply common network-hardening techniques to remotely accessible and edge devices
- Determine if relevant assets are discoverable using online scanners
- Maintain situational awareness on threat actors’ interest in cyber physical systems and the development of OT exploits
- Configure HMIs and other control system assets to enforce acceptable input ranges and prohibit hazardous variable states.
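The last recommendation, enforcing acceptable input ranges and prohibiting hazardous variable states at the HMI or controller, is the one that still holds when an attacker already has a VNC session in front of a graphical interface. The following is an added illustration of that idea, not code from FireEye or from any product: a write guard that sits between operator input and the process state, rejects values outside a per-tag range, and rejects any write that would put the process into a forbidden combination of variables (an interlock). The process (a heater with a coolant loop), the tag names, the limits and the interlock rule are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class VariableLimits:
    low: float
    high: float

# Constructed per-tag acceptable ranges (hypothetical process, not a real site).
LIMITS: Dict[str, VariableLimits] = {
    "heater_setpoint_c": VariableLimits(20.0, 90.0),
    "coolant_flow_lpm": VariableLimits(0.0, 30.0),
}

# Interlocks: predicates over the *proposed* full state that must stay true.
# Constructed rule: running the heater above 60 C requires at least 10 L/min of coolant.
INTERLOCKS: List[Tuple[str, Callable[[Dict[str, float]], bool]]] = [
    ("heater above 60 C requires coolant flow >= 10 L/min",
     lambda s: s["heater_setpoint_c"] <= 60.0 or s["coolant_flow_lpm"] >= 10.0),
]

AuditEntry = Tuple[str, str, float, Optional[str]]  # (verdict, tag, value, reason)

class SetpointGuard:
    """Validates every write request before it reaches the process state.

    Range checks stop single out-of-bounds values; interlocks stop writes that are
    individually in range but hazardous in combination with the rest of the state.
    """

    def __init__(self, limits: Dict[str, VariableLimits],
                 interlocks: List[Tuple[str, Callable[[Dict[str, float]], bool]]]):
        self.limits = limits
        self.interlocks = interlocks
        self.audit: List[AuditEntry] = []  # every decision is recorded for monitoring

    def _reject(self, tag: str, value: float, reason: str) -> bool:
        self.audit.append(("REJECT", tag, value, reason))
        return False

    def request_write(self, state: Dict[str, float], tag: str, value: float) -> bool:
        # Unknown tags are never written, regardless of value.
        if tag not in self.limits:
            return self._reject(tag, value, "unknown tag")
        if not isinstance(value, (int, float)):
            return self._reject(tag, value, "non-numeric value")
        lim = self.limits[tag]
        if not (lim.low <= value <= lim.high):
            return self._reject(tag, value,
                                f"outside acceptable range [{lim.low}, {lim.high}]")
        # Evaluate interlocks against the state as it *would* be after the write.
        proposed = dict(state)
        proposed[tag] = float(value)
        for description, holds in self.interlocks:
            if not holds(proposed):
                return self._reject(tag, value, f"would violate interlock: {description}")
        state[tag] = float(value)
        self.audit.append(("ACCEPT", tag, value, None))
        return True

def run_demo() -> Tuple[Dict[str, float], List[AuditEntry]]:
    """Replays a constructed sequence of HMI writes and returns the final state and audit log."""
    guard = SetpointGuard(LIMITS, INTERLOCKS)
    state = {"heater_setpoint_c": 40.0, "coolant_flow_lpm": 5.0}  # constructed starting state
    guard.request_write(state, "heater_setpoint_c", 1100.0)  # rejected: out of range
    guard.request_write(state, "heater_setpoint_c", 85.0)    # rejected: coolant too low
    guard.request_write(state, "coolant_flow_lpm", 15.0)     # accepted
    guard.request_write(state, "heater_setpoint_c", 85.0)    # accepted now that coolant is up
    guard.request_write(state, "coolant_flow_lpm", 2.0)      # rejected: would starve the heater
    return state, guard.audit

if __name__ == "__main__":
    final_state, log = run_demo()
    for entry in log:
        print(entry)
    print("final state:", final_state)
```

The audit list is the piece that serves the first recommendation (monitor for unusual activity): a burst of rejected writes from one operator session is a far more specific signal than raw VNC connection logs, and it is available even when the remote access path itself was not logged.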