Most industrial companies have a low level of protection against cyberattacks despite being the second most common target for cybercriminals after government institutions, according to analysis by Russian cybersecurity provider Positive Technologies.
In a report published last week, the company said that its analysis of industrial companies’ IT networks revealed low levels of protection for Internet-connected networks and industrial systems, poor network segmentation, device configuration and password management, and the use of outdated software.
As a result, an external hacker could penetrate 91% of industrial companies’ networks, it found. Once inside, hackers could obtain full control of industrial systems in 100% of cases, and steal sensitive data in 69%.
Why do cybercriminals target industrial companies?
The potential impact of cyberattacks on industrial companies has been evident this year. The Colonial Pipeline hack in May disrupted fuel supplies to several states in the US, triggered a spike in fuel prices, and caused huge queues at petrol stations. In June, a ransomware attack against JBS, the world’s largest processor of fresh pork and beef, halted operations in Australia, the US and Canada. In both cases, the affected companies paid millions in ransom and the incidents prompted US president Joe Biden’s administration to escalate government measures against cybercrime.
Positive Technologies’ analysis revealed that data theft, not direct financial gain, is the most common objective of cyberattacks on industrial companies: data theft was identified as the objective in 84% of cyberattacks in 2020, with direct financial gain a distant second at 36%. That said, one motivation for stealing data might be to extract a ransom from target companies: ‘double extortion’, in which criminals threaten to publish their victims’ data online, is an increasingly common tactic among ransomware groups.
Are industrial companies soft targets?
Cyberattacks on all industries have increased during the pandemic, as cybercriminals have exploited anxieties about Covid-19 and the shift to remote working. But the susceptibility of industrial companies also reflects the vulnerability of industrial control systems used to operate equipment.
According to industrial cybersecurity company Claroty, the number of disclosed vulnerabilities in industrial control systems (ICS) has been rising steadily over recent years, with the first half of 2021 seeing 637 ICS vulnerabilities, almost as many as in the whole of 2018.
The majority of vulnerabilities discovered in the first six months of this year (71%) were deemed high severity or critical, according to Claroty. And the industrial sector is highly dependent on external support to identify these vulnerabilities: 81% were identified by sources outside the affected industrial companies, such as research organisations, third-party businesses and academics.
What can industrial companies do to improve cybersecurity?
Although it is not possible to eliminate the risk of cyberattack, the measures that industrial companies take to protect networks – such as blocking certain ports or updating outdated protocols – are insufficient to address common vulnerabilities and exposures (CVEs), according to the Claroty report. The most impactful measures are network segmentation (ensuring that critical systems are isolated from vulnerable networks) and securing remote access, the company finds.
As an example of the importance of remote access security, Claroty points to an incident at a water treatment facility in Oldsmar, Florida, in February 2021, in which an intruder was able to increase the levels of sodium hydroxide in drinking water to 111 times the amount used for water purification – a level dangerous to human health if consumed. The intruder used a legitimate remote desktop connection via TeamViewer to tamper with the chemical levels until his access was cut off by operators. Thanks to safeguards typical of water-treatment plants, the contaminated water never reached consumers.
Positive Technologies argues that industrial companies put “blind faith in the reliability of security automation tools, and do not put infrastructure robustness to the test”. It advocates for external security assessments – a service it provides, but one that cybercriminals themselves recommend too. An alleged member of the LockBit ransomware gang, interviewed by cybersecurity intelligence provider KELA, advised companies to employ full-time 'red teams' to test their defences.