Rising cyber threats to improperly configured operational technology devices
Cyber threats against U.S. industrial sites have shifted noticeably since late 2023, with a rise in politically motivated attacks on critical infrastructure such as water and wastewater treatment systems.
Industrial providers often run infrastructure that is decades old and lacks basic protections against modern threats. State-linked groups and their affiliates have exploited this weakness, using ransomware-as-a-service and supply chain attacks, and attacks surged by roughly 30% across 2023 and 2024.
These groups have moved away from complex exploits toward straightforward credential-based intrusions, which bypass the traditional network perimeter rather than breaching it and expose weaknesses that the perimeter was assumed to cover. Water and wastewater treatment plants are key targets given their critical societal role and their historically weaker OT cybersecurity.
Chief Information Security Officers (CISOs) play a pivotal role in mitigating these risks. They must adopt a Zero Trust security posture, assuming that breaches will happen and restricting access accordingly, and implement multi-layered defenses that cover OT environments as well as IT networks, with better threat detection, incident response, and patch management.
Coordination with government agencies on updated regulations, funding, and information sharing is also critical, because federal policy has lagged behind the evolving industrial threat landscape.
The earliest attacks were carried out by threat groups affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), targeting Unitronics programmable logic controllers, which are widely used in U.S. facilities. The risk posed by internet-exposed devices extends beyond the water sector to industries such as power generation and heating, ventilation, and air conditioning systems.
These attacks primarily target poorly secured devices that run outdated software or still use default passwords. In late May, Rockwell Automation released an advisory urging customers to disconnect devices from the internet because of heightened geopolitical tension, but it did not say whether the advisory was prompted by any specific threat or attack.
Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, asking the question: Are we a target? Chris Grove, director of cybersecurity strategy at Nozomi Networks, stated that organizations need more people and budget to manage risks, monitor, react, and implement necessary mitigation measures.
In May, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), together with foreign partner agencies, warned that pro-Russia threat groups were targeting water and other critical infrastructure by manipulating human machine interfaces (HMIs). Microsoft Threat Intelligence researchers reported that these attacks were not limited to public sector facilities but also affected private companies in several countries.
As the threat landscape continues to evolve, industrial providers must prioritize cybersecurity measures to protect their critical infrastructure and ensure public safety.
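The two conditions the article describes, OT devices reachable from the internet and HMIs being manipulated through remote access, can both be checked from ordinary firewall or flow logs. The following Python script is an added example, written for this page and not taken from the article, any agency advisory, or a vendor: it parses flow records and reports OT or HMI service ports reached from outside the plant's own address ranges, and, as a Zero Trust check, internal hosts reaching those ports without being on an approved engineering-workstation list. The internal address ranges, the port-to-service table, the approved workstation address, and the flow lines are all constructed for illustration and are not from the article.

```python
import ipaddress
from collections import defaultdict

# Assumed plant address ranges (hypothetical; take these from the site's asset inventory).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed OT and HMI service ports; this table is an assumption, not from the article.
OT_PORTS = {
    20256: "Unitronics PCOM",
    502: "Modbus/TCP",
    44818: "EtherNet/IP",
    5900: "VNC (HMI remote access)",
}

# Constructed sample flow records (not real traffic): src_ip,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
# src,dst,dport,proto,bytes
203.0.113.45,10.20.5.12,20256,tcp,1840
10.20.1.7,10.20.5.12,20256,tcp,920
198.51.100.9,10.20.5.30,502,tcp,310
192.168.4.20,10.20.5.31,5900,tcp,52000
203.0.113.45,10.20.5.31,5900,tcp,78000
10.20.1.7,10.20.5.40,443,tcp,1200
"""


def parse_flows(text):
    """Parse CSV-style flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def is_external(ip):
    """True when the address lies outside the plant's own ranges.

    An explicit list of internal networks is used instead of ipaddress.is_private
    so that partner, cloud or documentation ranges are never silently trusted.
    """
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_ot(flows):
    """Map each OT/HMI host to the services reached from external addresses."""
    exposed = defaultdict(lambda: defaultdict(set))
    for f in flows:
        svc = OT_PORTS.get(f["dport"])
        if svc and is_external(f["src"]):
            exposed[f["dst"]][svc].add(f["src"])
    return {dst: {svc: sorted(srcs) for svc, srcs in svcs.items()}
            for dst, svcs in exposed.items()}


def find_unapproved_ot_access(flows, approved_sources):
    """Zero Trust check: internal sources reaching OT/HMI services without being
    on the approved engineering-workstation list."""
    hits = set()
    for f in flows:
        svc = OT_PORTS.get(f["dport"])
        if svc and not is_external(f["src"]) and f["src"] not in approved_sources:
            hits.add((f["src"], f["dst"], svc))
    return sorted(hits)


def report(flows, approved_sources):
    """Render both findings as one line per (host, service) pair."""
    lines = []
    for dst, svcs in sorted(find_exposed_ot(flows).items()):
        for svc, srcs in svcs.items():
            lines.append(f"EXPOSED     {dst} {svc} reached from {', '.join(srcs)}")
    for src, dst, svc in find_unapproved_ot_access(flows, approved_sources):
        lines.append(f"UNAPPROVED  {src} -> {dst} {svc}")
    return lines


if __name__ == "__main__":
    # Assumed approved engineering workstation (hypothetical address).
    for line in report(parse_flows(SAMPLE_FLOWS), approved_sources={"10.20.1.7"}):
        print(line)
```

On the constructed sample this flags the PLC and Modbus host reached from outside the plant, the HMI whose VNC port is reached from the same external address, and an internal host that talks to the HMI without being an approved workstation. The first finding is the one the Rockwell advisory addresses (take the device off the internet, or put it behind a VPN and firewall, and replace any default password); the last is why the article's Zero Trust point matters: once credentials are stolen, a perimeter check alone says nothing about who inside the network should be talking to a controller.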
- To counter the rising threat of politically motivated cyberattacks on U.S. critical infrastructure, industrial providers need to adopt a Zero Trust security posture, secure both IT networks and OT environments, improve threat detection and response, and implement multi-layered defenses.
- Given the heightened geopolitical tension, corporations must understand the risk calculus of their technology stacks, since poorly secured, internet-exposed devices can become targets for state-sponsored cyberattacks.
- With pro-Russia threat groups targeting water and other critical infrastructure by manipulating human machine interfaces, both public sector facilities and private companies across multiple countries need better threat intelligence to protect their infrastructure.