Industrial sector faced supply chain attacks and ransomware offensives in 2021

Looking back at the key cybersecurity trends, 2021 was undoubtedly the year when the industrial sector had to reckon with serious ransomware offensives and supply chain attacks. The escalating threat landscape demonstrated that operational and production disruption is possible. Several times, once too often, these attacks came reasonably close to impacting the operational technology (OT) and industrial control systems (ICS) environments.

Ransomware offensives have emerged as the number one threat to national security, with continuous attacks launched against businesses and government, in healthcare, and across the critical infrastructure sector. Moreover, hackers made significant strides in 2021, as the number of high-profile ransomware offensives on industrial enterprises exceeded that for all previous years combined.

Supply chain cyberattacks are expected to quadruple in 2021 compared to last year, with growing impact in the form of system downtime, monetary loss, and reputational damage. These attacks also appear to have become particularly attractive to cybercriminals, given the chain reaction that an attack on a single supplier can trigger across the entire network of providers. In many instances, such attacks may even go undetected for a long time.

While the SolarWinds supply chain attack stands out in 2021 due to its sheer scale and influence, other serious supply chain attacks have occurred during the year, such as Codecov in April and Kaseya in July. Ransomware offensives on fuel pipeline company Colonial Pipeline, food cooperative NEW Cooperative, and meat processing company JBS Foods are amongst the numerous other attacks faced in 2021. The Colonial Pipeline attackers targeted the IT network, but operators stopped ICS operations for protection.

Going into 2022, an increase in data breaches will be far more significant. Moreover, these breaches may cost organizations and governments more to recover.

The ransomware incident set off policy initiatives within the U.S., with President Joe Biden issuing an Executive Order to strengthen cybersecurity. 2021 will also be looked back on as the year when the industrial sector was made to evaluate its cybersecurity position in the wake of executive orders, federal laws, and security directives. The administration also grappled with the escalating threat level, and it did bring about some initiatives to deal with it.

When it comes to attacking ICS networks, there has been an increase in public and non-public ransomware events affecting ICS environments. Ransomware families like EKANS, Megacortex, and Clop have already developed ICS-aware functionality to stop industrial processes.

Hackers have chosen the ransomware form of attack since victims are forced to pay the ransom amount to reduce operational downtime and safeguard reputation. Thus, adversaries are not likely to abandon launching ransomware offensives, thereby making such attacks a severe threat to national cybersecurity, especially for the critical infrastructure sector. In addition, the hackers collect the ransom but don’t always release the appropriate keys to their victims or may even choose to release confidential data on public sites.

Ransomware offensives have reached an ‘existential level’ as earlier ransomware attacks did not target the OT sector. It was also assumed that nation-states carried out such attacks. However, that image changed in 2021, with hacker groups often changing their attack techniques to launch attacks on the supply chain sector and then move into the organizational environment laterally to exploit other weaknesses. In addition, skills that were assumed only to lie with nation-states have regularly been used to wreak havoc over the years.

Organizational demands for remote visibility into industrial operations have largely contributed to the convergence of IT and OT systems. However, the digital transformations that enabled sought-after business advantages, including remote access and predictive maintenance, created new vulnerabilities to cyberattacks. Now, less sophisticated attackers could prey on infrastructure assets.

In a two-part series, Industrial Cyber has collected insights from the industrial cybersecurity sector and examines the role played by these events in 2021.

Instrumentation, controls, and control system cybersecurity expert Joe Weiss told Industrial Cyber that there had been a plethora of reports that the manufacturing and other critical infrastructures are being targeted. “For OT network security like IT network security, the obvious trends have been a cascade of malware and ransomware attacks. These cyberattacks were identified because network cyber monitoring is available, and network cyber security personnel are trained to find network cyberattacks.” Weiss is also a managing partner at Applied Control Solutions.

The same can’t be said for cyberattacks against control system devices, according to Weiss. “There are minimal control system cyber forensics and minimal cyber security training at this level.”

2021 continued to be dominated by ransomware attacks on critical infrastructure, John Cusimano, a managing director with Deloitte Risk & Financial Advisory, told Industrial Cyber. “What’s been different in 2021, is the swift regulatory response to industrial cybersecurity incidents. Other industry sectors–particularly maritime, air, and rail transportation–have also seen new regulatory requirements for cyber programs issued in the past year,” he added.

Ted Gutierrez, co-founder and CEO of SecurityGate.io, told Industrial Cyber that in addition to ransomware attacks that have also impacted OT operations, “we continue to see insider threat as a major challenge. Also, consolidation of critical infrastructure assets, reduced travel capabilities, and the limited number of qualified personnel in the ICS security space are driving new users to the program,” he added.

Responding to whether these threats led the sectors to boost their spending on cybersecurity, particularly on OT security, in 2021, the general consensus was that it did have a positive impact.

Weiss said, “I think it has, which can be seen in the amount of spending, the acquisitions, and the valuations of OT cyber security startups. However, the other question is how much has been spent on securing the control system devices and I think you will find that is a much lower number,” he added.

“Absolutely. Many of the incidents focused on OT security in 2021 made the public aware that critical infrastructure cyberattacks, at any level, can put lives at risk,” according to Cusimano. “While some companies within the industrial sector voluntarily responded to threat activity by boosting cyber spend and further honing programs, new and heightened regulatory scrutiny of industrial cyber programs stands to increase program investments and advancements industry-wide,” he added.

Gutierrez also identified that “we are starting to see C-Suite allocate more resources on the policy, process, and personnel training side of security.”

Weiss said he did not have an estimate of the cost of the impact of the cybersecurity and ransomware attacks on the operations of industrial and manufacturing organizations during 2021. “But whatever the number is, it is too high and irresponsible. Ransomware is an IT problem that should not be affecting operations.”

“There is a solution or at least a way to lessen the pain/attractiveness of ransomware attacks against control systems,” Weiss said. “Off-line monitoring of the process sensors has been proven to be unaffected by IT malware, including ransomware. Moreover, the off-line monitoring of the process sensors continues to function even if the OT network is down for any reason. That means there is a justification to continue operation, albeit not as efficiently as with the OT networks available, regardless of the malware on the IT, or even OT networks.”

Pointing to the fact that the Israeli Water Authority recognized that any IP network (IT or OT) could be hacked and went with process sensor monitoring, Weiss wondered, “Why hasn’t the US and elsewhere adopted this approach?”

Cusimano said that ransomware events are “very disruptive particularly when industrial operations are affected. In general, it takes weeks to resolve a cyber incident and the costs like company personnel, consultant/contractor personnel, downtime/lost revenue and ransom fees can easily become costly,” he added.

Gutierrez explained that SecurityGate.io does not “work on the incident response side of the equation, so we couldn’t estimate economic impacts on attacks. We did follow the major announced attacks closely and saw that some major companies made multi-million-dollar payouts to their attackers, some of which was recovered by the FBI.”

Companies should factor this information into business impact analysis efforts and work hard to quantify, mitigate, or transfer risk, he added.

2021 came in the middle of the raging COVID-19 pandemic, but cyber attackers did not spare even the healthcare sector by taking advantage of upheaval and disorder, looking for potential monetary gain. The pandemic brought its fair share of risk factors to healthcare delivery organizations (HDOs), with more instances of remote work, new systems to support it, staffing challenges, and high patient care requirements.

Apart from adversely impacting patient care, ransomware offensives on the healthcare sector can lead to more complications from medical procedures, delays in procedures and tests that result in poor outcomes, an upturn in patients transferred or diverted to other facilities, and longer lengths of stay.

Looking into how the pandemic affected cybersecurity at industrial enterprises and critical infrastructure and the impact on these environments, Weiss said that there are direct and indirect answers. “From a people perspective, COVID-19 has caused both more remote operation and also kept those people needed for facility operation isolated for extended periods of time,” he added.

Weiss added that another issue is the manufacturing of the COVID-19 drugs. “The pharmaceutical plants have been a target of ransomware as well as the hacking of the intellectual property. What is not clear is if there have been direct cyber impacts on the manufacturing.”

“Pandemic-driven workplace closures in 2020 and early 2021 slowed many companies’ OT cybersecurity program implementation, as a great deal of assessment and implementation work must be performed on-site,” according to Deloitte’s Cusimano. “However, progress picked up substantially in 2021 starting around March as companies started to loosen restrictions.”

Gutierrez said that with reduced travel, “we see more usage of the cloud for data insights and knowledge transfer. We see this continuing long-term based on the benefits incurred for management and their teams,” he concluded.

Source: Industrial Cyber