The SolarWinds attack proved to be one of the ‘most successful espionage operations ever discovered,’ in addition to highlighting the risks to end users who have limited agency over the software used within their networks, Nozomi Networks Labs said in its latest ‘OT/IoT Security Report.’ Cyber threats to industrial and critical infrastructure are on the rise.
The SolarWinds supply chain attack led to the infection of thousands of primarily U.S.-based organizations, said Nozomi on Thursday, urging asset owners to re-evaluate the attack surfaces of their operational technology (OT) and Internet of Things (IoT) systems, and reassess supply chain risks.
Cyber threats in industrial and critical infrastructure reached new heights as threat actors doubled down on high value targets, Nozomi said. With industrial organizations ramping connectivity to accelerate digital transformation and remote work, threat actors are weaponizing the software supply chain and ransomware attacks are growing in number, sophistication and persistence.
Outlining the biggest threats and risks to OT and IoT environments, the Nozomi report lists 18 specific threats that IT and OT security teams must examine as they model threat vectors and evaluate risks across OT systems.
“This report leaves no doubt that the time for action is now,” said Moreno Carullo, Nozomi’s co-founder and CTO, in the press statement. “The recent Oldsmar, Florida, water system attack and the ongoing SolarWinds investigation are dramatic reminders that the critical infrastructure and other systems that we rely on are vulnerable and at constant risk of attack. Understanding the effectiveness of defenses against the emerging threat and vulnerability landscape is vital to success.”
The SolarWinds attack also reflects the most important recent vulnerability trend: supply chain research and exploitation. It is an example of a threat actor very carefully selecting widely used software as its supply chain target, wrote Alessandro Di Pinto in a company blog post. “This attack highlights the risks to end users who have limited agency over the software used within their networks,” he added.
Apart from the SolarWinds attack, Nozomi identifies a software supply chain threat from embedded components, as exemplified by the Ripple20 vulnerabilities identified in the TCP/IP stack from Treck. Attack surface reduction and network segmentation are the ideal counters to supply chain risks, the Nozomi report said. In addition, OT and IoT network monitoring is a key technology that helps define the attack surface and detect anomalous activity indicative of an advanced threat.
Nozomi also emphasized that ransomware threat actors dominate the threat landscape, doggedly targeting organizations they believe can pay lucrative ransoms. Apart from demanding financial payments, these cyber attackers are exfiltrating data and compromising networks for future nefarious activities. The sophistication of ransomware criminals is increasing, as more are using combinations of strategies and threat vectors. A prime example is the Ryuk ransomware group, which is estimated to be behind a significant percentage of all ransomware attacks last year.
Nozomi also investigated 151 industrial advisories published by ICS-CERT and classified them into Common Weakness Enumeration (CWE) categories. Memory corruption errors are the dominant type of vulnerability for industrial devices, and Nozomi expects this situation to continue, as many industrial control systems (ICS) assets lack intrinsic security and receive limited security oversight. CWE is the universal online dictionary of weakness types identified in computer software.
In a threat landscape where ransomware organizations are attacking companies indiscriminately, it is vital to understand which vulnerabilities are under active exploitation. The risk is heightened by the fact that nation-state groups are utilizing non-zero-day vulnerabilities to conduct sophisticated attacks, the Nozomi report said. Organizations should focus on identifying unpatched software and implementing update or mitigation policies. Subscribing to threat intelligence services helps by providing current OT and IoT threat and vulnerability intelligence.
Moving beyond 2020, a year of unprecedented change, Nozomi expects OT and critical infrastructure systems to be more important than ever to healthcare, economies, and societies. Companies that move forward with improving OT/IoT visibility, security, and threat intelligence are best able to ensure the availability, safety and confidentiality of their operational systems.
With increasing and evolving cyber threats, understanding the effectiveness of defenses against the emerging threat and vulnerability landscape is vital. By providing current threat and vulnerability analysis, with recommendations, the OT/IoT Security Report aims to help organizations assess and enhance their security posture.