IBM Security reports drop in ICS vulnerabilities, as manufacturing sector victimized in 58 percent of incidents

The number of industrial control system (ICS) vulnerabilities discovered in 2022 fell for the first time in two years, to 457, down from 715 in 2021 and 472 in 2020, according to IBM Security's latest annual report. One explanation lies in ICS lifecycles and in how such systems are managed and patched in general. The report also found that the manufacturing sector was the most targeted in 2022, accounting for 58 percent of the incidents that IBM's X-Force team assisted in resolving.

Attackers know that, with demand for minimal downtime, long equipment lifecycles and older, less-supported software, many ICS components and operational technology (OT) networks remain exposed to old vulnerabilities. Industrial infrastructure typically stays in place for many years longer than standard office workstations, which extends the useful life of an ICS-specific vulnerability well beyond that of one affecting IT.

“2022 saw the discovery of two new OT-specific pieces of malware, Industroyer2 and INCONTROLLER, also known as PIPEDREAM, and the disclosure of many OT vulnerabilities called OT:ICEFALL,” IBM Security wrote in its X-Force Threat Intelligence Index report. The OT cyber threat landscape is expanding dramatically, and OT asset owners and operators need to be keenly aware of the shift.

“X-Force looked more closely at OT-specific network attack and IR data to help derive insights on how threat actors are seeking to compromise clients in OT-related industries. Network attack data shows brute force attacks, use of weak and outdated encryption standards and weak or default passwords are common alerts in these industries’ IT and OT environments,” the report said. “Alerts indicating probable brute force attempts were most common among Incident Command System (ICS)-specific network attack data, followed closely by weak encryption alerts.” 

Earlier this month, Dragos said that ransomware attacks on industrial infrastructure organizations nearly doubled in 2022, with over 70 percent of all ransomware activity focused on manufacturing. Attackers continue to target multiple manufacturing sectors and subsectors, and as ransomware activity increases so does the risk to OT networks, particularly those with poor segmentation.

The IBM report added that the most common weak encryption alerts concerned the continued use of Transport Layer Security (TLS) 1.0, an outdated protocol version that was formally deprecated in March 2021 (RFC 8996). “Though the US government recommends reconfiguration to use TLS 1.2 or 1.3, National Institute of Standards and Technology (NIST) guidelines address in more depth the common reality. This reality is that older systems may need to continue using weaker versions of encryption to ensure continued functionality.” 
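As an added illustration (example code written for this page, not from the IBM report or from X-Force tooling), the logic a network sensor needs to raise the "weak encryption" alert described above. It parses a captured TLS ServerHello, because the version the server actually negotiates is what matters, and it handles the TLS 1.3 case where the legacy server_version field still says TLS 1.2 and the real selection sits in the supported_versions extension. The sample records are constructed inside the code, not real captures.

```python
"""Flag deprecated TLS versions from captured ServerHello records.

Added example for this page; the sample records below are constructed,
not real captures.
"""
import struct
from typing import Optional

TLS_VERSIONS = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
# SSL 3.0 was deprecated by RFC 7568, TLS 1.0/1.1 by RFC 8996 (March 2021).
DEPRECATED = {0x0300, 0x0301, 0x0302}
HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x02, 0x002B


def negotiated_version(record: bytes) -> int:
    """Return the protocol version a ServerHello actually selects.

    Walks record header -> handshake header -> ServerHello body. If a
    supported_versions extension is present (TLS 1.3), its value overrides
    the legacy server_version field, which TLS 1.3 pins to 0x0303.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + hello[pos]             # session_id is length-prefixed
    pos += 2 + 1                      # cipher_suite + compression_method
    if pos + 2 <= len(hello):         # extensions block is optional
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_size == 2:
                (version,) = struct.unpack("!H", hello[pos:pos + 2])
            pos += ext_size
    return version


def weak_tls_alert(record: bytes) -> Optional[str]:
    """Alert text if the negotiated version is deprecated, otherwise None."""
    v = negotiated_version(record)
    name = TLS_VERSIONS.get(v, f"unknown(0x{v:04x})")
    return f"weak encryption: server negotiated {name}" if v in DEPRECATED else None


def build_server_hello(legacy_version: int, selected: Optional[int] = None) -> bytes:
    """Constructed minimal ServerHello record (test data, not a capture)."""
    hello = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"  # version, random, empty session_id
    hello += b"\x00\x2f" + b"\x00"                                      # TLS_RSA_WITH_AES_128_CBC_SHA, null compression
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected) if selected is not None else b""
    hello += struct.pack("!H", len(exts)) + exts
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!H", legacy_version) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    samples = {
        "legacy HMI":        build_server_hello(0x0301),          # TLS 1.0
        "patched historian": build_server_hello(0x0303),          # TLS 1.2
        "modern gateway":    build_server_hello(0x0303, 0x0304),  # TLS 1.3 via supported_versions
    }
    for host, rec in samples.items():
        print(f"{host:18s} {weak_tls_alert(rec) or 'ok'}")
```

The same condition can be checked by hand against a live host with `openssl s_client -connect host:443 -tls1`, which fails the handshake if the server refuses TLS 1.0. In line with the NIST caveat the report cites, the sensible action in an OT environment is to alert and inventory the offending hosts rather than to block the traffic, since a legacy HMI or historian may have no newer stack to fall back on.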

It added that weak or default password alerts were also notable, especially since these are basic weaknesses that make brute force attacks easier for attackers. Widespread and likely indiscriminate internal and external vulnerability scanning was the most common attack attempt observed against OT-related industries.

The second most common attack attempt, however, targeted a vulnerability dating back to 2016: CVE-2016-4510, a filter bypass in Trihedral's VTScada application that could allow unauthenticated users to send HTTP requests that access files, IBM Security disclosed. “Further highlighting the risks of older threats are attack types, like WannaCry and Conficker, which continue to pose significant threats to OT,” the report added.

Looking at the subset of incidents in OT-related industries, manufacturing was the most attacked sector in 2022, targeted in 58 percent of the incidents that X-Force assisted in remediating. Deployment of backdoors was the top action on objective, identified in 28 percent of manufacturing cases. Ransomware actors in particular find the industry an attractive target, likely because of these organizations' low tolerance for downtime. 

The report also analyzed initial access vectors in OT-related industries. Spear phishing accounted for 38 percent of cases (attachments 22 percent, links 14 percent, spear phishing as a service 2 percent). Exploitation of public-facing applications came second at 24 percent, mirroring the overall industry trend. Backdoors were the leading action on objective in these industries at 20 percent of cases, followed by ransomware at 19 percent. Extortion remained the most common impact, at 29 percent of cases, with data theft second at 24 percent.

“The shift towards detection and response has allowed defenders to disrupt adversaries earlier in the attack chain – tempering ransomware’s progression in the short term,” Charles Henderson, head of IBM Security X-Force, said in a media statement. “But it’s only a matter of time before today’s backdoor problem becomes tomorrow’s ransomware crisis. Attackers always find new ways to evade detection. Good defense is no longer enough. To break free from the never-ending rat race with attackers, businesses must drive a proactive, threat-driven security strategy.”

Another major weakness exploited in OT is the lack of proper segmentation between OT and IT networks, the IBM Security report disclosed. The X-Force Red Adversary Simulation Services team targets weak segmentation to reach supposedly isolated OT environments, typically through jump servers, dual-homed operator workstations, and reporting servers such as data historians that expose web and SQL services from OT to corporate IT networks. Properly segmenting these parts of the network and closely monitoring the traffic that crosses between them can keep assets safe.
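To make the segmentation point concrete, here is an added example (written for this page; not X-Force Red's tooling and not data from the report) that checks observed flows and a host inventory against an IT / DMZ / OT policy. The zone ranges, the allowed-path table, the hostnames and the flows are all constructed assumptions. The allow-list encodes the model the report implies: IT reaches the historian's web and SQL services and the jump host only in the DMZ, OT pushes data outward to the DMZ, and nothing crosses IT to OT directly. The inventory check catches the dual-homed operator workstation that bridges the zones regardless of what the firewall permits.

```python
"""Check observed flows and host inventory against an IT / DMZ / OT
segmentation policy.

Added example for this page. Zones, ports, flows and hostnames are
constructed assumptions, not data from the IBM report.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Assumed zone layout: the DMZ holds the data historian and the jump host.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

# Allow-list of (src_zone, dst_zone, dst_port). Any other flow that crosses
# a zone boundary is a violation; traffic inside one zone is not judged here.
ALLOWED = {
    ("IT",  "DMZ", 443),    # users read the historian's web UI
    ("IT",  "DMZ", 1433),   # reporting servers query the historian's SQL
    ("IT",  "DMZ", 3389),   # RDP lands on the jump host, never on OT
    ("OT",  "DMZ", 1433),   # historian collector pushes data outward
    ("DMZ", "OT",  3389),   # jump host reaches operator workstations
}

Flow = Tuple[str, str, int]   # (src_ip, dst_ip, dst_port)


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def check_flows(flows: Iterable[Flow]) -> List[str]:
    """Return one violation line per cross-zone flow not on the allow-list."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue
        if (sz, dz, port) not in ALLOWED:
            violations.append(f"{sz}->{dz} {src} -> {dst}:{port} not permitted")
    return violations


def dual_homed_hosts(inventory: Dict[str, List[str]]) -> List[str]:
    """Hosts with interfaces in more than one zone bridge the segmentation
    whatever the firewall says; the report names operator workstations."""
    bridged = []
    for host, addrs in sorted(inventory.items()):
        zones = {zone_of(a) for a in addrs} - {"UNKNOWN"}
        if len(zones) > 1:
            bridged.append(host)
    return bridged


# Constructed sample data (not a real capture or CMDB export).
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.5.20", "10.20.0.10", 443),    # IT user -> historian web UI: allowed
    ("10.10.7.3",  "10.20.0.10", 1433),   # report server -> historian SQL: allowed
    ("10.30.1.5",  "10.20.0.10", 1433),   # OT collector -> historian: allowed
    ("10.10.5.20", "10.30.1.20", 3389),   # IT -> operator workstation RDP: violation
    ("10.10.9.9",  "10.30.2.40", 502),    # IT -> PLC Modbus: violation
    ("10.30.1.5",  "10.30.2.40", 502),    # OT-internal Modbus: out of scope
]
SAMPLE_INVENTORY = {
    "hist01": ["10.20.0.10"],
    "opws01": ["10.30.1.20", "10.10.5.21"],   # dual-homed operator workstation
    "plc-line2": ["10.30.2.40"],
}

if __name__ == "__main__":
    for line in check_flows(SAMPLE_FLOWS):
        print("VIOLATION ", line)
    for host in dual_homed_hosts(SAMPLE_INVENTORY):
        print("DUAL-HOMED", host)
```

Feeding real flow records (NetFlow, firewall logs or span-port captures) through `check_flows` turns the report's advice to "closely monitor communication" across the boundary into a concrete, repeatable check; the allow-list doubles as the specification the firewall rules should implement.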

IBM Security reported that, for the second year in a row, the Asia-Pacific region was the most-attacked region, accounting for 31 percent of the incidents to which X-Force IR responded in 2022. Europe followed closely with 28 percent and North America with 25 percent. Asia-Pacific and Europe both grew as a share of cases, up five and four percentage points respectively from 2021, while the Middle East dropped sharply from 14 percent to 4 percent. 

The report also disclosed that extortion was the most common attack impact on organizations. “At 27%, extortion was the clear impact of choice by threat actors. Victims in manufacturing accounted for 30% of incidents that resulted in extortion, as cybercriminals continued the trend of exploiting a strained industry,” it added. 

Phishing remains the leading infection vector, identified in 41 percent of incidents, followed by exploitation of public-facing applications in 26 percent, the report revealed. “Infections by malicious macros have fallen out of favor, likely due to Microsoft’s decision to block macros by default. Use of malicious ISO and LNK files escalated as the primary tactic to deliver malware through spam in 2022.”

IBM Security also reported an increase in hacktivism and destructive malware. Russia’s war in Ukraine opened the door to what many in the cybersecurity community expected to be a showcase of how cyber enables modern warfare. Although the direst cyberspace predictions had not come to fruition as of publication, there was a notable resurgence of hacktivism and destructive malware. X-Force also observed unprecedented shifts in the cybercriminal world, with increased cooperation between cybercriminal groups and Trickbot gangs targeting Ukrainian organizations.

Earlier this month, Forescout Technologies’ Vedere Labs published research on deep lateral movement, examining how attackers can move between devices and reach OT networks at the controller, or Level 1, layer.

It details how attackers can cross security perimeters in interfaced Basic Process Control System (BPCS)/Safety Instrumented System (SIS) architectures, or perform fine-grained manipulation of equipment on fieldbus networks nested behind programmable logic controllers (PLCs). Such moves bypass the functional and safety constraints that would otherwise prevent the cyber-physical attacks with the most serious consequences.
