Rockwell Automation, Inc. has announced the findings of its “Anatomy of 100+ Cybersecurity Incidents in Industrial Operations” report. Particularly, it noted rising incidents, majority of them are state-affiliated actors.

Accordingly, the global study conducted by Cyentia Institute analyzed 122 cybersecurity events. This included a direct compromise of operational technology (OT) and/or industrial control system (ICS) operations, collecting and reviewing nearly 100 data points for each incident.

The first edition of the report finds state-affiliated actors committed nearly 60% of cyberattacks against the industrial sector. Oftentimes, unintentionally enabled by internal personnel (about 33% of the time). This corroborates other industry research showing OT/ICS security incidents are increasing in volume and frequency. Consequently, it targets critical infrastructure, such as energy producers.

“Energy, critical manufacturing, water treatment, and nuclear facilities are among the types of critical infrastructure industries under attack,” said Mark Cristiano, commercial director of Global Cybersecurity Services at Rockwell Automation.

In addition, Cristian said, “Anticipating that stricter regulations and standards for reporting cybersecurity attacks will become commonplace. The market can expect to gain invaluable insights regarding the nature and severity of attacks and the defenses necessary.”

Based on incidents analyzed, key findings include:

• OT/ICS cybersecurity incidents in the last three years have already exceeded the total number reported between 1991-2000.
• Threat actors are most intensely focused on the energy sector (39% of attacks). Thus, over three times more than the next most frequently attacked verticals, critical manufacturing (11%) and transportation (10%).
• Phishing remains the most popular attack technique (34%). Hence, underscoring the importance of cybersecurity tactics such as segmentation, air gapping, Zero Trust and security awareness training to mitigate risks.
• In more than half of OT/ICS incidents, Supervisory Control and Data Acquisition (SCADA) systems are targeted (53%). On the other hand, Programmable Logic Controllers (PLCs) as the next most common target (22%).
• More than 80% of threat actors come from outside organizations. Yet, insiders play an unintentional role in opening the door for threat actors in approximately one-third of incidents.

Strengthening Security of IT Systems

In the OT/ICS incidents studied, 60% resulted in operational disruption and 40% resulted in unauthorized access or data exposure. However, the damage of cyberattacks extends beyond the impacted enterprise. It impacts 65% of the time the broader supply chains.

The research indicates strengthening the security of IT systems is crucial to combatting cyberattacks on critical infrastructure and manufacturing facilities. More than 80% of the OT/ICS incidents analyzed started with an IT system compromise. Particularly, attributed to increasing interconnectivity across IT and OT systems and applications.

The IT network enables communication between OT networks and the outside world and acts as an entryway for OT threat actors. Deploying proper network architecture is critical to strengthening an organization’s cybersecurity defenses. Furthermore, it is no longer enough to simply implement a firewall between IT and OT environments. Because networks and devices connect daily into OT/ICS environments, this exposes equipment in most industrial environments to sophisticated adversaries.

For that reason, having a strong, modern OT/ICS security program must be a part of every industrial organization’s responsibility. That is, to maintain safe, secure operations and availability.

The full findings of the report is available here.

Methodology

For this report, Rockwell Automation commissioned the Cyentia Institute to analyze data from 122 cybersecurity events across the globe. Particularly, those that occurred from 1982-2022. The Cyentia Institute’s team collected and analyzed nearly 100 data points surrounding individual incidents. The resulting report aims to share instructive insights about actual OT/ICS cybersecurity attack activity.