This decade’s start has rocked the OT (operational technology) cyber security landscape. OT cyber security attacks at the beginning of this decade were rare, with just seven found on the public record. Most security professionals can recite the big ones without hesitation: Stuxnet, Triton, and Industroyer. But since 2020, it is much harder for anyone to keep track of them all. Our ongoing research shows that we are approaching one hundred publicly known cyber security incidents, having physical consequences to operations.
The following infographic reflects what we believe are the top ten most impactful attacks to operations. These attacks are chosen qualitatively, weighting the transformational value of the incident for the OT cyber security space.
Why are these OT cyber attacks so relevant?
To create this top 10 list, we dissected the OT and ICS cyber attacks on the record by evaluating the cause, the effect, and the sophistication of each one. The distinguishing trait shared by all is that they caused (or attempted to cause) physical consequences. This fact is transformative on the OT cyber attack’s impact assessment. To illustrate with a metaphor: the cyber attackers of the past were merely attempting to steal our wallet, but now they may also try to punch us in the face. In other words, the effects of the attack can be felt in our daily life. For example, the global ransomware attack on JBS Foods in May 2021 disrupted meat production in North America and Australia. This negatively impacted the supply and price of meat, and farmers with livestock operations.
Some of the attacks listed did not directly target operations, but they stopped operations as a result. This was the case at Supeo, where in Denmark, trains were indirectly brought to a standstill. This incident, is important despite the short period of operational downtime, because it shows the fragility of a critical network relying on IT dependencies for its daily functions.
Not only disruptions, but also fires and public safety
Most of the attacks were ransomware that for some reason or another affected operations. In other words, most of the reported attacks on OT can be labeled as unintended cyber-sabotage. But there were instances of deliberate sabotage, both attempted and successful. This is the case of the actions of Predatory Sparrow, a hacktivist group, who has attacked critical infrastructure in Iran. These attacks include controlling and changing rail signage, and causing a fire in the Khuzestan a Steel manufacturing plant. The latter attack was captured live on plant CCTV cameras, and the footage exfiltrated and posted to Twitter, by the Predatory Sparrow hacktivists. In 2022, a widely reported incident was the unsuccessful attempt to poison the water at Oldsmar’s treatment plant, by abusing a shared Team Viewer password. In this case an operator watched the attack unfold in real time and was able to take corrective action to prevent serious consequences to the public.
The OT Cyber Security Supply Chain
Arguably the SolarWinds attack did not cause any OT disruptions worth mentioning, and any on the public record. But all OT professionals worry about the implications of the attack because it’s a prime example of the risk in blindly trusting software supply chains. In this attack, the SolarWinds Orion product was trojanized by an unknown actor. Orion is commonly used by IT managed service providers (MSPs), which collectively serve more than 30,000 companies. According to press reports, the backdoor was inserted and delivered to 18,000 companies as part of a routine update. This is a classic software supply chain attack, and most OT security vendors and OT security programs are unable to detect it. Not long ago, OT systems were mostly immune, due to strong segmentation practices, but the increased connectivity between IT and OT networks permits a nightmare scenario were several network infrastructures can be affected at the same time.
Which three attacks on OT security are most impactful?
We already talked about the attack on the Khuzestan Steel manufacturing plant, which stands out due to the sophistication of the payload. That is also the case for the Industroyer2 malware attack, deployed during the current conflict between Russia and the Ukraine. While the attack failed to take the Ukrainian transmission grid offline, its modular framework based on the older Industroyer malware variant features a sophisticated payload, able to communicate with intelligent electric devices (IEDs) using standard electrical ICS protocols such as DNP3 and IEC61850.
But the one attack that has impacted policy, practices and even had political repercussions – that directly involved the president of the United States over gas shortages — was the Colonial Pipeline ransomware attack. The company shutdown the pipeline for five days, out of an “abundance of caution,” to ensure the malware did not spread from their IT-hosted billing system into their OT network. The attack was widely covered by the media, showing drivers across America facing long lineups at the pump caused by fears of a nation-wide gas shortage. For that reason, we place it as the number one cyber security OT incident in this list.
