The 2024 Threat Report: Prioritizing Cyber Security Spending
Threat reports provide information that decision makers need to prioritize spending
Rees Machtemes, P.Eng.
For two years, I’ve been the lead threat researcher at Waterfall and co-author of our annual joint Threat Report with ICSStrive. It’s been a rewarding journey because the report helps practitioners explain to non-technical business decision makers why we need to spend money and effort on OT security. The report weeds through all recent public incidents affecting operational technology (OT) targets to identify only those attacks with physical consequences.
There are many cyber security threat reports published annually, each supported by an organization with some interest or stake in industry. When creating our threat report, we wanted ours to be as credible as possible. Credible is believable. To that end, we chose to use only information disclosed in public, and transparently publish our entire data set.
In my experience, too many decision-makers dismiss other threat reports because they mix in near misses and don’t highlight attacks with real physical consequences. Likewise, decision makers tend to dismiss unfocused reports that fail to distinguish between IT and OT systems, or don’t distinguish between data breaches and operational shutdowns. Some reports go as far as counting each dropped packet at firewalls as a unique incident or report on what consequences might have happened, rather than those that did. Credibility is essential to prioritizing investments in remediation.
Threat Reporting Benefits Stakeholders
What makes an incident worth including in our report? In short, we include incidents that our customers are asking for. No, I don’t mean they are asking for an incident! I mean that critical and industrial asset owners and OT cyber security practitioners are often asking for examples of real-life cyber attacks that cause physical consequences. Practically, executives are facing calls to invest to address both opportunities and risks and need to know how much trouble they are in risk-wise. Will the cyber defenses they have, or are thinking of deploying, really work? Is the expenditure required proportional to the consequences? Are the threats credible and have they impacted our peers in similar industries with the same concerns?
What Are The Incident Inclusion Criteria?
The inclusion criteria we settled on were that cyber incidents must:
- Have occurred in or after 2010,
- Be deliberate in nature,
- Result in physical consequences,
- Have impacted manufacturing, building automation, heavy industry, or critical industrial infrastructures, including transportation of people and goods,
- Be found in the public record, and
- Pass a credibility test.
The complete data set of all such incidents is published in Appendix A of the 2024 Threat Report.
Deliberate Attacks since 2010
All incidents in the report are deliberate cyberattacks – not operational errors and omissions, nor reliability defects in hardware and software – that resulted in outages or incidents. This may seem obvious, but this criterion rules out incidents that were first reported as possible cyber attacks, but later found to be otherwise.
Choosing to report on incidents since 2010 was no accident. While there are some incidents we could have included prior to Stuxnet, like Maroochy Shire (2001), we had to have a time-bound limit on reporting. Those of us who have been around OT security long enough will know that 2010 was the year Stuxnet was discovered. Still the most sophisticated malware ever created, Stuxnet deliberately caused sabotage to industrial control systems and marked a turning point in OT/industrial cyber security.
Impacting Safe, Continuous Operations in Heavy Industries
The incidents we track are those that resulted in physical consequences, including production outages, equipment damage, environmental disasters and injuries or casualties – not just data theft or clean-up costs – in a group of related industries. For example, power plant owners and operators won’t see retail supermarkets as a related industry whose cyber attacks are relevant, but will likely care about attacks on water treatment and distribution, another critical industrial infrastructure.
While the inclusion criteria seem clear cut, what is surprising is that there are many edge cases. Consider a hypothetical incident at a supermarket chain. If that chain shuts down retail locations because of an attack on their business point of sale (POS) systems, in an abundance of caution over the fear of leaking credit card and customer data, we will not report the attack. That’s a classic attack on IT systems. If, however, the main distribution center’s cold storage temperatures were tampered with, compromising food safety in their supply chain, we will count it. That would constitute an OT systems attack with a considerable cost and health and safety impact on building management systems (BMS) in the food and beverage industry.
In an actual edge case example, we counted the March 2023 cyber attack against Alliance Healthcare, which halted their operations. Alliance is the dominant pharmaceutical logistics/transportation provider for hospitals, clinics, and pharmacies in Spain’s Catalonia region, so the attack severely impacted dependent health-care providers. The threat report research team ruled that Alliance was in-scope as they provide transportation and logistics, even though health care services provided by their customers were not in scope.
Insights Not Opinions
Note that while the annual report does not track consequential cyberattacks in other industries or critical infrastructures such as telecommunications outages, canceled surgeries at hospitals, or most retail store shutdowns, readers interested in these other kinds of attacks can consult the ICS STRIVE incident repository, which tracks a wider variety of incidents than is covered in the report, and/or consult the other incident data sources listed in Appendix B of the 2024 Threat Report.
Readers will recognize our report is an understatement of the problem, because we include only incidents in the public record. Every practitioner knows of a handful of incidents that were never made public, and so we are often asked “how much have we missed?” There is no clear answer – every member of the research team has a different opinion as to what was missed. The best answer is perhaps: “It doesn’t matter.” With consequential cyber attacks nearly doubling annually, it will take only a small number of years until we see a ten-fold increase over today’s numbers, and another few years before we see a hundred-fold increase. In practice, this real insight tends to be more convincing than a wide variety of “expert opinions.”
Conclusion
Tracking and filtering through the volume of incidents arriving at all hours can be fun but also all-consuming. Lately, I find myself in demand as contacts and colleagues around the world rush to send me new incidents. Some I’ve already seen in a scripted kludge of alerts and feeds, but I’m often surprised at those few incidents that my automation didn’t catch. I’ve also learned to tame my expectations as not every incident ends up being a big deal, or credible enough to publish, even though I know the next “big one” could come anytime. Still, there’s great satisfaction in knowing that my work informs decision makers in the trenches on the front line against criminal ransomware and rising nation-state threats. This report is credible and believable, which helps to “shake the money loose.” The time has come to do something about these very real and believable risks to industrial and critical infrastructure.
I welcome any feedback or questions that you may have, so feel free to reach out to me on my LinkedIn.