ICS 2022 in Review: The Rise of PIPEDREAM and Ransomware Attacks
Threat actors targeting industrial control systems (ICS) broke new ground in 2022, escalating their capabilities to create the seventh ICS-impacting malware and increasing attacks against manufacturing, utilities, and the energy sector, according to an annual report by industrial cybersecurity firm Dragos.
The seventh malware, named PIPEDREAM, was created by a new threat actor group that appeared last year, called CHERNOVITE, and its toolkit is unique because it is the first reusable cross-industry capability that can impact native functionality in industrial protocols and a wide variety of devices—meaning it could potentially impact more than 51,000 industrial vendor systems.
Dragos assesses with high confidence that CHERNOVITE is a state actor and that PIPEDREAM was created to target electric and natural gas companies in the United States and Europe. Dragos worked with an undisclosed third party to discover and analyze the malware before it was used against a target.
“This is the closest we’ve ever had U.S. infrastructure go offline,” said Dragos CEO Robert M. Lee in a media briefing, emphasizing that CHERNOVITE is still active, working on the toolkit, and that Dragos expects to see it deployed in the future.
PIPEDREAM is the first malware that can be “disruptive and destructive” in control system environments across industry because the rise of digitization means that these environments are now more homogeneous, Lee explained.
Along with PIPEDREAM, Dragos also tracked an increasing number of ransomware attacks targeting manufacturing sectors. Seventy percent of the ransomware attacks the firm followed targeted manufacturers, up from 65 percent in 2021. One high-profile incident involved a Conti-related ransomware attack in February 2022 targeting Toyota plastic parts and electronic components supplier, Kojima.
“The incident suspended Toyota plant operations for several days,” the report explained, adding that during the incident Dragos observed communication between a Conti-controlled Emotet Tier 2 node and the networks of other global automakers. “Dragos observed numerous automotive organizations across North America and Japan frequently communicating with the Emotet C2 servers. Emotet is a malware strain and cybercrime operation that has precipitated ransomware events.”
Ransomware also affected the energy, agriculture, water, mining, and metals sectors, and was carried out by several different threat actor groups—some of which may have formed after Conti shut down its operations in May 2022. The Lockbit ransomware group, however, was responsible for the largest number of incidents targeting industrial organizations and infrastructure—28 percent of all attacks.
“Dragos assesses with moderate confidence that Lockbit 3.0 will continue to target industrial organizations and will pose a threat to industrial operations into 2023, whether through the Lockbit gang itself, or others creating their own version of Lockbit ransomware,” according to the report.
Forty percent of the ransomware incidents that Dragos tracked in 2022 were in North America (247 incidents), followed by Europe (32 percent, 194 incidents); Asia (18 percent, 109 incidents); South America (5 percent, 28 incidents); the Middle East (3 percent, 17 incidents); and Africa and Australia (1 percent, 5 incidents).
“There were multiple reasons for the increase in ransomware activity impacting industrial organizations, including political tensions, the introduction of Lockbit Builder, and the continued growth of ransomware-as-a-service (RaaS),” according to the report. “Dragos observed ransomware trends tied to political and economic events, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions.”
Ransomware will also continue to be a problem in 2023, as more new threat actors are likely to emerge and target higher-value industrial entities—such as vendors and suppliers—because of their interconnectivity with customers downstream.
“This is largely due to the criticality of operations and their reach into numerous OT environments, which often results in higher or more frequent ransom payouts,” the report explained.
When responding to these ransomware incidents, Lee said that limited visibility into networks remains a significant challenge. For instance, 89 percent of the manufacturers Dragos worked with to respond to an incident had “zero insights” into what was happening on their manufacturing line networks, and also had shared access and credentials between information technology (IT) and operational technology (OT) teams.
And it’s not just manufacturers. Of the organizations that Dragos worked with in 2022, 80 percent had extremely limited or no visibility into their OT environments (a slight drop from 86 percent in 2021). Fifty percent also had poor security perimeters, 53 percent had external connections to their ICS environments, and 54 percent lacked separate IT and OT user management.
“We are in some ways moving the needle, but I’d argue it’s not at the speed and velocity we need given the adversaries,” Lee said.
Along with increasing ransomware attacks, Dragos also tracked an uptick in the number of vulnerabilities impacting the industrial control sector: 2,170 common vulnerabilities and exposures (CVEs), an increase of 27 percent compared to 2021.
“One core metric, vulnerabilities that contain alternate mitigation, was very low at 24 percent,” according to the report. “The standard IT approach to vulnerability mitigation is a patch. To patch in the OT world often requires system and plant shut-downs. ICS/OT relies on alternative mitigation to both reduce risk and maintain production. The 76 percent of vulnerabilities that lack that mitigation makes maintaining operations very challenging.”
Additionally, Lee mentioned that many of the vulnerabilities discovered and shared with the ICS community provided bad guidance. Thirty-four percent of those disclosed in 2022 had incorrect data—such as the wrong software, hardware, or mitigation advice—he said.
It’s also important to keep vulnerability disclosures in perspective. Lee and his team follow the Carnegie CERT risk-based methodology—Now, Next, Never—when assessing how to approach a vulnerability.
- Now: has operational impact or is known to be actively targeted by adversaries. Address as soon as practicable.
- Next: a network-exploitable vulnerability with no direct operational impact, which may require an assessment before action is taken. Use mitigation measures such as ICS network monitoring, proper segmentation, and multi-factor authentication.
- Never: a possible threat that rarely requires action. Monitor for signs of exploitation.
When assessing 2022 vulnerabilities through this lens, 68 percent fell into the Next category, 30 percent fell into the Never category, and 2 percent fell into the Now category.
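As an added illustration (not code from the Dragos report or this article), the following Python sketch applies the Now, Next, Never criteria described above to a constructed set of vulnerability records, and also reports the share that ship an alternate mitigation, the metric the report flags as low; the record fields and placeholder CVE ids are assumptions.

```python
from dataclasses import dataclass
from collections import Counter

# Hypothetical record shape; the field names are assumptions, not Dragos's schema.
@dataclass(frozen=True)
class IcsVuln:
    cve_id: str                 # placeholder ids below, not real CVEs
    network_exploitable: bool
    operational_impact: bool    # loss of view / loss of control if exploited
    actively_exploited: bool    # known adversary targeting
    alternate_mitigation: bool  # vendor offers a mitigation other than a patch

ACTION = {
    "Now": "address as soon as practicable",
    "Next": "compensating controls: ICS network monitoring, segmentation, MFA",
    "Never": "no action required; monitor for signs of exploitation",
}

def triage(v: IcsVuln) -> str:
    """Now / Next / Never bucket, applying the criteria in the order the article gives."""
    if v.operational_impact or v.actively_exploited:
        return "Now"
    if v.network_exploitable:
        return "Next"
    return "Never"

def plan(vulns):
    """(cve_id, bucket, action, needs_outage); Next items with no alternate mitigation
    are flagged because the only remaining fix is a patch, i.e. a maintenance window."""
    rows = []
    for v in vulns:
        bucket = triage(v)
        needs_outage = bucket == "Next" and not v.alternate_mitigation
        rows.append((v.cve_id, bucket, ACTION[bucket], needs_outage))
    return rows

def summarize(vulns):
    """Percent per bucket, plus the share of vulns that ship an alternate mitigation."""
    total = len(vulns)
    counts = Counter(triage(v) for v in vulns)
    pct = {b: round(100 * counts[b] / total) for b in ("Now", "Next", "Never")}
    pct["alternate_mitigation"] = round(100 * sum(v.alternate_mitigation for v in vulns) / total)
    return pct

# Constructed sample: placeholder ids and invented attributes, for illustration only.
SAMPLE = [
    IcsVuln("CVE-PLACEHOLDER-01", True,  True,  False, False),  # Now: operational impact
    IcsVuln("CVE-PLACEHOLDER-02", True,  False, False, True),   # Next, mitigation available
    IcsVuln("CVE-PLACEHOLDER-03", True,  False, False, False),  # Next, patch-only
    IcsVuln("CVE-PLACEHOLDER-04", False, False, True,  False),  # Now: actively exploited
    IcsVuln("CVE-PLACEHOLDER-05", False, False, False, False),  # Never
    IcsVuln("CVE-PLACEHOLDER-06", True,  False, False, False),  # Next, patch-only
]
```

Running `plan(SAMPLE)` lists the two patch-only Next items as the ones that need a scheduled outage, which is the scheduling problem the report describes for the 76 percent of vulnerabilities without an alternate mitigation.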
A Bright Spot
While the state of ICS security might seem daunting, there was a bright spot in the 2022 assessment: new regulations that focus on performance-based standards to improve pipeline security. The Transportation Security Administration (TSA) introduced the new regulations (Pipeline-2021-02C) following listening sessions with the pipeline community, which require Cybersecurity Architecture Design Reviews (CADRs) every two years. TSA was prompted to roll out the regulations following the Colonial Pipeline ransomware incident.
“The oil and gas industry, at least those in scope of the Pipeline-2021-02C, score higher in three of the four key findings than the OT industry overall,” Dragos found when conducting CADRs for at least 20 percent of pipeline operators who are subject to the regulation. “For external connections, the oil and gas industry is on par with the OT industry overall. However, with the implementation of the Pipeline-2021-02C and its focus on identifying, limiting, and controlling external connections, Dragos expects this to improve in 2023.”
Lee added that their assumption is that the regulations are having a “positive impact on oil and gas” because they set out goals that are attainable while allowing operators to innovate in how they approach them. The regulations are “providing air cover that yes, you should go do security,” Lee said.
Regardless of sector, there are five critical controls practitioners can implement to enhance the security of their ICS/OT systems. The controls were crafted by Lee and Tim Conway for the SANS Institute and consist of the following measures:
- Have an ICS incident response plan
- Have a defensible architecture
- Have visibility and monitoring capabilities for your assets
- Secure remote access
- Adopt risk-based vulnerability management
The five controls “can be pursued in order and in concert with one another to create a robust ICS cybersecurity program that is tailored to the risks facing the organizations,” according to the SANS whitepaper. “These prioritized critical controls can help guide organizations seeking recommendations and guidance on what to do next based on threat-informed activities instead of over- or under-investing.”
For more information or to read the Dragos report in full, visit its website here: ICS/OT Cybersecurity Year in Review 2022. For comparison to the 2021 report, read "Meet the Latest Players in ICS Intrusions." And for analysis from the 2020 report, check out previous coverage in the Critical Infrastructure issue of Security Technology.