Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems

Attacks against industrial control systems and operations technology systems are increasing, as adversaries find weaknesses in IT networks that allows them to move into OT networks, according to a recent report from SANS.

The State of ICS/OT Cybersecurity 2024 report from SANS is based on responses from cybersecurity professionals in various critical infrastructure sectors. There were more non-ransomware incidents (74.4%) reported than ransomware (11.7%) over the past year, according to the SANS report.

Other initial attack vectors involved in OT/ICS incidents include compromising OT and industrial control systems by used of external remote services (23.7%) or internet-accessible devices (23.7%); compromising employee workstations (20.3%) and removable media (20.3%); and a supply chain compromise (20.3%). It's worth noting that 18.6% respondents said attackers attempted spear phishing with an email attachment for the initial compromise.

One out of five, of 19%, of respondents reported one or more security incidents over the past year.

While only 12% of respondents reported being the targets of ransomware attacks in the past 12 months, the impact on the ICS/OT environment remains "potentially catastrophic," SANS said in the report. Of the organizations who reported a ransomware incident, 38% said only IT network systems were impacted and 28.6% said OT and ICS networks were affected. Just 21% said both networks were impacted. More than a third, or 38.1%, said reliabiiy and safety was compromised during those attacks.

"Although the overall trend [ransomware] seems to have decreased, the impacts are still potentially catastrophic, and should be considered for all ICS/OT- specific incident response programs," SANS said.