Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems

Attacks against industrial-control systems (ICS) and operational technology (OT) systems are increasing, as adversaries find weaknesses in IT networks that allow them to move into OT networks, according to a recent report from the SANS Institute.

The "State of ICS/OT Cybersecurity 2024" report is based on responses from cybersecurity professionals in various critical-infrastructure sectors. More non-ransomware incidents (74.4%) were reported than ransomware (11.7%) over the past year, according to the report.

Other initial attack vectors involved in OT/ICS incidents include compromising these systems by use of external remote services (23.7%) or Internet-accessible devices (23.7%), compromising employee workstations (20.3%) and removable media (20.3%), and a supply chain compromise (20.3%). It's worth noting that 18.6% of respondents said attackers attempted spear-phishing with an email attachment for the initial compromise.

Nearly one out of five (19%) of respondents reported one or more security incidents over the past year.

While only 12% of respondents reported being the targets of ransomware attacks in the past 12 months, the impact on the OT/ICS environment remains "potentially catastrophic," SANS said in the report. Of the organizations that reported a ransomware incident, 38% said only their IT network systems were impacted, while 28.6% said their OT/ICS networks were affected. Just 21% said both networks were impacted, and 38.1% said reliability and safety were compromised during those attacks.

"Although the overall trend [of ransomware] seems to have decreased, the impacts are still potentially catastrophic and should be considered for all ICS/OT-specific incident response programs," SANS said.