Analyzing OT Cyberattack Stats: Find your “Why”

I believe in lifelong learning. If I am not working directly on a project, I am searching for ideas for the next one by looking for a spark of inspiration and devouring any piece of content I can find. This week, while researching, I stumbled across a report from Rockwell Automation called “Anatomy of 100+ Cybersecurity Incidents in Industrial Operations,” which I had not seen yet (and I highly recommend). It was done in collaboration with Cyentia Institute, a cybersecurity industry research firm. 

Before I continue, let me just say I LOVE statistics. Give me a bunch of statistics, and I will always seek to understand “Why?” Simon Sinek popularized the “Find Your Why” concept, but I have always wanted to understand. You know those annoying kids who constantly ask, “Why?” when you are explaining something? I was one of those kids…

In our recent webinar on GenAI, I discussed state-sponsored attacks and the dangers to critical infrastructure. The findings of the Rockwell report confirmed many of the things we have been talking about in the OT world and the webinar specifically:

1. Critical Infrastructure attacks are increasing, and 60% are targeted for disruption rather than financial gain.
2. Nearly 60% of attacks are nation-state-sponsored.
3. Phishing is the most popular attack technique (PASSWORDS BAD!)

There were some new statistics in the report that confirmed some of my beliefs and educated me with new data:

1. SCADA systems are the ultimate target 49% of the time, with PLCs being second at 20%.
2. Most OT incidents start with attackers gaining access to IT networks (80%).
3. Attacks are intensely focused on energy (60%).
4. 2022 saw a 2000% increase in reconnaissance targeting Modbus/TCP port 502, a commonly used industrial protocol.
5. Broader Supply chains are affected 65% of the time, i.e., other plants or facilities close because of the failure of one facility.

So….Why?

The stats above are technically interesting, but statistics alone are not enough. Let me build a causality chain for you based on the above statistics that would be what an analyst might present to an executive who doesn't need to know the details but what is happening and what to do.

What is happening:

“State-sponsored hackers are using phishing to compromise the IT accounts of critical infrastructure facilities, primarily energy, to attack the OT networks and disrupt their operations.”

What to do:

“We need to move to a phishing-resistant solution like passwordless MFA, prevent reconnaissance of OT devices and protocols, and separate the OT security solution/network from the IT security solution/network to minimize impact across our critical infrastructure.”

See what I did there ;-)?

I do have some good news for you….BlastWave can help accomplish these things. Check out the webinar, where we discuss some of these issues and demonstrate our solution.