Dragos 2021 Industrial Control System (ICS)/Operational Technology (OT)
Industry: Critical Infrastructure | Level: Tactical | Source: Dragos
Dragos provides insight into the impact of cybersecurity incidents on Industrial Control System (ICS)/Operational Technology (OT) environments during 2021. Within the ICS sector, the report identifies manufacturing as the most targeted industry, with 211 ransomware compromises, followed by food and beverage with 35 and transportation with 27. The most heavily impacted manufacturing subsectors were metal products, automotive and plastics technology. Overall, attacks were largely attributed to LockBit 2.0 and Conti, which accounted for 51% of all attacks and 70% of the attacks targeting manufacturing. Targeting of the manufacturing sector is often attributed to a lack of information security practices, with Dragos citing poor perimeter security, external connectivity and the use of shared credentials. A Dragos engagement with an electric operator identified a compromise that was made simpler by poor network controls: "Because of a weak security posture and no network segmentation, the adversary gained access to the domain controller and other key systems at the plant." The attacker's initial tactic was a smash and grab, exfiltrating data of interest and then laying low for a week. Following the week of silence, the attackers moved to ransomware deployment: they "deployed scripts and tools to weaken the company’s defenses, such as Microsoft Defender, and deployed ransomware through the Group Policy, WinRM, and PSExec-as-a-service to most systems on the network," and attempted to hinder forensic analysis by clearing Windows logs and disabling logging.
- Anvilogic Use Cases:
- Modify Group Policy
- WinRM Tools
- Remote Admin Tools
- Clear Windows Event Logs
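The tradecraft described above (log clearing, PsExec-as-a-service, WinRM lateral movement, Group Policy modification and Defender tampering) maps onto a handful of Windows event types. The following is an added example of a toy detection pass over constructed sample events; it is not detection content from Dragos or Anvilogic. Event IDs and field names follow Microsoft's documented Windows event schema (Security 4688/1102/5136, System 7045, Defender Operational 5001); the host names, user names and command lines in the sample records are invented.

```python
"""Toy detection pass for the tradecraft in the Dragos engagement summary.

Added example, not detection content from Dragos or Anvilogic. Event IDs and
field names follow Microsoft's documented Windows event schema; the sample
records below are constructed to illustrate each use case.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    event_id: int
    channel: str
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry (not real log data): one record per use case,
# plus two benign records that must not fire. Note that 4688 only carries
# CommandLine when "Include command line in process creation events" is enabled.
SAMPLE_EVENTS = [
    Event(4688, "Security", {"NewProcessName": r"C:\Windows\System32\wevtutil.exe",
                             "CommandLine": "wevtutil cl Security"}),
    Event(1102, "Security", {"SubjectUserName": "svc_backup"}),
    Event(7045, "System", {"ServiceName": "PSEXESVC",
                           "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(4688, "Security", {"NewProcessName": r"C:\Windows\System32\winrs.exe",
                             "CommandLine": "winrs -r:hmi-01 cmd /c whoami"}),
    Event(4688, "Security", {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
                             "CommandLine": "powershell -nop -w hidden -enc AAAA"}),
    Event(5136, "Security", {"ObjectClass": "groupPolicyContainer",
                             "AttributeLDAPDisplayName": "gPCMachineExtensionNames"}),
    Event(5001, "Microsoft-Windows-Windows Defender/Operational", {}),
    Event(4688, "Security", {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                             "CommandLine": "notepad.exe runbook.txt"}),
    Event(7045, "System", {"ServiceName": "BackupAgent",
                           "ImagePath": r"C:\Program Files\Backup\agent.exe"}),
]


def rule_clear_event_logs(ev):
    """1102 (Security log cleared), 104 (System log cleared) or wevtutil cl."""
    if ev.event_id == 1102 and ev.channel == "Security":
        return True
    if ev.event_id == 104 and ev.channel == "System":
        return True
    if ev.event_id == 4688:
        exe = ev.fields.get("NewProcessName", "").lower()
        cmd = ev.fields.get("CommandLine", "").lower()
        return exe.endswith("wevtutil.exe") and re.search(r"\b(cl|clear-log)\b", cmd) is not None
    return False


def rule_psexec_as_service(ev):
    """PsExec installs its PSEXESVC service on the target (System 7045).
    Caveat: PsExec -r renames the service, so also baseline unusual 7045s."""
    if ev.event_id != 7045 or ev.channel != "System":
        return False
    name = ev.fields.get("ServiceName", "").lower()
    path = ev.fields.get("ImagePath", "").lower()
    return "psexesvc" in name or "psexesvc" in path


def rule_winrm_tools(ev):
    """WinRM client tooling, or any process spawned by the WinRM host process."""
    if ev.event_id != 4688:
        return False
    exe = ev.fields.get("NewProcessName", "").lower()
    parent = ev.fields.get("ParentProcessName", "").lower()
    cmd = ev.fields.get("CommandLine", "").lower()
    if exe.endswith(("winrs.exe", "winrm.cmd")) or "winrm.vbs" in cmd:
        return True
    # wsmprovhost.exe hosts inbound PowerShell remoting sessions; its children
    # are commands executed by a remote caller.
    return parent.endswith("wsmprovhost.exe")


def rule_modify_group_policy(ev):
    """Directory Service object changes (5136 modify, 5137 create) on GPOs."""
    if ev.event_id not in (5136, 5137):
        return False
    return ev.fields.get("ObjectClass", "").lower() == "grouppolicycontainer"


def rule_defender_tamper(ev):
    """Defender 5001 (real-time protection disabled) or Set-MpPreference -Disable*."""
    if ev.channel == "Microsoft-Windows-Windows Defender/Operational" and ev.event_id == 5001:
        return True
    if ev.event_id == 4688:
        cmd = ev.fields.get("CommandLine", "").lower()
        return "set-mppreference" in cmd and "-disable" in cmd
    return False


RULES = [
    ("Clear Windows Event Logs", rule_clear_event_logs),
    ("Remote Admin Tools", rule_psexec_as_service),
    ("WinRM Tools", rule_winrm_tools),
    ("Modify Group Policy", rule_modify_group_policy),
    ("Defender tampering", rule_defender_tamper),
]


def run_detections(events):
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


def summarize(hits):
    """Count hits per rule; a cluster of these on one host in a short window is
    the pattern the engagement narrative describes."""
    return dict(Counter(name for name, _ in hits))


if __name__ == "__main__":
    for name, i in run_detections(SAMPLE_EVENTS):
        print(f"{name:26s} <- event {i} (ID {SAMPLE_EVENTS[i].event_id})")
    print(summarize(run_detections(SAMPLE_EVENTS)))
```

Each rule on its own is noisy in a real plant network (administrators do use PsExec and WinRM); the value is in correlating several of them on the same host within a short window, which is what the week-long dwell followed by mass deployment and log clearing in the narrative would produce.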