Opinion: OT security landscape in 2023

By Julien Legrand, Head of Cyber Solutions at Thales
Jul. 26, 2023 9:00PM GMT+9

A growing number of business and industry leaders are concerned about the onslaught of cyberattacks targeting the operational technology (OT) they rely on for critical operations. According to a 2023 Blackberry research report [1] involving 1,500 manufacturing IT decision-makers worldwide, 40% said they are most concerned that hackers can execute attacks via connected devices, including IoT. Also, 29% expressed concerns over malicious insiders gaining access to sensitive data, while 23% fear ransomware attacks constantly threatening crucial OT. In addition, a 2023 report [2] on OT cybersecurity found that three-quarters of OT organizations suffered an intrusion in 2022, with malware (56%) and phishing (49%) attacks leading the pack.

◇ Common types of attacks

A 2023 research report by cybersecurity firm Bridewell [3] revealed increased insider threats targeting critical national infrastructure organizations. The survey found a concerning surge, especially among organizations in the aerospace industry. Notably, 30% of the companies surveyed expect internal cybercrime to rise sharply, while 34% anticipate that tech-savvy individuals will increasingly perpetrate external attacks for financial and economic gain.

Furthermore, among the numerous security threats targeting OT, ransomware attacks are a major concern. Successful ransomware incidents can paralyze and disrupt essential daily operations, impacting the availability of critical applications, data, and systems. Moreover, the convergence of IT and OT means attackers can compromise OT at scale through a single vulnerable IT access point.

Hence, state-sponsored hackers and cybercriminal groups like Conti, Mythic Leopard, Berserk Bear, and Lazarus will focus more on disrupting mission-critical activities. “This yields maximum financial or political gain for the attacker,” explains [4] Simon Chassar, CRO at Claroty, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”

Supply chain attacks are also prevalent in most industries, including healthcare, finance, and aerospace. The aviation sector, for instance, has one of the most interconnected supply chains, which makes it an enticing target for numerous threat actors. Forty-seven percent of aerospace and defense organizations [5] reported supply chain disruptions within the last twelve months, costing an average of $184 million per disruption.

“Supply chain attacks continue to evolve for both ICS hardware and software,” notes [6] Pascal Ackerman, GuidePoint Security’s senior security consultant for operational technology. Threat actors plant implants in automation equipment in order to compromise service providers and suppliers, establishing an initial foothold from which they carry out larger targeted attacks on specific ICS owners.

◇ Who are the threat actors?

OT is a prime target for a wide range of threat actors because of its strategic importance, its technological advancements, and the sensitive information it holds. These threat actors include:

  • State-sponsored actors: Nation-states engage in cyber espionage to gain strategic advantages. They target OT and ICS to steal classified information, trade secrets, and sensitive military technologies. Countries like China, Russia, North Korea, and Iran are known to have active state-sponsored cyber capabilities. Adlumin security researchers recently discovered malware that suspected nation-state threat actors [7] use to target the US aerospace industry to maintain persistent remote access and exfiltrate data to a command-and-control server.

  • Cybercriminal groups: These are organized criminal entities that operate for financial gain. They target OT organizations for various reasons, including stealing intellectual property, conducting ransomware attacks to extort money, or engaging in identity theft and fraud. Many cybercrime groups have advanced technical skills and use sophisticated hacking techniques. Groups like Babuk [8] and Grief [9] have been known to launch ransomware attacks against companies in various industries, including the healthcare, manufacturing, and aviation sectors.

  • Hacktivists: Hacktivist groups carry out cyber-attacks to promote a political or ideological agenda. They may target OT organizations involved in controversial projects, military contracts, or environmental issues, with motivations ranging from activism to protesting perceived injustices. For example, Killnet, a hacktivist group, launched multiple DDoS attacks against airport websites [10] in 2022. The attacks stemmed from the crisis between Ukraine and Russia and targeted websites owned by NATO member countries.

  • Insiders: Insider threats are the most dangerous actors because they already hold authorized access to sensitive systems, networks, or data. They typically abuse their privileges to steal sensitive data or collaborate with external malicious actors to commit cybercrimes. Insiders may be current or former employees, contractors, or business partners. Unlike other threat actors, they can be particularly damaging because they combine legitimate access with insider knowledge.

About the author

Covering the Asia region, Julien Legrand is the Head of Cyber Solutions at Thales, and a highly experienced industrial cybersecurity professional passionate about staying at the forefront of technology and cybersecurity. With over twelve years of experience in the field, he has a proven track record of designing, implementing, and continuously improving security controls that align with best practices and risk appetite. He has worked across various industries, including but not limited to aviation, energy, manufacturing, and transportation, and has a deep understanding of these industries’ cybersecurity challenges. In addition to his work as a cybersecurity professional, Julien is a regular speaker at external conferences in Asia and is a technology writer for international newspapers. He holds a master's degree in computer science, cryptography, and network security. He is studying for a Master of Business Administration (MBA) at the University of Hong Kong.