Forescout Technologies, Inc. has released a new report, “Rise of Disruptionware: A Cyber-Physical Threat to Operational Technology Environments”, that explores how the nature of cyber-attacks is changing.
The research found that, while the traditional concept of malware damaging operations for monetary gain is still present, a new breed of attacks - “disruptionware” - is wreaking havoc in networked industrial control system (ICS) and operational technology (OT) environments.
The research, conducted in partnership with the Institute for Critical Infrastructure Technology (ICIT), examines the attack patterns targeting critical industry sectors like manufacturing, energy and transportation, including ransomware, disk-wiping malware and similarly disruptive malicious code. It found that ‘bad actors’ without extensive technology know-how are targeting industrial equipment with inadequate protection mechanisms to suspend operations, disrupt continuity and disseminate deliverables in order to target productivity rather than extract money for financial gain.
These low-sophistication attacks are becoming increasingly consequential to the operator community. For instance, in March 2019, Norsk Hydro, one of the largest aluminum producers in the world, disclosed that some of its systems had been infected by LockerGoga ransomware, affecting its operations worldwide. Norsk declined to pay the ransom and instead engaged its incident response procedures and reverted to backup and redundancy infrastructure. Nevertheless, a week after the attack, it estimated its losses at $40 million despite reporting a full recovery.
“We see many of these challenges first-hand at Forescout because we support many of the world’s largest ICS and OT-dependent organisations,” commented Ryan Brichant, the company’s CTO for Critical Infrastructure, ICS and OT. “Our team understands that in the world of pipelines, factories and power plants, digital hazards consist of much more than just malicious intruders – any type of outage or disruption, even if due to false-positives or errors, still causes harm. But there is common ground that can be found under security and modernisation as these disruption-sensitive industries push toward new software and connectivity technologies.”
The report outlines several steps that companies need to focus on to better protect themselves, including planning for and implementing security-by-design controls, developing an incident response plan, increasing device visibility across the converged IT/OT environment and segmenting networks.