Cyber attacks targeting OT a pivotal shift for Australian organisations

Dragos

Wednesday, 19 June, 2024

Dragos has released its Australian 2023 OT Cybersecurity Year in Review report, providing an overview of the significant cybersecurity trends impacting industrial infrastructure organisations.

Of the 905 global ransomware incidents impacting industrial organisations last year, 13 incidents involved Australian organisations. Several incidents, such as DP World Australia, brought into focus the possibility of cascading effects and impacts of ransomware on industrial operations, supply chains and consumers.

“With each passing year, the number of ransomware incidents globally climbs even higher, leading to cascading impacts for virtually every industrial sector, particularly manufacturing,” said Hayley Turner, Area Vice President of Dragos Asia Pacific. “Meanwhile, the number of vulnerabilities present in industrial control systems continues to grow exponentially, along with the adversaries’ appetite to exploit them.”

Based on Dragos customer engagements across various industries within the past year, the electric, oil and gas, water, and manufacturing sectors made moderate improvements in their ICS/OT cybersecurity posture on average, but industrial organisations still struggle with passwords, and still more are unable to detect threats to their ICS/OT environments.

“Now is the time to take bigger strides,” Turner said. “Addressing this challenge requires coordinated efforts from partners across Australia’s cybersecurity community and, when necessary, emergency measures to mitigate adverse effects on critical business operations and the communities they serve.”

Key vulnerability findings

In 2023, Dragos saw the emergence of three new threat groups, including VOLTZITE linked to Volt Typhoon, and found that ransomware continued to be the most reported cyberthreat among industrial organisations with a nearly 50% increase in reported incidents. Globally, Dragos now tracks 21 threat groups engaged in OT operations in 2023.

Of the three new groups, VOLTZITE targets electric power generation, transmission and distribution, and has also been observed targeting research, technology, defence industrial base, satellite services, telecommunications and educational organisations. The group overlaps with Volt Typhoon, a group that the US Government publicly linked to the People’s Republic of China. The group’s threat activities include living-off-the-land techniques, prolonged surveillance, and data gathering aligned with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia–Pacific region. The group has traditionally targeted US-based facilities but has also been seen targeting organisations in Africa and South-East Asia.

Additional global findings include:

  • 80% of vulnerabilities reside deep within the ICS network.
  • 16% of advisories were network exploitable and perimeter facing.
  • 53% of the advisories analysed could cause both a loss of view and loss of control, up from 51% in 2022.
  • 31% of advisories contained errors and Dragos provided mitigations for 49% of the advisories that had none.

Key ransomware findings

Ransomware remains the number one attack globally in the industrial sector, increasing 50% from 2022. Globally, Lockbit caused 25% of total industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9% each. The manufacturing sector continues to be the primary target of ransomware and accounted for 71% of all ransomware attacks. Ransomware groups do not explicitly target ICS and OT, but risks to these environments are introduced by precautionary operations shutdowns to limit the impact of an attack, flattened industrial networks, and the integration of ICS/OT kill processes into ransomware strains.

The LockBit 3.0 compromise in November of DP World Australia, which handles 40% of goods coming in and out of Australia, led to the shutdown of land-side port operations for three days while the incident was contained. Though no ransomware was deployed in this case, it was not until 10 days after first detecting the incident that DP World Australia was able to clear 100% of the backlog, comprising 30,137 containers.[1]

Threats to Australian infrastructure escalated

Australia’s Cyber and Infrastructure Security Centre (CISC) and a joint effort by agencies from the Five Eyes intelligence alliance shed light on the intensifying OT cyberthreat landscape, with a sharp focus on foreign espionage and interference as prime threats to critical infrastructure.[2]

The Australian Signals Directorate’s Annual Cyber Threat Report[3] revealed a 50% jump in cyber incidents targeting such infrastructure, highlighting the alarming trend that these sectors are increasingly targeted for geopolitical advantage. The involvement of sophisticated threat groups underscores the critical necessity for robust cybersecurity measures and the importance of private and public partnerships in Australia and internationally. Reinforcing cybersecurity defences and forging strong international alliances are paramount for safeguarding national interests and ensuring the resilience of critical infrastructure in the face of complex, escalating threats.

Key steps taken to ensure security of Australia’s critical infrastructure

In 2023, the CISC advanced its efforts to bolster national cybersecurity and resilience, particularly in ICS/OT environments, where the challenge of detecting sophisticated threats is increasingly paramount. Key initiatives include the publication of critical infrastructure asset class definition guidance on 12 May 2023, aimed at enhancing operational resilience across 22 sectors, and the activation of the Critical Infrastructure Risk Management Program. The program, part of a trio of security obligations introduced by recent amendments to the Security of Critical Infrastructure Act 2018, alongside Mandatory Cyber Incident Reporting and the Critical Infrastructure Asset Register, marks a strategic endeavour to elevate Australia’s critical infrastructure security.

“These steps signal the urgency and importance of robust asset monitoring, intelligence-based detections for sophisticated threats, and a coordinated response to safeguard essential services that Australians rely upon,” Turner concluded.

The Dragos Australian 2023 OT Cybersecurity Year in Review report, and the accompanying executive summary, can be downloaded here.

1. DP World 2023, Media Statement: Update on Cybersecurity Incident, <https://www.dpworld.com/australia/news/releases/media-statement-update-on-cybersecurity-incident/>

2. Cyber and Infrastructure Security Centre 2023, Critical Infrastructure Annual Risk Review: First Edition November 2023, Department of Home Affairs, <https://www.cisc.gov.au/resources-subsite/Documents/critical-infrastructure-annual-risk-review-first-edition-2023.pdf>

3. Australian Signals Directorate 2023, ASD Cyber Threat Report 2022-2023, <https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023>
