Real Cyberthreats to Your Operational Technology

What can manufacturers do to protect against increasing, aggressive cyberattacks on IT and OT systems? Learn from real cases.

By Richard Springer, Director of Marketing, OT Solutions, Fortinet

When controls for physical equipment connect to enterprise computer networks and the cloud, the digital attack surface expands, allowing cyberattackers to penetrate industrial organizations in new ways. As a result, the process of digital transformation (DX) increases cyberthreat vectors through the interconnection with IT and the addition of cloud-based Industrial Internet of Things (IIoT).

This means that industrial breaches — by either attacking IT systems in the operational technology (OT) network or targeting OT-specific devices — are more frequent, with bad actors aggressively scouting their next targets.

IBM Security X-Force reports a 2,204% increase in reconnaissance against OT. Manufacturers have been a particularly enticing target, with a full 75% of all ransomware attacks in the first quarter of 2022 targeting the manufacturing sector. Future attacks are expected to continue the disruption by incorporating “OT kill” processes into new strains of ransomware. Learn more by downloading our white paper, “A Solution Guide to Operational Technology Cybersecurity,” at fortinet.com/ot.

The fact is there are no safe havens — today’s targets (and threats) are global in scope. And while motivation for attacks varies from monetary to political and everything in between, the result is nearly always crippling for the affected organization. Let’s examine some real examples.

Supplier Breach Shuts Down Toyota Plant Operations

Kojima Industries is a key Toyota parts supplier, providing parts for seats and other vehicle components. When Kojima was hit by a cyberattack in March 2022, it forced Toyota to shut down 28 production lines at 14 of its Japanese plants.

The attack is thought to be the result of Emotet malware, possibly entering the Kojima system using authentication information stolen from infected devices of Toyota employees. The virus — and a threatening message — were discovered through a file server error and confirmed after a server reboot.

An ominous fact is that 80% of Kojima’s staff had undergone in-house training on information security.

With the lack of parts disrupting Toyota’s just-in-time manufacturing model, the breach is said to have caused a serious 5% dip in the company’s monthly production capability.

Danish Infrastructure Attacked

In May 2023, Danish critical infrastructure was attacked in a large-scale cyber event involving 22 different companies over several days. In addition to causing alarm and distress, the bad actors gained access to some of the individual company industrial control systems, which resulted in these companies disconnecting from the Internet.

SektorCERT, a nonprofit cybersecurity center funded by Danish critical infrastructure companies and operating 270 network sensors across its members’ infrastructure, first detected the attack. The incident followed the public disclosure of a vulnerability in a security appliance used to protect critical infrastructure networks and devices. Although SektorCERT warned its members to patch these devices, it became a race between patching and anyone exploiting the vulnerability.

On May 11, 16 different Danish targets were attacked by leveraging the vulnerability. Even though the first attack had been detected, several devices were still unpatched when the second attack occurred on May 22. The second attack exhibited DDoS characteristics, and at this point the member companies began to disconnect from the Internet.

Later, additional vulnerabilities were discovered, and follow-on waves of attacks continued to the point that several companies had to replace their security appliances.

Although some companies were offline for six days, there was not an interruption to infrastructure service delivery, but this could have ended differently if SektorCERT had not detected the initial intrusion.

Pipeline Shutdown Puts Company in Senate Hot Seat

A single stolen password — that’s all it took for hackers to launch a ransomware attack against Colonial Pipeline and disrupt fuel supplies to the entire southeastern U.S. In a Senate committee hearing following the attack, Colonial’s CEO admitted the attacker gained access through a legacy virtual private network (VPN) that didn’t require multi-factor authentication.

The breach’s impact was widespread. A jet fuel shortage caused airport disruptions, while fears of a gas shortage caused panic buying, increased prices and long lines at the pumps.

It was also expensive, as the company paid a ransom in Bitcoin worth about $4.4 million to stop the attack.

For Colonial, however, the costs went far beyond the ransom. Following the hearings, security experts roundly criticized the company for “poor cybersecurity hygiene,” and the Transportation Safety Agency (TSA) created new pipeline regulatory directives that will increase compliance costs for the entire industry.

To learn more about the Colonial Pipeline breach, check out The Journal’s “Automation Chat" podcast episode, “Lessons from the Colonial Pipeline Cyberattack & Steps to Take.” Listen on your podcast app or on the web, or watch the conversation on YouTube.

Global Attack on Farming Equipment Manufacturer

Hacker group Black Basta spared no locations in its attack on agricultural equipment and parts producer AGCO. On May 5, 2022, a ransomware attack shut down sites in the United States, Germany, China and France.

The attack, which occurred just weeks after an FBI warning about agriculture-related attacks, cost the company a long and expensive 15 days to fully restore its factories and parts operations. In addition to the loss of production capability, company data was also stolen during the attack.

With production stopped, line workers in France were forced to go home and take paid leave, while U.S. farmers found themselves without key equipment during the critical planting season.

Key Lessons from OT Cyberattacks

Sharing information about cyberattacks allows us to learn lessons that help everyone. Those lessons include the following.

  • Because OT has traditionally been isolated, security is not top of mind, and basic security hygiene is not implemented within many OT environments. Safety and security must be systemic within an organization to drive adoption of best practices.
  • Ransomware crews are the biggest threat actors and have demonstrated an ability to inflict global damage.
  • Spear phishing, compromised endpoints, and stolen credentials are common attack vectors. This underscores the necessity of two-factor authentication, employee security education, and continuous system monitoring for indicators of compromise (IOCs).
  • Attackers are gaining expertise in OT sabotage. They are developing, selling and buying specialized tool sets designed to penetrate OT protocols and equipment.
  • The cultural gap between IT and OT generates safety and security risks within organizations. Organizations where IT and OT are divided are especially susceptible to successful cyberattacks.
  • Segmentation is not commonplace within OT environments. As a result, the lack of segmentation is the most exploited weakness — in particular, inadequate segmentation between IT and OT networks. In addition, IT malware such as ransomware and worms is making its way into OT networks and moving laterally, because there is no real network segmentation in place to slow it down.
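To make the segmentation lesson concrete, the following is an added example, not code from the article, Fortinet or Rockwell Automation. It audits a firewall rule set against a simplified Purdue-style zoning model: every cross-zone allow rule must step through the industrial DMZ, industrial protocol ports must not be reachable from the enterprise zone, and no rule may open every port into OT. The zone ranges, rule format, finding codes and sample rules are constructed for this illustration; the port-to-protocol assignments are the well-known ones.

```python
"""Audit firewall rules for IT/OT segmentation gaps (added illustration).

Zoning model, rule format and sample rules are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Set, Tuple

# Constructed zoning model: Purdue levels collapsed into four zones.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),     # Level 4/5: corporate IT
    "dmz":        ip_network("10.10.0.0/24"),    # Level 3.5: industrial DMZ
    "ot_site":    ip_network("192.168.0.0/16"),  # Level 2/3: SCADA, HMI, historian
    "ot_cell":    ip_network("172.16.0.0/16"),   # Level 0/1: PLCs and field devices
}
OT_ZONES = {"ot_site", "ot_cell"}
OUTSIDE_ZONES = {"enterprise", "unknown"}   # anything that is not DMZ or OT

# Traffic may cross only one trust boundary at a time; IT-to-OT flows are
# expected to terminate in the industrial DMZ rather than pass straight through.
ADJACENT = {
    frozenset({"enterprise", "dmz"}),
    frozenset({"dmz", "ot_site"}),
    frozenset({"ot_site", "ot_cell"}),
}

# Well-known industrial protocol ports that must never be exposed to IT.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # None means any destination port
    action: str           # "allow" or "deny"


def zones_overlapping(cidr: str) -> Set[str]:
    """Every zone the CIDR touches; a CIDR outside the model is 'unknown'."""
    net = ip_network(cidr, strict=False)
    hits = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    return hits or {"unknown"}


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, finding code, detail) for every risky allow rule."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # a deny rule cannot open a path
        for s in zones_overlapping(r.src):
            for d in zones_overlapping(r.dst):
                if s == d:
                    continue  # intra-zone traffic is out of scope here
                if frozenset({s, d}) not in ADJACENT:
                    findings.append((r.name, "BYPASSES_DMZ", f"{s} -> {d}"))
                if d in OT_ZONES and s in OUTSIDE_ZONES and (
                        r.port is None or r.port in ICS_PORTS):
                    proto = ICS_PORTS.get(r.port, "any port")
                    findings.append((r.name, "ICS_EXPOSED", f"{proto} reachable from {s}"))
                if d in OT_ZONES and r.port is None:
                    findings.append((r.name, "ANY_PORT_INTO_OT", f"{s} -> {d} on all ports"))
    return findings


# Constructed sample rule set: two sound rules, two segmentation failures, one deny.
SAMPLE_RULES = [
    Rule("allow-https-to-dmz",   "10.0.5.0/24",   "10.10.0.10/32",  443,  "allow"),
    Rule("dmz-opcua-to-site",    "10.10.0.10/32", "192.168.1.20/32", 4840, "allow"),
    Rule("it-modbus-to-site",    "10.0.0.0/16",   "192.168.0.0/16", 502,  "allow"),
    Rule("jumphost-any-to-cell", "10.0.7.5/32",   "172.16.0.0/16",  None, "allow"),
    Rule("deny-all",             "0.0.0.0/0",     "0.0.0.0/0",      None, "deny"),
]


def findings_by_rule(rules: List[Rule]) -> dict:
    """Group finding codes per rule name for reporting."""
    grouped = {}
    for name, code, _ in audit(rules):
        grouped.setdefault(name, set()).add(code)
    return grouped


if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE_RULES):
        print(f"{name:24s} {code:18s} {detail}")
```

The two compliant rules (enterprise to DMZ over HTTPS, DMZ gateway to the site-level OPC UA server) produce no findings; the direct Modbus allow from the whole enterprise range and the any-port jump-host rule into the controller zone are the kind of rules that let IT ransomware walk into OT, and each is flagged on every check it fails. In practice the rule list would be exported from the firewall rather than typed by hand, and the zone map would come from the site's asset inventory.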

Fortinet is driving the evolution of cybersecurity and the convergence of networking and security. Its mission is to secure people, devices and data everywhere, and it has the largest integrated portfolio of more than 50 enterprise-grade products. More than half a million customers use Fortinet's solutions, which are among the most deployed, most patented, and most validated in the industry.

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.
