Of the 905 global ransomware incidents impacting industrial organisations last year, 13 incidents involved Australian organisations. Several incidents, such as DP World Australia, brought into focus the possibility of cascading effects and impacts of ransomware on industrial operations, supply chains, and consumers.
“With each passing year, the number of ransomware incidents globally climbs even higher, leading to cascading impacts for virtually every industrial sector, particularly manufacturing,” said Dragos Asia Pacific area vice president Hayley Turner.
“Meanwhile, the number of vulnerabilities present in industrial control systems (ICS) continues to grow exponentially, along with the adversaries’ appetite to exploit them.”
Based on customer engagements across various industries within the past year, the electric, oil and gas, water, and manufacturing sectors made moderate improvements in their ICS/OT cybersecurity posture on average, but industrial organisations still struggle with password hygiene, and even more are unable to detect threats to their ICS/OT environment.
“Now is the time to take bigger strides,” continues Turner. “Addressing this challenge requires coordinated efforts from partners across Australia’s cybersecurity community and, when necessary, emergency measures to mitigate adverse effects on critical business operations and the communities they serve.”
Key vulnerability findings
In 2023, Dragos saw the emergence of three new threat groups, including Voltzite linked to Volt Typhoon, and found that ransomware continued to be the most reported cyber threat among industrial organisations with a nearly 50% increase in reported incidents. Globally, Dragos now tracks 21 threat groups engaged in OT operations in 2023.
Of the three new groups, Voltzite targets electric power generation, transmission, and distribution, and has also been observed targeting research, technology, defence industrial bases, satellite services, telecommunications, and educational organisations. The group overlaps with Volt Typhoon, a group that the US Government publicly linked to the People’s Republic of China. The group’s threat activities include living off the land techniques, prolonged surveillance, and data gathering aligned with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia Pacific region. They have traditionally targeted US-based facilities but have been seen targeting organisations in Africa and Southeast Asia.
Additional global findings include:
80% of vulnerabilities reside deep within the ICS network
16% of advisories were network exploitable and perimeter-facing
53% of the advisories analysed could cause both a loss of view and loss of control, up from 51% in 2022
31% of advisories contained errors and Dragos provided mitigations for 49% of the advisories that had none
Key ransomware findings
Ransomware remains the number one attack globally in the industrial sector, increasing 50% from 2022. Globally, Lockbit caused 25% of total industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9% each. The manufacturing sector continues to be the primary target of ransomware and accounted for 71% of all ransomware attacks. Ransomware groups do not explicitly target ICS and OT, but risks to these environments are introduced by precautionary operational shutdowns to limit the impact of an attack, flattened industrial networks, and the integration of ICS/OT kill processes into ransomware strains.
The Lockbit 3.0 compromise in November of DP World Australia, which handles 40% of goods coming in and out of Australia, led to the shutdown of land-side port operations for three days while the incident was contained. Though no ransomware was deployed in this case, it was not until 10 days after first detecting the incident that DP World Australia was able to clear 100% of the backlog, comprising 30,137 containers.
Threats to Australian infrastructure escalated
Australia’s Cyber and Infrastructure Security Centre (CISC) and a joint effort by agencies from the Five Eyes intelligence alliance shed light on the intensifying OT cyber threat landscape, with a sharp focus on foreign espionage and interference as prime threats to critical infrastructure.
The Australian Signals Directorate’s Annual Cyber Threat Report revealed a 50% jump in cyber incidents targeting such infrastructure, highlighting the alarming trend that these sectors are increasingly preyed upon out of motivation to gain geopolitical advantages. The involvement of sophisticated threat groups underscores the critical necessity for robust cybersecurity measures and the importance of private and public partnerships in Australia and internationally. Reinforcing cybersecurity defences and forging strong international alliances are paramount for safeguarding national interests and ensuring the resilience of critical infrastructure in the face of complex escalating threats.
Key steps taken to ensure security of Australia’s critical infrastructure
In 2023, the CISC advanced its efforts to bolster national cybersecurity and resilience, particularly in ICS/OT environments, where the challenge of detecting sophisticated threats is increasingly paramount. Key initiatives include the publication of critical infrastructure asset class definition guidance on 12 May 2023, aimed at enhancing operational resilience across 22 sectors, and the activation of the Critical Infrastructure Risk Management Program. The program, part of a trio of security obligations introduced by recent amendments to the Security of Critical Infrastructure Act 2018, alongside Mandatory Cyber Incident Reporting and the Critical Infrastructure Asset Register, marks a strategic endeavour to elevate Australia’s critical infrastructure security.
“These steps signal the urgency and importance of robust asset monitoring, intelligence-based detections for sophisticated threats, and a coordinated response to safeguard essential services that Australians rely upon,” concludes Turner.
As ICS/OT cybersecurity becomes a top priority, from boardrooms to the manufacturing floor, leaders and their teams must work together to implement programs and critical safeguards. A first step in implementing critical cybersecurity controls is achieving alignment on the key priorities. Dragos recommends that Australian organisations download the five critical controls for ICS/OT cybersecurity identified by the SANS Institute.
The Australian 2023 Dragos OT Cybersecurity Year in Review report, and the accompanying executive summary, can be downloaded here.
About Dragos
Dragos has a global mission to safeguard civilisation from those trying to disrupt the industrial infrastructure we depend on every day. The Dragos Platform offers the most effective industrial cybersecurity technology, giving customers visibility into their ICS/OT assets, vulnerabilities, threats, and response actions. The strength behind the Dragos Platform comes from our ability to codify Dragos’s industry-leading OT threat intelligence, and insights from the Dragos services team, into the software. Our community-focused approach gives you access to the largest array of industrial organisations participating in collective defence, with the broadest visibility available. Our solutions protect organisations across a range of industries, including electric, oil & gas, manufacturing, building automation systems, chemical, government, water, food & beverage, mining, transportation, and pharmaceutical. Dragos is privately held and headquartered in the Washington, DC area with regional presence around the world, including Canada, Australia, New Zealand, Europe, and the Middle East.