Contextualizing OT Cybersecurity: Attacks & the price of recovery

OT systems are rigid, deterministic, and complex. They are not as dynamic as IT systems. The critical infrastructure in today’s digitally connected world depends on OT networks which include several devices working together as one system. The failure of even one component is going to have a disastrous ripple effect on other systems. Industrial systems are becoming more and more connected. While this has given a competitive advantage to organizations, these technologies have exposed critical infrastructure to cybersecurity attacks.

There has been an overall increase in OT cybersecurity attacks and breaches. In 2019, IBM reported a staggering 2000% increase in cybersecurity incidents against OT and predicted a  30% increase every year.  In 2020, there were around 32,000 cyber attacks with 4000 breaches. In 2021, total attacks stood at 29,000 but breaches increased to around 5200. There were 585 attacks and 270 breaches in the manufacturing sector. By comparison, there were 48 attacks and 20 breaches in the utility sector. Large scale industrial sector is more vulnerable to being attacked as can be seen by the recent attacks on Colonial Pipeline, JBS Foods, and the Oldsmar, Florida water treatment facility. There was a high proportion of ransomware attacks on the manufacturing sector as they could not afford to have unplanned downtime, and threat actors exploited this vulnerability.

In the past, it was difficult for cyber attackers to access OT systems because of airgaps. Today, industrial systems are connected to corporate networks with the internet which use everything from connected sensors to big data analytics. The OT/IT convergence, with all the advantages on offer, has also brought about an increase in cyber risks. Moreover, hackers have become more sophisticated and resourceful with emerging technologies.

According to Claroty’s third Biannual ICS Risk & Vulnerability Report, there has been a staggering increase in ICS vulnerabilities. 637 ICS vulnerabilities were reported in the first half of 2021 and in 2020 there were 449 vulnerabilities. There has been a 41% increase in overall vulnerabilities, around 71% of these are classified as critical and 90% are of low complexity. Low complexity vulnerabilities don’t have any special conditions and can occur again.

Industrial environments keep equipment with long lifecycles, which work at full capacity and require little downtime. There are still some OT systems that have components that must be 20-30 years old. These are referred to as OT legacy systems and are the most vulnerable systems as they might be using older software that is no longer secure or supported. These systems have inadequate security measures, and it becomes increasingly difficult to integrate them with modern solutions increasing the risk for attacks.  The figure below shows that the largest number of vulnerabilities exist in operations, basic control, supervisory control, and network devices.

According to the World Economic Forum, the average cost of cyber-attacks varies with the type of attacks; the average cost of malware and web-based cyber-attacks is $1.4 million, the average cost of Denial-of-Service is $1.1 million, and the average cost of attacks due to malicious insiders is $1.2 million. A report published by Ponemon Institute shows that an average OT cybersecurity attack costs around $3 million and according to IBM this average attack cost $4.24 million. According to Cybersecurity Ventures, global ransomware damages amounted to $20 billion and are expected to reach 265 billion by 2031. In 2021 it was predicted that a ransomware attack occurred every 11 seconds and by 2031, ransomware will attack a business, device, or consumer every 2 seconds!

The table below shows that on average, it took organizations 170 days to detect an incident, 66 days to investigate it, and 80 days to remediate the incident. According to these calculations, it would cost an organization nearly $1 million in labor alone to get a team of six members to detect, investigate, and remediate an incident. With this, it will take $2 million for downtime, legal costs, regulatory fines, and equipment replacement, resulting in an average total cost of approximately $3 million.

Organizations need to realize that OT cyberattacks not only cause financial losses, but there could also be loss of property, reputational damage, permanent and irreversible damage to personnel, the environment, and even national security. It has become imperative for organizations to implement OT Cybersecurity programs before it is too late.