Ransomware attacks on the operational technology (OT) and industrial control systems (ICS) that run industrial facilities almost doubled in 2024. According to Washington DC-based industrial cybersecurity company Dragos, ransomware attacks on industrial organizations in 2024 increased by a staggering 87 percent over the previous year.
The main industries targeted were: electricity and water; industrial manufacturing; telecommunications; oil and gas; food and beverage; chemical manufacturing; mining, transportation, and logistics. Manufacturing, which accounted for 69 percent of all ransomware attacks targeting 1,171 manufacturing entities, was by far the worst hit.
The underlying problem is that industrial systems weren’t built with cybersecurity in mind, as they were originally isolated from the internet. This is no longer the case, allowing threat actors to exploit long-term vulnerabilities.
“From unpatchable flaws to design limitations, these vulnerabilities create openings for adversaries to disrupt operations or gain initial access,” says Dragos.
Barrier to entry lowers for adversaries worldwide
Another reason for the rapid rise in attacks last year is the continued lowering of the barrier to entry for adversaries targeting OT and ICS systems. Adversaries, who are frequently politically motivated, now view this as an effective attack vector to achieve disruption and have a growing choice of available tools with which to execute their attacks.
For example, Blackjack’s Fuxnet malware, discovered in April last, although rudimentary compared to more sophisticated ICS-capable malware like PIPEDREAM, signaled a growing awareness of the impact that disruptive attacks on OT networks can have. BAUXITE malware, for instance, targeted vulnerable Sophos firewalls from April 2024 to May 2024, impacting chemical, food and beverage, and water and wastewater industries. Dragos reported that it conducted an incident response to a US oil and natural gas organization where BAUXITE compromised Sophos firewalls at oil rig sites. According to Dragos, Sophos devices are found in North America in oil, natural gas, and electric utilities.
Ransomware compromises accounted for the majority of cases that Dragos responded to worldwide, with 25 percent resulting in a complete shutdown of an OT site, and 75 percent resulting in at least some disruption to operations.
Geopolitical tensions fuel rise in attacks on industry
Dragos tracked nearly 80 ransomware groups worldwide in 2024, a 60 percent increase from the 50 groups observed in 2023. Collectively, these groups attacked an average of 34 industrial organizations per week. A sharp rise in ransomware attacks against industrial organizations was observed in 2022. Since then, the number of attacks has doubled year over year, largely fuelled by rising political tensions across the world.
“The cybersecurity threat landscape in 2024 was shaped by escalating geopolitical tensions and their intersection with industrial operations globally. From persistent campaigns by mature threat groups to opportunistic attacks by hacktivists or ransomware operators, adversaries demonstrated a growing awareness of OT/ICS environments as potential attack vectors to achieve their goals,” says Dragos
It is essential that industrial organizations implement strong incident response capabilities and defensible architectures. Secure remote access protocols and robust network monitoring are far better positioned to reduce the risk of a successful attack on OT systems – even in this increasingly complex and threatening environment.
