Dragos Fingers Four Distinct New ICS Activity Groups
February 25, 2021
Dragos released its annual ICS 2020 Year in Review (YIR) report.
The Dragos YIR report is an annual analysis of ICS/OT-focused cyber
threats, vulnerabilities, assessments, and incident response
insights.
“In 2020, the industrial community performed amazing feats to keep
civilization running under challenging circumstances through a
global pandemic,” said Robert M. Lee, Chief Executive Officer and
Co-Founder of Dragos, Inc. “A universal impact of this effort is the
acceleration of businesses operating in a hyperconnected industrial
environment. Data from our YIR report shows that this trend
corresponds with a 3X rise in ICS-focused threats. The convergence
of an increasingly ICS-aware and capable threat landscape with the
trend towards more network connectivity means that the practical
observations and lessons learned contained in our 2020 YIR report
are timely as the community continues to work to provide safe and
reliable operations.”
Dragos’s annual YIR report has been designed since its inception in
2017 to share data-informed observations and lessons learned with
the industrial community for their independent analysis and
consideration. For many years, the community has struggled with a
lack of publicly available insights into cyber threats,
vulnerabilities, assessments, and incident response incidents, which
has made it difficult to have a meaningful dialog on how best to
address these issues. To make the YIR report conclusions accessible
to as wide an audience as possible, an all-new, interactive ICS
Cybersecurity Year in Review web page has been developed and
launched for 2020. This resource will enable the industrial
community to better visualize the data and key takeaways.
Details of 2020 Year in Review:
ICS Threat Landscape Highlights: ICS threat activity continues to
rise – both in terms of the number of distinct groups Dragos is
tracking and the industries and regions that they are targeting.
Dragos analysts identified four distinct new ICS Activity Groups
primarily targeting energy and manufacturing, known as KAMACITE,
STIBNITE, TALONITE, and VANADINITE. The eleven previously identified
Activity Groups were also observed expanding their targeting to new
sectors and regions, as well as modifying their behaviors, with many
seeking to exploit the tectonic shift to remote work to gain access
to industrial networks.
ICS Vulnerability Highlights: Dragos researchers analyzed 703
ICS/OT vulnerabilities in 2020, a 29 percent increase over 2019,
demonstrating the rise in publicly known flaws in systems supporting
industrial operations. Analysis of these vulnerabilities and related
advisories found that a slim minority could be classified as flaws
that require immediate action, such as critical vulnerabilities
that are perimeter-facing and network-exploitable.
Lessons Learned from the Front Lines: Based on a growing set
of data gathered from annual service engagements conducted by
Dragos’s cybersecurity experts across multiple industries (electric,
oil and gas, food and agriculture, manufacturing, chemical,
transportation, water and wastewater, building automation equipment,
mining, etc.), Dragos found that 90% of its services clients had
little to no visibility into their ICS environments. While most
clients demonstrated a focus on an enhanced asset inventory, this
effort is only the foundation for asset visibility. Many customers
only monitored the IT to OT boundary without monitoring activity
inside the ICS network.
Recommendations for Improvement:
As organizations strategize a path forward, Dragos recommends five
key OT cybersecurity initiatives to improve in 2021 and beyond.
These are based on the empirical evidence provided throughout the
report.
The top 5 recommendations to enhance the security of an ICS environment
are:
Increase OT Network Visibility
Identify & Prioritize Crown Jewels
Boost Incident Response Capabilities
Validate Network Segmentation
Secure Credential Management