Operational Technology (OT) systems have become prime targets for cyber attackers. These systems are essential to industrial processes, and when compromised, they can disrupt critical infrastructure and essential services, lead to significant financial losses, and jeopardize public safety.
Waterfall Security Solutions released their 2024 Threat Report. In 2023, they documented 68 cyberattacks that crippled over 500 physical operations, a 19% increase from the previous year. While a 19% increase might not seem alarming, there's more to the story...
Although ransomware attacks causing physical damage appear to have slightly decreased, Waterfall's report suggests this may be due to underreporting rather than an actual reduction in incidents. Hacktivist attacks remain constant, while other types of attacks are increasing. The report's authors believe the 19% increase may just be a temporary fluctuation, and they are anticipating a much larger surge in 2024 and beyond—potentially a 90% to 100% increase.
Fortinet’s 2024 State of Operational Technology and Cybersecurity Report surveyed over 500 OT professionals to identify the top security concerns for the future. Three major trends emerged:
- Intrusions and their impacts on organizations have worsened over the past year.
- Responsibility for OT cybersecurity is elevating within executive leadership ranks.
- OT security postures are maturing in key areas, but this remains a work in progress.
Bottom line: OT security is becoming increasingly complex. As NIST points out, “While security solutions have been designed to deal with these issues in typical IT systems, special precautions must be taken when introducing these same solutions to OT environments. In some cases, new security solutions that are tailored to the OT environment are needed.” 1
Both Waterfall and Fortinet’s reports highlight future concerns in OT security. Now, let's focus on five recent and notable OT cyber breaches. We’ll examine how these attacks unfolded, the actions taken by the attackers, and offer strategies for organizations to defend against similar threats.
1. Tata Power Cyber Attack (2022)
How the Attack Occurred: In October 2022, Tata Power, one of India's largest power generation and distribution companies, suffered a significant cyberattack orchestrated by the Hive ransomware group. The Hive ransomware group targeted Tata Power's IT systems, encrypting data and demanding a ransom for decryption. The attack disrupted internal operations but did not affect the power supply to customers.
The attackers first gained access to Tata Power's IT infrastructure and deployed ransomware. They proceeded to encrypt critical data and systems, making them inaccessible. In addition to encrypting the data, the attackers exfiltrated sensitive information, including employee records, customer details, financial documents, engineering drawings, and private keys. When Tata Power did not meet the ransom demand, the attackers released a portion of the stolen data on the dark web. Private keys are now among the most sought-after credentials on the dark web.
2. Oldsmar Water Treatment Plant Attack (2021)
How the Attack Occurred: In February 2021, attackers targeted a water treatment plant in Oldsmar, Florida, attempting to poison the water supply by increasing the levels of sodium hydroxide (lye). The attackers gained access via a remote desktop application used for managing the plant’s systems.

The attackers initially exploited a weak password to gain access to the remote desktop software. Once inside, they attempted to manipulate the water treatment process by raising the sodium hydroxide setpoint to dangerously high levels. Fortunately, an alert operator detected these changes in real time and promptly reverted them, preventing any potential harm. This is another example of poor credential hygiene.
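The Oldsmar change was caught by a human watching the screen. To show what the same check looks like when automated, here is an added example (not code from the original post or from the plant) of a setpoint-change monitor that flags a dosing setpoint leaving its safe envelope, jumping by more than an operator would normally enter, or arriving over remote access; the tag name, limits and sample events are constructed for illustration.

```python
"""Setpoint-change monitor for a chemical dosing loop (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed safe operating envelope for the lye (NaOH) dosing setpoint, in ppm.
# Real limits come from the plant's process engineers; these are illustrative only.
SAFE_MIN_PPM = 50.0
SAFE_MAX_PPM = 200.0
MAX_STEP_PPM = 25.0   # largest single change an operator is expected to make


@dataclass(frozen=True)
class SetpointEvent:
    ts: int          # epoch seconds of the write
    tag: str         # PLC/HMI tag name (constructed)
    old: float       # value before the write
    new: float       # value after the write
    source: str      # "hmi_local" or "remote_desktop" (constructed labels)


def check_event(ev: SetpointEvent) -> List[str]:
    """Return the names of the rules this write violates (empty list if benign)."""
    hits = []
    if not SAFE_MIN_PPM <= ev.new <= SAFE_MAX_PPM:
        hits.append("out_of_envelope")
    if abs(ev.new - ev.old) > MAX_STEP_PPM:
        hits.append("step_too_large")
    # A suspicious write that came in over remote access deserves higher priority.
    if hits and ev.source == "remote_desktop":
        hits.append("remote_origin")
    return hits


def scan(events: List[SetpointEvent]) -> List[Tuple[int, str, float, List[str]]]:
    """Return one alert tuple (ts, tag, new value, rules hit) per offending write."""
    alerts = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            alerts.append((ev.ts, ev.tag, ev.new, hits))
    return alerts


# Constructed sample events: a routine local tweak, then a remote write that jumps
# the setpoint far outside the envelope, as in the Oldsmar incident described above.
SAMPLE = [
    SetpointEvent(1612540000, "NaOH_DOSE_SP", 100.0, 110.0, "hmi_local"),
    SetpointEvent(1612543600, "NaOH_DOSE_SP", 110.0, 11100.0, "remote_desktop"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

In a real deployment the events would come from HMI audit logs or a protocol-level tap rather than a hard-coded list, and the alert would go to the SOC as well as the control room.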
3. Toyota Motors Manufacturing Plant Attack (2022)
How the Attack Occurred: In February 2022, an attack on Toyota Motor parts and components supplier Kojima Industries forced the automaker to suspend operations in 28 production lines across 14 plants in Japan for at least a day. The fallout from the attack – which also affected Hino and Daihatsu Motors – was massive, with Toyota announcing that it had to temporarily reduce production by 5% – a third of its global output.

The attackers initially infiltrated Kojima Industries by deploying ransomware, which compromised critical systems essential for production management. This breach led to a disruption in Toyota's supply chain, forcing the automaker to halt operations at 14 domestic plants. As a result, approximately 13,000 vehicles were affected due to the interruption in the just-in-time manufacturing process.
4. Bridgestone Tire Facilities Attack (2022)
How the Attack Occurred: In February 2022, Bridgestone, a global leader in tire manufacturing, experienced a significant cyberattack executed by the LockBit 2.0 ransomware group. The attackers infiltrated Bridgestone’s network, encrypted data, and demanded a ransom for decryption. The cyberattack forced Bridgestone to shut down its computer network across multiple manufacturing and retreading facilities in North America and Latin America. This resulted in operational disruptions, affecting the company’s ability to manufacture and distribute products.

The attackers encrypted critical operational and business data, making it inaccessible. This ransomware attack caused Bridgestone to shut down its computer network across multiple facilities. The attackers then demanded a ransom for decryption, threatening to release sensitive information if the payment was not made.
5. Danish State Railways (2022)
How the Attack Occurred: On November 5, 2022, all trains operated by Danish State Railways (DSB), the country's largest rail operating company, were halted for several hours. This incident, rooted in a security breach at one of DSB’s service providers, underscores the interconnected vulnerabilities within the transportation sector. The security incident originated at Supeo, a Danish company that provides services to railway companies, including DSB. Supeo supplies DSB with a train driver application critical for accessing operational information. Following a cyberattack on Supeo, the service provider decided to shut down its servers, blocking the services they provide to DSB and forcing all trains to stop.
The attackers targeted Supeo, exploiting vulnerabilities within its systems. This breach compromised the train driver application used by DSB for operational information. In response, Supeo shut down its servers to contain the breach, which led to DSB halting all train operations and causing several hours of service disruption.
Conclusion
The past few years have shown that OT systems face increasingly sophisticated and coordinated cyberattacks. By examining how these attacks happened and what the attackers did, organizations can better prepare to protect their critical infrastructure. Key steps like implementing multi-factor authentication for users and machines, network segmentation, real-time monitoring, and thorough employee training are crucial for defending against these evolving threats. Embracing a comprehensive security strategy and fostering a strong culture of cybersecurity awareness will go a long way in ensuring that operational technology systems remain resilient and secure against future attacks.
At Corsha, we make it simple to secure the automated communication that powers operational systems. Our patented machine-identity platform is purpose-built for operational systems, continuously discovering, verifying, and controlling every connection across controllers, sensors, robots, and industrial workloads. By establishing trusted identity and ensuring real-time verification for machines, Corsha strengthens resilience, reduces lateral-movement risk, and helps scale automation and modernization programs. Get a demo to see how it works in your environment.
1 NIST SP 800-82 Rev. 3