Operational Technology (OT) systems have become prime targets for cyber attackers. These systems are essential to industrial processes, and when compromised, they can disrupt critical infrastructure and essential services, lead to significant financial losses, and jeopardize public safety.
Waterfall Security Solutions recently released their 2024 Threat Report. In 2023, they documented 68 cyberattacks that crippled over 500 physical operations, a 19% increase from the previous year. While a 19% increase might not seem alarming, there's more to the story...
Although ransomware attacks causing physical damage appear to have slightly decreased, Waterfall's report suggests this may be due to underreporting rather than an actual reduction in incidents. Hacktivist attacks remain constant, while other types of attacks are increasing. The report's authors believe the 19% increase may just be a temporary fluctuation, and they are anticipating a much larger surge in 2024 and beyond—potentially a 90% to 100% increase.
Fortinet’s 2024 State of Operational Technology and Cybersecurity Report surveyed over 500 OT professionals to identify the top security concerns for the future. Three major trends emerged:
- Intrusions and their impacts on organizations have worsened over the past year.
- Responsibility for OT cybersecurity is elevating within executive leadership ranks.
- OT security postures are maturing in key areas, but this remains a work in progress.
Bottom line: OT security is becoming increasingly complex. As NIST points out, “While security solutions have been designed to deal with these issues in typical IT systems, special precautions must be taken when introducing these same solutions to OT environments. In some cases, new security solutions that are tailored to the OT environment are needed.” [1]
Both Waterfall and Fortinet’s reports highlight future concerns in OT security. Now, let's focus on five recent and notable OT cyber breaches. We’ll examine how these attacks unfolded, the actions taken by the attackers, and offer strategies for organizations to defend against similar threats.
1. Tata Power Cyber Attack (2022)
How the Attack Occurred: In October 2022, Tata Power, one of India's largest power generation and distribution companies, suffered a significant cyberattack orchestrated by the Hive ransomware group. The Hive ransomware group targeted Tata Power's IT systems, encrypting data and demanding a ransom for decryption. The attack disrupted internal operations but did not affect the power supply to customers.
The attackers first gained access to Tata Power's IT infrastructure and deployed ransomware. They proceeded to encrypt critical data and systems, making them inaccessible. In addition to encrypting the data, the attackers exfiltrated sensitive information, including employee records, customer details, financial documents, engineering drawings, and private keys. When Tata Power did not meet the ransom demand, the attackers released a portion of the stolen data on the dark web. Private keys are now among the most sought-after credentials on the dark web.
2. Oldsmar Water Treatment Plant Attack (2021)
How the Attack Occurred: In February 2021, attackers targeted a water treatment plant in Oldsmar, Florida, attempting to poison the water supply by increasing the levels of sodium hydroxide (lye). The attackers gained access via a remote desktop application used for managing the plant’s systems.
The attackers initially exploited a weak password to gain access to the remote desktop software. Once inside, they attempted to manipulate the water treatment process by raising the sodium hydroxide setpoint to a dangerously high level. Fortunately, an alert operator detected the change in real time and promptly reverted it, preventing any potential harm. This is another example of poor credential hygiene.
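The Oldsmar incident hinged on an operator noticing an out-of-range setpoint change. As an added example that is not part of the original post, the following detector replays HMI setpoint-change audit lines and flags changes that leave their safe band or jump abruptly; the log format, tag names, sample values and safe bands are assumptions constructed for illustration, not any vendor's real format.

```python
import re
from dataclasses import dataclass

# Constructed HMI audit log (hypothetical format, not from any real vendor).
# The second line mimics a remote session pushing a dosing setpoint far outside normal range.
SAMPLE_LOG = """\
2021-02-05T08:02:11Z user=operator1 src=console tag=NaOH_SETPOINT_PPM old=100 new=100
2021-02-05T13:31:45Z user=operator1 src=remote tag=NaOH_SETPOINT_PPM old=100 new=11100
2021-02-05T13:35:02Z user=operator1 src=console tag=NaOH_SETPOINT_PPM old=11100 new=100
2021-02-05T14:00:00Z user=svc_backup src=remote tag=PUMP2_SPEED_PCT old=40 new=45
"""

# Assumed safe operating bands per tag; a real deployment takes these from process engineering.
SAFE_BANDS = {"NaOH_SETPOINT_PPM": (50.0, 200.0), "PUMP2_SPEED_PCT": (0.0, 100.0)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) tag=(?P<tag>\S+) "
    r"old=(?P<old>-?\d+(?:\.\d+)?) new=(?P<new>-?\d+(?:\.\d+)?)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str          # "remote" changes deserve a closer look than console changes
    tag: str
    new_value: float
    reasons: tuple    # why the change was flagged

def analyze(log_text: str, bands=SAFE_BANDS, max_step_ratio: float = 2.0) -> list:
    """Return an Alert for every setpoint change that leaves its safe band or jumps too far."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; a production tool would count these
        old, new = float(m["old"]), float(m["new"])
        if old == new:
            continue  # no actual change
        reasons = []
        lo, hi = bands.get(m["tag"], (float("-inf"), float("inf")))
        if not lo <= new <= hi:
            reasons.append("out_of_band")
        # Large steps in either direction are suspicious, including the revert of a bad value.
        if old > 0 and new > 0 and max(new / old, old / new) > max_step_ratio:
            reasons.append("large_step")
        if reasons:
            alerts.append(Alert(m["ts"], m["user"], m["src"], m["tag"], new, tuple(reasons)))
    return alerts
```

Routing these alerts to an operator console or SIEM provides the real-time visibility that, at Oldsmar, depended on someone happening to watch the screen.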
3. Toyota Motors Manufacturing Plant Attack (2022)
How the Attack Occurred: In February 2022, an attack on Toyota Motor parts and components supplier Kojima Industries forced the automaker to suspend operations on 28 production lines across 14 plants in Japan for at least a day. The fallout from the attack – which also affected Hino and Daihatsu Motors – was massive, with Toyota announcing that it had to temporarily reduce production by 5% – a third of its global output.
The attackers initially infiltrated Kojima Industries by deploying ransomware, which compromised critical systems essential for production management. This breach led to a disruption in Toyota's supply chain, forcing the automaker to halt operations at 14 domestic plants. As a result, approximately 13,000 vehicles were affected due to the interruption in the just-in-time manufacturing process.
4. Bridgestone Tire Facilities Attack (2022)
How the Attack Occurred: In February 2022, Bridgestone, a global leader in tire manufacturing, experienced a significant cyberattack executed by the LockBit 2.0 ransomware group. The attackers infiltrated Bridgestone’s network, encrypted data, and demanded a ransom for decryption. The cyberattack forced Bridgestone to shut down its computer network across multiple manufacturing and retreading facilities in North America and Latin America. This resulted in operational disruptions, affecting the company’s ability to manufacture and distribute products.
The attackers encrypted critical operational and business data, making it inaccessible, and demanded a ransom for decryption while threatening to release sensitive information if the payment was not made.
5. Danish State Railways (2022)
How the Attack Occurred: On November 5, 2022, all trains operated by Danish State Railways (DSB), the country's largest rail operating company, were halted for several hours. This incident, rooted in a security breach at one of DSB’s service providers, underscores the interconnected vulnerabilities within the transportation sector. The security incident originated at Supeo, a Danish company that provides services to railway companies, including DSB. Supeo supplies DSB with a train driver application critical for accessing operational information. Following a cyberattack on Supeo, the service provider decided to shut down its servers, blocking the services they provide to DSB and forcing all trains to stop.
The attackers targeted Supeo, exploiting vulnerabilities within its systems. This breach compromised the train driver application used by DSB for operational information. In response, Supeo shut down its servers to contain the breach, which led to DSB halting all train operations and causing several hours of service disruption.
Conclusion
The past few years have shown that OT systems face increasingly sophisticated and coordinated cyber attacks. By examining how these attacks happened and what the attackers did, organizations can better prepare to protect their critical infrastructure. Key steps like implementing multi-factor authentication for users and machines, network segmentation, real-time monitoring, and thorough employee training are crucial for defending against these evolving threats. Embracing a comprehensive security strategy and fostering a strong culture of cybersecurity awareness will go a long way in ensuring that operational technology systems remain resilient and secure against future attacks.
[1] NIST SP 800-82 Rev. 3
About Robert Birdsong
Robert Birdsong serves as Corsha's Chief Marketing Officer. He has twenty years of go-to-market leadership experience with over a decade in early stage SaaS startups. Robert frequently contributes to blogs covering tech and non-tech subjects.
About Corsha
Corsha is an Identity Provider for Machines that allows an enterprise to securely connect, move data, and automate with confidence from anywhere to anywhere.
Corsha’s mission is to secure data in motion and bring zero trust to machines, systems, and services. Today, Ops and security teams are often forced to compromise by using static, long-lived API keys, tokens, and certificates as weak proxies for non-human identity and access. Corsha helps teams move past static secrets and generates dynamic identities for trusted machines, bringing innovations like automated, single-use MFA credentials, scheduled access, and deep discovery to machine-to-machine communications. The Identity Provider also offers visibility and control over automated API traffic and enables real-time revocation and rotation of identity without disrupting other workloads.
Whether it is across hybrid cloud infrastructure, data centers, or manufacturing shop floors, Corsha reimagines machine identity to keep pace with the scale of data and automation needed today. We ensure automated communication from anywhere to anywhere is pinned to only trusted microservices, workloads, servers, controllers, and more. The use of API keys, tokens, and certificates for authentication is a weak proxy for machine identity today, proving to be costly, risky, and incomplete. Corsha’s Identity Platform helps an organization move past these outdated secrets management approaches and unlock secure connectivity and data movement at scale.