The latest Nozomi Networks Labs OT & IoT Security Report finds that network anomalies and attacks were the most prevalent threat to OT and IoT environments. Vulnerabilities within critical manufacturing also surged 230%, a cause for concern as threat actors have far more opportunities to access networks and cause these anomalies.
Real World Telemetry
Unique telemetry from Nozomi Networks Labs, collected from OT and IoT environments covering a variety of use cases and industries across 25 countries, finds that network anomalies and attacks represented the most significant portion (38%) of threats during the second half of 2023. The most concerning of these network anomalies, which can indicate the involvement of highly sophisticated threat actors, increased 19% over the previous reporting period.
"Network scans" topped the list of Network Anomalies and Attacks alerts, followed closely by "TCP flood" attacks, which involve sending large amounts of traffic to systems with the aim of bringing those systems down or making them inaccessible. "TCP flood" and "anomalous packets" alert types exhibited significant increases in both total alerts and averages per customer in the last six months, increasing more than 2x and 6x respectively.
"These trends should serve as a warning that attackers are adopting more sophisticated methods to directly target critical infrastructure, and could be indicative of rising global hostilities," said Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks. "The significant uptick in anomalies could mean that the threat actors are getting past the first line of defense while penetrating deeper than many would have initially believed, which would require a high level of sophistication. The defenders have gotten better at protecting against the basics, but these alerts tell us that the attackers are quickly evolving in order to bypass them."
Alerts on access control and authorization threats jumped 123% over the previous reporting period. In this category, "multiple unsuccessful logins" and "brute force attack" alerts increased 71% and 14% respectively. This trend highlights the continued challenge posed by unauthorized access attempts, showing that weaknesses in identity and access management in OT, and other challenges associated with user passwords, persist.
Below is the list of top critical threat activity seen in real-world environments over the last six months:
1. Network Anomalies and Attacks - 38% of all alerts
2. Authentication and Password Issues - 19% of all alerts
3. Access Control and Authorization Problems - 10% of all alerts
4. Operational Technology (OT) Specific Threats - 7% of all alerts
5. Suspicious or Unexpected Network Behavior - 6% of all alerts
ICS Vulnerabilities
With this spike in network anomalies top of mind, Nozomi Networks Labs has detailed the industries that should be on highest alert, based on analysis of all ICS security advisories released by CISA over the past six months. Manufacturing topped the list, with the number of Common Vulnerabilities and Exposures (CVEs) in that sector rising to 621, an alarming 230% increase over the previous reporting period. Manufacturing, Energy and Water/Wastewater remained the most vulnerable industries for a third consecutive reporting period, though the total number of vulnerabilities reported in the Energy sector dropped 46% and Water/Wastewater vulnerabilities dropped 16%. Commercial Facilities and Communications moved into the top five, replacing Food & Agriculture and Chemicals (which both dropped out of the top 10). Of note, Healthcare & Public Health, Government Facilities, Transportation Systems and Emergency Services all made the top 10. In the second half of last year:
- CISA released 196 new ICS advisories covering 885 Common Vulnerabilities and Exposures (CVEs), up 38% over the previous six-month period
- 74 vendors were impacted, up 19%
- Out-of-Bounds Read and Out-of-Bounds Write vulnerabilities remained in the top CWEs for the second consecutive reporting period; both are susceptible to several different attacks, including buffer overflow attacks
Data from IoT Honeypots
Nozomi Networks Labs also analyzed a wealth of data on malicious activities against IoT devices, revealing several notable trends for these industries to consider. According to the findings, malicious IoT botnets remain active this year, and botnets continue to use default credentials in attempts to access IoT devices.
From July through December 2023, Nozomi Networks honeypots found:
- An average of 712 unique attacks daily (a 12% decline from the daily average seen in the previous reporting period); the highest attack day hit 1,860 on October 6.
- Top attacker IP addresses were associated with China, the United States, South Korea, India and Brazil.
- Brute-force attempts remain a popular technique to gain system access, and default credentials remain one of the main ways threat actors gain access to IoT. Remote Code Execution (RCE) also remains a popular technique, frequently used in targeted attacks as well as in the propagation of various types of malicious software.
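The two access-control findings above ("multiple unsuccessful logins" alerts and default-credential brute forcing against IoT devices) are the kind of thing a honeypot or an OT monitoring sensor detects from plain login records. The following is an added example written for this page, not code from Nozomi Networks or its report: a small detector that reads constructed honeypot-style login lines, flags attempts that use factory-default credential pairs, raises a "multiple unsuccessful logins" alert when one source exceeds a failure threshold inside a sliding window, and summarises unique attacking sources per day the way the honeypot statistics above are expressed. The log format, the source addresses (RFC 5737 documentation ranges), the credential list, the threshold and the window are all assumptions.

```python
"""
Added example (not from the Nozomi Networks report): detect default-credential
attempts and repeated login failures in constructed honeypot login records.
Log format, addresses, credential list, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp> <src_ip> <username> <password> <result>"
SAMPLE_LOG = """\
2023-10-06T10:00:01 203.0.113.7 admin admin FAIL
2023-10-06T10:00:02 203.0.113.7 root root FAIL
2023-10-06T10:00:03 203.0.113.7 admin 1234 FAIL
2023-10-06T10:00:04 203.0.113.7 admin password FAIL
2023-10-06T10:00:05 203.0.113.7 admin 12345 FAIL
2023-10-06T10:00:06 203.0.113.7 user user FAIL
2023-10-06T10:00:07 203.0.113.7 admin admin123 FAIL
2023-10-06T10:05:00 198.51.100.4 operator Correct-Horse FAIL
2023-10-06T10:05:30 198.51.100.4 operator Correct-Horse! OK
2023-10-06T11:00:00 192.0.2.9 admin admin OK
"""

# Assumed factory-default pairs; a real deployment would take these from vendor documentation.
DEFAULT_CREDS = {
    ("admin", "admin"), ("root", "root"), ("user", "user"),
    ("admin", "1234"), ("admin", "password"),
}

FAIL_THRESHOLD = 5          # failures from one source that trigger an alert (assumed)
WINDOW = timedelta(minutes=1)  # sliding window for counting those failures (assumed)


def parse_line(line):
    """Split one record into (timestamp, src_ip, username, password, result)."""
    ts, ip, user, pw, result = line.split()
    return datetime.fromisoformat(ts), ip, user, pw, result


def detect(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (alert_type, src_ip, detail) tuples in log order."""
    alerts = []
    fails = defaultdict(list)   # src_ip -> timestamps of recent failures
    already_alerted = set()     # sources that already raised the repeated-failure alert
    for line in log_text.strip().splitlines():
        ts, ip, user, pw, result = parse_line(line)
        if (user, pw) in DEFAULT_CREDS:
            # Flag every use of a default pair, successful or not: a success with
            # default credentials is a device that was never re-provisioned.
            alerts.append(("default_credential_attempt", ip, f"{user}:{pw} -> {result}"))
        if result == "FAIL":
            # Keep only failures that fall inside the window ending at this record.
            fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
            if len(fails[ip]) >= fail_threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append(("multiple_unsuccessful_logins", ip,
                               f"{len(fails[ip])} failures within {window}"))
    return alerts


def daily_unique_sources(log_text):
    """Map each calendar day to the number of distinct source addresses seen."""
    per_day = defaultdict(set)
    for line in log_text.strip().splitlines():
        ts, ip, *_ = parse_line(line)
        per_day[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in per_day.items()}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(daily_unique_sources(SAMPLE_LOG))
```

Run as written, the detector raises one "multiple_unsuccessful_logins" alert for 203.0.113.7 (its fifth failure lands inside the one-minute window) and six default-credential alerts, including the successful login from 192.0.2.9, while the operator who mistyped a password once is left alone; the per-day summary counts three distinct sources on 2023-10-06. The per-source sliding window matters because a single fixed counter per day would fire on the slow, legitimate failures of real users while letting a burst finish before anyone looks.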
Nozomi Networks Labs' "OT & IoT Security Report: Assessing the Threat Landscape" provides security professionals with the latest insights needed to re-evaluate risk models and security initiatives, along with actionable recommendations for securing critical infrastructure.