Electricity, oil and gas and other critical infrastructure vital to our everyday lives is increasingly at risk from cyber attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services.
A report from cybersecurity company Dragos details ten different hacking operations which are known to have actively targeted industrial systems in North America and Europe – and it warns that this activity is likely to grow in the next 12 months.
The list includes several state-backed hacking operations, such as Electrum – also known as Sandworm – which is linked to the Russian military, Covellite, which is linked to North Korea's Lazarus Group, and Vanadinite, which is linked to APT 41, a hacking operation working on behalf of China.
As more critical infrastructure is connected to the internet or accessible to staff by remote desktop protocols and VPNs, it's increasingly becoming a target for nation-state backed hackers and cyber criminal gangs interested in breaching and examining OT networks to lay the groundwork for future campaigns.
"A lot of this is increasing appetite to be in those places – typically from state-sponsored operations – where they want capability where they could have an impact in future," Magpie Graham, principal adversary hunter and technical director at Dragos told ZDNet.
Once hackers gain access to an industrial network, an immediate impact on the systems controlling operational processes is unlikely, because it can take attackers years to understand everything they have reached – the intrusion is about laying the foundations for future action.
The campaigns being tracked by Dragos have a variety of aims – some are focused on stealing information, while others could potentially be planning to cause disruption, for example cyber criminals looking to launch ransomware attacks. The nature of operational technology and its reliance on older software and protocols means evidence of compromise can be missed, providing hackers with ample time to move around, understand and gain control of networks.
This lack of visibility is what researchers describe as "the biggest cybersecurity weakness" facing industrial networks, because without a full picture of what needs to be protected from cyber attacks, it's not possible to fully defend networks from hackers.
Cybersecurity weaknesses in industrial networks aren't necessarily new, but as more threat groups become interested in infiltrating them, it could lead to significant problems.
The paper also warns that activity related to cyber attacks targeting industrial infrastructure has been observed since Russia's invasion of Ukraine, and western cybersecurity agencies have issued warnings on the need to protect networks from attacks.
In addition to having a good understanding of what's on the network, many standard cybersecurity practices can help secure OT networks. These include applying security updates to patch known vulnerabilities in software, and applying multi-factor authentication whenever possible.
It's hoped that by drawing attention to the hacking groups, campaigns and the risk to the industrial sector, the organisations involved will heed the warnings and apply the necessary protections to defend themselves from cyber espionage, disruptive attacks and other potential cybersecurity threats.
"It can work in a more positive light, where we have seen these attacks, it can work just as a reminder for organisations to protect themselves," said Graham.
According to Dragos, the most active threat groups targeting critical infrastructure are: