Authors: Mukund Bhole; Thilo Sauter; Wolfgang Kastner

Extended abstract:

In recent years, concepts and components of information technology (IT) have increasingly made their way into the shop floor, now commonly referred to as operational technology (OT). The growing interconnection and convergence of IT and OT have exposed industrial infrastructures to cyber attacks and significantly increased their vulnerability to advanced persistent threats. Systems that were once isolated are now connected to corporate networks and external services, broadening the attack surface of industrial environments.

This article examines real-world cyber incidents affecting OT systems, focusing on the complex landscape of threat groups that actively target industrial environments. It analyzes the tactics, techniques, and procedures employed by these threat actors across different stages of the attack lifecycle, including initial access, persistence, lateral movement, and impact on industrial operations. The analysis highlights that OT-focused attacks differ from traditional IT attacks in terms of objectives, technical constraints, and potential physical and safety consequences.

The need for increased vigilance in protecting OT environments is emphasized through the use of open-source threat intelligence platforms and databases. These include the Thai Computer Emergency Response Team (ThaiCERT), Malpedia maintained by the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), the MITRE ATT&CK framework with its dedicated ICS knowledge base, and resources provided by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Correlating information from these sources enables a more comprehensive understanding of attacker behavior and recurring attack patterns.

The objective of this work is to provide relevant stakeholders—including manufacturers, asset owners, system integrators, and Chief Information Security Officers (CISOs)—with insights into emerging threat groups, attack victims and their geographical distribution, attack origins, tools and types of tools used, and the motivations behind these attacks. This understanding is essential for improving defensive strategies aligned with relevant standards and frameworks and for strengthening the protection and resilience of OT environments against evolving cyber threats.

Figure: Methodology for collecting, classifying, and analyzing OT/ICS threat group data across infrastructure levels, countries, sectors, motivations, and tools.

Additional Information:

Data were collected from publicly available sources, including Threat Group Cards by ThaiCERT, Malpedia maintained by Fraunhofer FKIE, the MITRE ATT&CK framework, and reports from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The compiled dataset includes information on threat actor groups, reported attacks (up to June 2023), targeted ISA-95 levels, affected sectors and countries, attacker origins, motivations, and tools used.

Using this approach, information on 120 threat groups targeting OT/ICS environments across sectors such as manufacturing, energy, oil and gas, petrochemical, and critical infrastructure was analyzed. The resulting dataset is available at:
https://doi.org/10.48436/ewmb8-3ad52
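The methodology above amounts to merging per-group records from several sources into one profile per group and then tallying those profiles across ISA-95 level, sector, country, motivation and tool type. The following is an added illustration of that consolidation step, not code from the paper or its dataset: the records, group names, dates and tools are constructed placeholders, the alias-based merging and the June 2023 cut-off are assumptions about how such a dataset would be reconciled, and the field names are chosen here.

```python
from collections import Counter

# Constructed sample records shaped like the fields the methodology lists
# (source, group, aliases, reporting date, ISA-95 levels, sectors, countries,
# origin, motivation, tools). All values are hypothetical placeholders.
SAMPLE_RECORDS = [
    {"source": "ThaiCERT", "group": "Sample Group A", "aliases": ["SGA"],
     "reported": "2021-03", "isa95_levels": [2, 3], "sectors": ["energy"],
     "countries": ["DE"], "origin": "unknown", "motivation": "espionage",
     "tools": {"example-rat": "remote access tool"}},
    # Same group as above, reported by a second source under its alias.
    {"source": "Malpedia", "group": "SGA", "aliases": ["Sample Group A"],
     "reported": "2022-11", "isa95_levels": [3], "sectors": ["energy", "manufacturing"],
     "countries": ["AT"], "origin": "unknown", "motivation": "espionage",
     "tools": {"example-wiper": "destructive malware"}},
    {"source": "MITRE ATT&CK ICS", "group": "Sample Group B", "aliases": [],
     "reported": "2023-05", "isa95_levels": [0, 1], "sectors": ["oil and gas"],
     "countries": ["US"], "origin": "unknown", "motivation": "sabotage",
     "tools": {"example-plc-tool": "ICS-specific malware"}},
    # Reported after the cut-off, so it must be excluded from the tallies.
    {"source": "ICS-CERT", "group": "Sample Group C", "aliases": [],
     "reported": "2023-09", "isa95_levels": [4], "sectors": ["manufacturing"],
     "countries": ["JP"], "origin": "unknown", "motivation": "financial",
     "tools": {"example-ransomware": "ransomware"}},
]

CUTOFF = "2023-06"  # attacks reported up to June 2023; YYYY-MM strings compare lexically


def canonical_names(records):
    """Map every group name and alias to one canonical name, so a group that
    different sources name differently is merged instead of counted twice."""
    canon = {}
    for rec in records:
        names = [rec["group"]] + list(rec["aliases"])
        existing = {canon[n] for n in names if n in canon}
        target = min(existing) if existing else rec["group"]
        # If this record links previously separate canonical names, unify them.
        for name, current in list(canon.items()):
            if current in existing:
                canon[name] = target
        for n in names:
            canon[n] = target
    return canon


def merge_groups(records, cutoff=CUTOFF):
    """Build one profile per canonical group from all sources, dropping
    records reported after the cut-off."""
    canon = canonical_names(records)
    profiles = {}
    for rec in records:
        if rec["reported"] > cutoff:
            continue
        p = profiles.setdefault(canon[rec["group"]], {
            "sources": set(), "isa95_levels": set(), "sectors": set(),
            "countries": set(), "motivations": set(), "tools": {}})
        p["sources"].add(rec["source"])
        p["isa95_levels"].update(rec["isa95_levels"])
        p["sectors"].update(rec["sectors"])
        p["countries"].update(rec["countries"])
        p["motivations"].add(rec["motivation"])
        p["tools"].update(rec["tools"])
    return profiles


def tally(profiles, field):
    """Count how many distinct groups fall into each value of a set-valued field."""
    counts = Counter()
    for p in profiles.values():
        counts.update(p[field])
    return dict(counts)


def tally_tool_types(profiles):
    """Count groups per tool type (a group using two tools of one type counts once)."""
    counts = Counter()
    for p in profiles.values():
        counts.update(set(p["tools"].values()))
    return dict(counts)


if __name__ == "__main__":
    profiles = merge_groups(SAMPLE_RECORDS)
    print("groups after merge and cut-off:", sorted(profiles))
    for field in ("isa95_levels", "sectors", "countries", "motivations"):
        print(field, tally(profiles, field))
    print("tool types", tally_tool_types(profiles))
```

Counting distinct groups per dimension rather than raw records is the point of the merge: without alias reconciliation, the two records for the same group above would inflate the energy-sector and level-3 counts, which is the kind of double counting that correlating ThaiCERT, Malpedia and MITRE entries has to avoid.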


Full paper: https://ieeexplore.ieee.org/document/10834594

This paper has been published in IEEE Open Journal of the Industrial Electronics Society.

Read other featured articles from IES journals: https://iten.ieee-ies.org/featured-articles/featured-articles-from-ies-journals/