A new report shows that network anomalies and attacks are the most common threats to OT and IoT environments, especially in the area of critical infrastructure. Vulnerabilities in critical production areas have increased by 230 percent.
Nozomi Networks has released its latest Networks Labs OT & IoT Security Report. The experts' analysis shows that network anomalies and attacks represent the greatest threat to OT and IoT environments. Another reason for concern: vulnerabilities in critical production areas have increased by 230 percent. Therefore, cybercriminals have many more opportunities to access networks and cause these anomalies.
Collected telemetry data from 25 countries
Nozomi Networks Labs collects unique telemetry data from OT and IoT environments in 25 countries, covering a variety of use cases and industries. Analysis of this data revealed that network anomalies and attacks accounted for the largest share (38 percent) of threats in the second half of 2023. Network anomalies, which are a major concern, increased by 19 percent compared to the previous reporting period. This in turn indicates that the criminals at work here have considerable know-how.
Network scanning topped the list of alerts for network anomalies and attacks, closely followed by TCP flood attacks, in which large amounts of data are sent to systems in order to paralyze them or make them inaccessible. Accordingly, TCP flood and anomalous packet alerts have increased significantly over the past six months, both in terms of total alerts and average values per customer, which have more than doubled and increased sixfold, respectively.
123 percent increase in alerts
The number of access control and authorization threat alerts increased by 123 percent compared to the previous reporting period. In this category, alerts for multiple failed logins grew by 71 percent and brute force attacks grew by 14 percent. This trend highlights the ongoing challenges posed by unauthorized access attempts and shows that the problems around identity and access management in OT, as well as those related to user passwords, persist.
Over the past six months, Nozomi experts have observed these five critical threat activities most frequently in real-world environments:
- Network anomalies and attacks – 38 percent of all alerts
- Authentication and password issues – 19 percent of all alerts
- Access control and authorization issues – 10 percent of all alerts
- Specific operational technology (OT) threats – 7 percent of all alerts
- Suspicious or unexpected network behavior – 6 percent of all alerts
ICS vulnerabilities
Given this concentration of network anomalies, Nozomi Networks Labs identified the industries that should be on high alert based on an analysis of all ICS security advisories issued by CISA over the past six months. The manufacturing industry tops the list: here the number of CVEs (Common Vulnerabilities and Exposures) has risen to 621, a dramatic increase of 230 percent compared to the previous reporting period.
Manufacturing, energy and water/wastewater remained the most vulnerable sectors for the third consecutive reporting period. However, the total number of reported vulnerabilities fell by 46 percent in the energy segment and by 16 percent in water supply/wastewater. Commercial real estate and communications moved into the top five, replacing food and agriculture and chemicals, both of which dropped out. Notably, healthcare, public administration, transportation and emergency services are all represented in the top 10. In the second half of last year:
- CISA published 196 new ICS advisories covering 885 common vulnerabilities and exposures (CVEs) – an increase of 38 percent compared to the previous half of the year.
- 74 vendors were affected – an increase of 19 percent.
- Out-of-Bounds Read and Out-of-Bounds Write remained among the top CVE types for the second year in a row – both expose systems to various attacks, including buffer overflow attacks.
Data from IoT honeypots
Nozomi Networks Labs also analyzed a large amount of data on malicious activity against IoT devices and identified some notable trends that the industries mentioned above should consider. The results show that malicious IoT botnets remain active this year and that criminals continue to use these botnets to access IoT devices via default credentials.
From July to December 2023, Nozomi Networks was able to determine a whole series of interesting numbers through the use of honeypots:
- An average of 712 unique attacks per day (a 12 percent decrease from the daily average in the previous reporting period) – the day with the highest number of attacks was October 6th, with 1,860 attacks.
- The most active attacker IP addresses were located in China, the USA, South Korea, India and Taiwan.
- Brute force attempts remain a popular technique for gaining access to systems – default credentials remain one of the main ways attackers gain access to IoT devices. Remote Code Execution (RCE) also remains a popular technique, often used for targeted attacks and for distributing various types of malware.
Nozomi Networks Labs' OT & IoT Security Report provides security professionals with the latest insights they need to re-evaluate risk models and security initiatives, as well as easy-to-implement recommendations for securing critical infrastructure.
More at NozomiNetworks.com
About Nozomi Networks
Nozomi Networks accelerates digital transformation by protecting critical infrastructure, industrial and government organizations from cyber threats. Nozomi Networks' solution provides exceptional network and asset visibility, threat detection and insights for OT and IoT environments. Customers rely on it to minimize risk and complexity while maximizing operational resilience.