Daniel Ehrenreich posited in a LinkedIn comment that the number of ICS-OT directed attacks in a year is in the two digits range (10 – 99). My definition, not Daniel’s, of an ICS-OT directed attack is an attack that is designed to compromise the availability or integrity of the ICS. An attack specifically designed to prevent the asset owner from monitoring and controlling a physical process. 

General purpose ransomware that finds it’s way into an OT environment is not an ICS-OT directed attack. General purpose attack code intentionally aimed at the ICS, because something more tailored is not required, to take it out would be. The latter is a gray area because we need to know attacker motivation. How many ICS-OT directed attacks occurred last year?

Ralph Langner has repeatedly highlighted that the number of publicly disclosed successful ICS-OT directed cyber attacks that succeed is tiny, certainly single digits. Robert M. Lee has told me, and stated it in a variety of ways in his speeches, that there is a lot more ICS-OT directed attack activity that is unseen by most. My experience leans to Ralph’s view, and I have to admit my sample size and visibility on this issue is quite limited. Rob/Dragos, Mandiant and a few others would have a better view since they are monitoring many systems and get called to respond to ICS related cyber incidents.

I don’t know the answer. If forced to answer, I’d say it is most likely triple digits (100 – 999). Why, given the dearth of published incidents? There is the usual case that companies are disincentivized to make this info public. Less obvious are the following three reasons ICS-OT directed cyber attacks appear to be so low.

  1. The majority of the ICS asset owners are early in their ICS security program maturity. There could be incidents caused by a cyber attack that they don’t identify as a cyber attack. Think of the first Triton caused outage that was not recognized as a cyber attack. This would be a small number unless the attacker stops on their own. Even 20+ years ago Maroochy Shire finally figured it out is was a cyber attack that was causing the sewage spills.
  2. There are likely a number of ICS-OT directed attacks that are prevented. Either through security controls or dumb luck. A good OT security perimeter would stop a lot of attackers who lack the skill or motivation to try harder. I believe this is the biggest contributor to the small numbers.
  3. My contention since 2012, see article on this, is that state actors will want access and persistence in the ICS-OT environment. This is required to be able to cause the impact when the leaders say ‘take down x now’. The attack team can’t ‘say ok boss, give me 6 – 12 months to do this’. I believe today there is a non-small amount of access and persistence on ICS-OT environments by US, China, Russia, Israel and others. These “sophisticated actors” likely have the most ICS and physical process specific attack tools. Tools designed to cause a long term outage or damage to expensive, long lead time physical equipment.

Even if the number of ICS-OT directed cyber attacks is in triple digits, this is dwarfed by the number of attacks that unintentionally find their way to the ICS or ICS security perimeter. This is reflected by the limited published data where most ICS outages due to a cyber attack are caused by ransomware or some mass market malware / attack code.