2022 Dragos ICS/OT Cybersecurity Year in Review – Insights on New Activity Groups, Industrial Ransomware, and ICS/OT Vulnerabilities

Created: Thursday, February 16, 2023 - 13:44
Categories: OT-ICS Security

Dragos published its 2022 ICS/OT Cybersecurity Year in Review this week. Now in its sixth edition, this comprehensive report contains the latest threat intelligence on adversary activity targeting operational technology (OT) and recent ICS-specific malware discoveries, data to inform vulnerability management practices, and cybersecurity benchmarks for industries. Dragos shares predominant insights, poignant lessons learned, and proactive recommendations in this annual data-driven analysis of Industrial Control System (ICS)/Operational Technology (OT) focused cyber threats and vulnerabilities. Explore the interactive executive summary before diving into the 70-page report based on Dragos’ extensive experience, assessments, and incident response engagements.

In addition to the comprehensive findings and observations captured in the “year in review,” since 2019 Dragos has tracked four specific benchmarks to consistently identify trends across a common set of criteria among critical infrastructure sectors. Those four key findings, which include data on water and wastewater systems, are:

  • Limited or No OT Network Visibility
  • Poor Security Perimeters
  • External Connections to OT Environments
  • Lack of Separate IT and OT User Management

The findings for the water and wastewater systems sector are mixed (both positive and room for improvement) and are largely not representative of the sector as a whole. Nonetheless, the data is valuable as a benchmark against which to assess your utility’s current ICS/OT cyber posture and strategy.

Limited or No OT Network Visibility. Room for improvement. Based on Dragos’ data set, there was a 0% change in water and wastewater’s OT network visibility. Specifically, throughout Dragos’ engagements with water and wastewater entities, none had any OT network visibility in 2021 and 2022.

Poor Security Perimeters. Most improved. Despite the lack of OT visibility, water and wastewater systems were the most improved industry overall and showed marked progress. After 100% of engagements demonstrated poor network segmentation in 2021, water and wastewater clients improved by 75% in 2022. According to Dragos, the 75% shift in the water industry is not from a new regulator but is a combination of improvements made in the wake of the Oldsmar incident.

External Connections to OT Environments. Took a downturn. Data reveals that water and wastewater entities experienced a slight increase (8%) in 2022 over 2021, with 83% of clients having undocumented or uncontrolled external connections to OT environments. Dragos has noted on many occasions that many OT environments are believed to be fully segmented and even appear so on their network diagrams. However, in most cases, external connections are identified when these environments are analyzed with the Dragos Platform.

Lack of Separate IT and OT User Management. Most improved. As with network segmentation, where the sector also led the industries in improvement, and presumably also in the wake of the Oldsmar incident, WWS saw a 71% improvement in 2022 after 100% of clients were found sharing credentials across IT and OT networks in 2021.

For much more insight and analysis on threats to ICS/OT, members are encouraged to access the full 70-page "2022 ICS/OT Cybersecurity Year In Review" and sign up for the 3-part 2022 YIR Webinar series at Dragos.

For additional resources and assistance in OT/ICS cybersecurity strategy, members are encouraged to check out Dragos OT-CERT.

See also: WaterISAC Partners with New Dragos OT-CERT to Help Underserved Water and Wastewater Systems