Dragos has released its 2025 OT/ICS Cybersecurity report (registration required), looking back at 2024. Unsurprisingly, the findings show that the number of threat groups and attacks grew throughout the year. What will concern many organisations is how many vulnerabilities exist in their networks and are perimeter-facing. The report also shows that there are problems with incorrect advisories and that ransomware has risen significantly in the manufacturing sector.
A bigger concern from the report is the convergence of state actors, adversaries and hacktivists. This triple threat sees them sharing data and tools. As they all have different agendas, it makes spotting attacks harder for defenders because the attack routes differ. That problem is amplified as geopolitical conflicts continue to grow, and groups seek to take advantage of it to press their agendas.
Robert M Lee, CEO of Dragos, commented, “Civilian infrastructure, and the geopolitical climate is driving a lot of that targeting. 2024 also saw an expansion of new adversaries that were targeting infrastructure, but also very interesting connections between state and non-state actors.”
2024 saw the emergence of new threat groups
In a one-hour briefing, Lee talked about the challenges that new threat groups bring. Last year, two new threat groups, Graphite and Bauxite, were seen. This takes the number of groups Dragos tracks to 23, although only nine were active over the year. Of those nine, four were of serious concern because they had already achieved ICS Cyber Kill Chain Stage 2 capability.
To put that in context, Stage 1 is about surveillance and gathering intelligence on the target. Stage 2 sees the attacker develop their attack. That includes building and delivering, installing and executing an attack. One of those groups is Bauxite, which has just appeared. Another is Voltzite, which is linked to Volt Typhoon, the Chinese threat actor that successfully penetrated multiple US companies.
Dragos lists Voltzite as the most critical threat to critical infrastructure. It has successfully penetrated networks around the world and continues to do so. Of concern to all organisations is the claim that it uses stolen ICS-focused data to craft malicious OT-specific tools capable of operational disruption.
The impact of geopolitical tensions is also clear in the report and in Lee’s comments, where he gave two examples. The first was the attack by the pro-Ukrainian hacktivist group Blackjack, which deployed the Fuxnet malware against Moskollektor, the organisation that manages Moscow’s municipal infrastructure. The second was the use of the Frostygoop malware to disrupt the energy supply to heating systems, affecting 600 apartment buildings in Ukraine.
The report details other groups that Dragos tracks involved in the Russo-Ukrainian war. Kamacite and Electrum are Russian groups targeting critical infrastructure in Ukraine. The two work together, with Kamacite breaching organisations and then handing that access to Electrum. Kamacite is also targeting European oil and natural gas organisations.
How one threat actor compromises systems
According to the report, “65% of Dragos Services clients had insecure remote conditions. This includes insecure configurations, unpatched systems and poor network architecture related to remote access appliances and applications.”
That is a disturbingly high number. New threat actor Bauxite feeds off this lack of defence. 100% of its targets were accessible from the Internet. This includes the compromise of VPNs, firewalls and PLCs using brute force SSH attacks. Organisations need to rethink how they spot such attacks and make sure they keep on top of alerts and patching.
Once inside, it overwhelms PLCs and HMIs with denial-of-service (DoS) attacks. The biggest risk is the wiping of firmware on affected devices. Recovering from that requires backups and protection to be in place so that the firmware can be restored.
Dragos says that 45% of OT Watch customers have SSH communicating with publicly routable addresses. 5% talk to external addresses using PPTP. Both require a rethink of how communication is carried out and alternative solutions put in place. If that is not possible, a risk assessment is required to decide what risk appetite the organisation can accept.
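Two checks a defender would want after reading the figures above: spotting the brute-force SSH activity attributed to Bauxite in authentication logs, and finding SSH or PPTP sessions that touch publicly routable addresses, the exposure Dragos measured across its OT Watch customers. The code below is an added illustration, not Dragos code or tooling. The auth log lines and flow records are constructed samples in a simplified format; real sshd logs and NetFlow or Zeek exports differ in layout, and the thresholds and "internal" address ranges are assumptions to tune per site.

```python
"""Added example: SSH brute-force detection over auth log lines, plus a check
for SSH/PPTP flows that reach publicly routable addresses. Not Dragos code.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd auth log (syslog style, year assumed to be 2024).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 plc-gw sshd[311]: Failed password for root from 203.0.113.7 port 51110 ssh2
Mar  3 10:00:02 plc-gw sshd[312]: Failed password for admin from 203.0.113.7 port 51111 ssh2
Mar  3 10:00:03 plc-gw sshd[313]: Failed password for invalid user operator from 203.0.113.7 port 51112 ssh2
Mar  3 10:00:04 plc-gw sshd[314]: Failed password for root from 203.0.113.7 port 51113 ssh2
Mar  3 10:00:05 plc-gw sshd[315]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar  3 10:00:06 plc-gw sshd[316]: Accepted publickey for eng from 10.20.0.5 port 40000 ssh2
Mar  3 10:15:00 plc-gw sshd[317]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:30:00 plc-gw sshd[318]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def ssh_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return {source_ip: peak_failures} for sources that reach `threshold`
    failed logins inside any sliding `window`. Thresholds are assumptions."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts[m["src"]].append(ts)

    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Address ranges treated as internal: RFC 1918 plus loopback and link-local.
# ipaddress.is_global is deliberately not used: it also excludes documentation
# ranges such as 203.0.113.0/24, which the constructed samples use as "public".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_publicly_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


# Constructed flow records: (src_ip, dst_ip, protocol, dst_port or None).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.10", "tcp", 22),       # SSH between internal hosts
    ("10.20.0.5", "203.0.113.50", "tcp", 22),     # SSH to a publicly routable address
    ("10.20.0.7", "198.51.100.20", "tcp", 1723),  # PPTP control channel
    ("10.20.0.7", "198.51.100.20", "gre", None),  # PPTP data channel (GRE)
    ("10.20.0.9", "10.20.1.4", "tcp", 502),       # Modbus/TCP, internal only
    ("10.20.0.9", "8.8.8.8", "udp", 53),          # DNS, out of scope for this check
]


def external_remote_access_flows(flows):
    """Return (src, dst, service) for SSH (tcp/22) or PPTP (tcp/1723 or GRE)
    flows where either endpoint is publicly routable."""
    hits = []
    for src, dst, proto, port in flows:
        is_ssh = proto == "tcp" and port == 22
        is_pptp = (proto == "tcp" and port == 1723) or proto == "gre"
        if not (is_ssh or is_pptp):
            continue
        if is_publicly_routable(src) or is_publicly_routable(dst):
            hits.append((src, dst, "ssh" if is_ssh else "pptp"))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", ssh_bruteforce_sources(SAMPLE_AUTH_LOG))
    for hit in external_remote_access_flows(SAMPLE_FLOWS):
        print("external remote access:", hit)
```

The flow check is the part to run continuously, since it answers the report's question directly: does any SSH or PPTP session on the OT network have a publicly routable peer? Each hit is a candidate for the rethink of remote access the report calls for, or, failing that, for an explicit risk acceptance.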
Bauxite’s targets are oil and gas, electric, wastewater and chemical manufacturing in the US, Europe, Australia and West Asia. It is closely aligned with the pro-Iranian group CyberAv3ngers and, again, is motivated by politics and conflict, in this case the Israel-Hamas conflict.
The report also looks at the behaviour of Graphite.
Ransomware still a major threat
Several cybersecurity vendors have recently issued reports highlighting lower ransom payments and suggesting ransomware attacks are down. Dragos says that is not the case for the industrial sector with manufacturing being the most affected. It saw an 87% increase in ransomware attacks in 2024.
The list of affected sectors includes manufacturing, government, water, mining, transportation, renewables, oil & gas, data centers, communications, and electric. 984 attacks were recorded against the US, which was the most affected (58%). By comparison, Europe saw 419 attacks (25%).
A quarter of attacks involved a full shutdown and three-quarters resulted in some degree of operational disruption. Once data is encrypted, organisations face the choice of paying or attempting to restore systems. For manufacturers, the response is often to pay.
Dragos says that the common attack vectors are:
- Gaining admin rights through misconfigured access.
- Exploiting unpatched VPNs with weak credentials.
- Moving from IT to OT environments due to poor segmentation.
To mitigate attacks it lists five primary approaches:
- Patch VPN vulnerabilities and enforce multi-factor authentication (MFA).
- Restrict admin privileges and monitor access.
- Implement strict IT/OT segmentation.
- Deploy OT-native threat and anomaly detection.
- Conduct tabletop exercises (TTX) and establish offline backups.
The likelihood is that most organisations have some or all of these in place. The question is, how well are they implemented? Additionally, what auditing occurs to ensure that patching and privileges are not compromised?
Patching key for IT systems but not always for ICS/OT
For attackers such as Graphite, spear-phishing and credential compromise are a major entry point. Graphite exploits the known CVEs CVE-2023-23397 (Outlook) and CVE-2023-38831 (WinRAR). Organisations need to ensure that IT systems are appropriately patched.
But patching IT systems does not protect ICS/OT systems. Lee pointed out that safety and production needs make patching such environments impractical. Patching also assumes that systems can be patched, and with older systems, this is not always true.
Making things tougher for organisations are problems with advisories. For example, only 74% of advisories came with a patch. Of the remaining 26%, Dragos was able to provide a range of alternative mitigations in 47% of cases. But the more concerning number that this report raises is that 22% of advisories in 2024 had incorrect data. This is something that needs to be addressed by vendors with some urgency.
The Now, Next, Never Vulnerability Framework
The report states that “The Common Vulnerability Scoring System (CVSS) is inadequate for prioritizing vulnerabilities in industrial control systems (ICS). CVSS relies on numerical scoring to evaluate vulnerabilities based on technical attributes, but it was not originally designed with industrial systems in mind. As a result, CVSS lacks the contextual information necessary for conducting risk assessments specific to ICS.
For example, CVSS fails to account for whether a vulnerability impacts the ICS process, or if mitigating a vulnerability will render a device inoperable for the owner. To address these situations, Dragos developed a framework for sorting vulnerabilities into three categories: Now, Next, and Never. This framework helps asset owners identify and prioritize the vulnerabilities with the highest risk to their operational process.”
Adopt a risk-based approach
There is also a need for a risk-based approach when it comes to mitigation. As IT security teams have discovered, they cannot apply every patch they are alerted to. There isn’t time to test and verify patches, let alone apply them. This is where risk-based vulnerability management comes into play.
Dragos applied that approach to all the ICS/OT vulnerabilities that were announced in 2024. What it found was:
- Only some vulnerabilities need immediate action.
- 6% of ICS/OT vulnerabilities need to be addressed immediately.
- 63% are network exploitable with no direct operational impact.
- 31% pose a possible threat but rarely require action.
It goes on to say that the 63% must be addressed but the 31% likely never need addressing. It would be interesting to see how many organisations are in a position to decide which of these two groups a vulnerability falls into. For those using MSPs/MSSPs, this is a question that should be asked of those partners. Those doing this internally need to look at tools to make those assessments.
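To make the Now, Next, Never idea and the risk-based triage above concrete, here is an added example of how an asset owner might sort advisories using the two pieces of context the report says CVSS lacks: whether exploitation affects the operational process, and whether the fix itself disrupts the device. This is illustrative code written for this article, not Dragos’s framework or its published criteria; the decision rules, the vulnerability fields and the VULN-A to VULN-D records are all constructed for the example. It also contrasts the result with a CVSS-only ordering to show why the two differ.

```python
"""Added example: a simplified Now/Next/Never triage for ICS/OT advisories,
compared against CVSS-only ordering. Rules and sample data are illustrative
assumptions, not Dragos's published criteria.
"""
from dataclasses import dataclass

CATEGORY_ORDER = {"Now": 0, "Next": 1, "Never": 2}


@dataclass(frozen=True)
class IcsVuln:
    vuln_id: str                 # placeholder identifier, not a real CVE
    cvss: float                  # base score as reported in the advisory
    network_exploitable: bool    # reachable over the network at all
    perimeter_facing: bool       # affected device is exposed to untrusted networks
    impacts_process: bool        # exploitation can cause loss of view or control
    patch_available: bool        # advisory shipped a fix (report: only 74% did in 2024)
    patch_disrupts_device: bool  # applying it needs an outage or risks the device


def triage(v):
    """Return (category, recommended action).

    Assumed rules: network-exploitable and process-impacting -> Now;
    network-exploitable without process impact -> Next (still must be fixed);
    needs local or physical access -> Never (track, rarely act)."""
    if v.network_exploitable and v.impacts_process:
        category = "Now"
    elif v.network_exploitable:
        category = "Next"
    else:
        category = "Never"

    if category == "Never":
        action = "track; revisit if exposure changes"
    elif not v.patch_available:
        action = "compensating controls (segment, restrict remote access, monitor); await vendor fix"
    elif v.patch_disrupts_device:
        action = "compensating controls now; schedule the patch for a planned outage"
    elif category == "Now":
        action = "patch now"
    else:
        action = "patch at next maintenance window"
    return category, action


def risk_based_order(vulns):
    """Now before Next before Never; within a category, perimeter-facing first,
    then higher CVSS first as a tie-breaker only."""
    return sorted(vulns, key=lambda v: (CATEGORY_ORDER[triage(v)[0]],
                                        not v.perimeter_facing, -v.cvss))


def cvss_order(vulns):
    """The ordering a CVSS-only process would produce."""
    return sorted(vulns, key=lambda v: -v.cvss)


def category_counts(vulns):
    """How the backlog splits across Now/Next/Never (compare the report's 6/63/31%)."""
    counts = {"Now": 0, "Next": 0, "Never": 0}
    for v in vulns:
        counts[triage(v)[0]] += 1
    return counts


# Constructed sample advisories.
SAMPLE_VULNS = [
    IcsVuln("VULN-A", 9.8, True, True, True, True, False),    # remote, perimeter, hits process
    IcsVuln("VULN-B", 9.8, False, False, True, True, False),  # needs local/physical access
    IcsVuln("VULN-C", 7.5, True, False, False, True, True),   # remote, no process impact, disruptive fix
    IcsVuln("VULN-D", 6.5, True, True, True, False, False),   # remote, hits process, no patch yet
]

if __name__ == "__main__":
    print("CVSS-only order:  ", [v.vuln_id for v in cvss_order(SAMPLE_VULNS)])
    print("Risk-based order: ", [v.vuln_id for v in risk_based_order(SAMPLE_VULNS)])
    for v in risk_based_order(SAMPLE_VULNS):
        category, action = triage(v)
        print(f"{v.vuln_id}: {category:5} cvss={v.cvss} -> {action}")
    print(category_counts(SAMPLE_VULNS))
```

The point the sample makes is the one the report quotes: VULN-B carries the same 9.8 score as VULN-A, so a CVSS-only queue puts it second, yet it needs local access and sits in Never, while VULN-D, with a modest 6.5, is a Now item because it is perimeter-facing and can disrupt the process, and the right response is a compensating control rather than waiting for a patch that does not exist.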
Enterprise Times: What does this mean?
There is too much in this report to easily encapsulate in one article. It needs to be thoroughly read through and notes taken. The sections looking at specific threat groups and behaviours must be read by security teams. They can easily extract a set of actions to review their environments to improve their defences against those groups mentioned.
The need for a risk-based approach is for the boardroom. If it doesn’t adopt this approach, it will inevitably end up under-protecting the organisation. That will only lead to increased and potentially unnecessary spending on security or an increased chance of an attack. Either way, it has to make the right investment to get the best tools in place.
But perhaps the biggest warning here, and one that aligns with warnings from other security companies, is that of a merging of ideologies among attackers. Nation states, state-sponsored attackers, hacktivists and cybercrime groups are coming together. They are sharing tools, intelligence and platforms along with providing specific services. Importantly, they attack for different reasons, widening the risk of attack and damage.