Real Life OT Security Incidents

Case 1: Colonial Pipeline ransomware attack
Location: Houston, Texas
The Colonial Pipeline ransomware attack was one of the most significant attacks of 2021, and it caused a gasoline shortage crisis. The company's CEO testified before the US government that the attack was completely avoidable: the attackers gained access only because multifactor authentication had not been applied to a VPN service. The attackers were the Darkside ransomware group. They took control of Colonial Pipeline's IT systems, but thanks to the network segmentation in place, the impact of the attack was minimized. When the company realized that its IT systems had been compromised, it took down its OT systems to keep them from being affected as well.
This is a clear example of how IT and OT systems are integrated and how a compromised IT system can affect OT systems as well. Organizations therefore need to understand how their IT and OT networks and systems are linked with each other, and what risks that integration introduces.

Case 2: Attack on the water treatment plant
Location: Oldsmar, Florida
An employee in the water treatment plant's IT department noticed in several water quality reports that sodium hydroxide levels were rising rapidly. It was later found that the system had been accessed remotely by someone, and that over time this access had been affecting the treatment plant's IT infrastructure as well. The remote access tool used to carry out the attack was TeamViewer.
This incident shows how important it is to secure the access provided in any organization: in this case, unauthorized access affected the purity and quality of the water.
During the pandemic, the use of remote access tools increased, and attackers see this as an opportunity, so organizations need to ensure that only approved remote access connections are allowed and continuously monitor those communications. Fortunately, in this incident the impact was reduced and the attack was brought under control because alert employees detected the changes at a very early stage.
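As an added illustration of the "only approved remote access" point above (example code, not from the original article), the following Python checks a constructed remote-session log against an allowlist of approved sessions and reports everything outside it; the log format, account names, network ranges and maintenance window are all assumptions.

```python
"""Allowlist check for remote-access sessions into an OT network.

Added example (not from the original article): the log format,
approval list and sample events below are constructed to show how
'only approved remote access' can be enforced by continuous monitoring.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log: timestamp, tool, account, source IP, destination host
SAMPLE_LOG = """\
2021-02-05T08:05:12 teamviewer ops_tech 10.20.5.14 hmi-01
2021-02-05T13:40:03 teamviewer ops_tech 203.0.113.77 hmi-01
2021-02-05T14:10:44 rdp contractor 10.20.5.22 eng-ws-02
2021-02-06T02:15:09 teamviewer ops_tech 10.20.5.14 hmi-01
"""

@dataclass(frozen=True)
class Approval:
    tool: str
    account: str
    source_net: str            # CIDR the session must originate from
    window: tuple[time, time]  # local maintenance window (start, end)

# Constructed approval list: remote access is allowed only from the
# engineering VLAN, by a named account, inside the published window.
APPROVED = [
    Approval("teamviewer", "ops_tech", "10.20.5.0/24", (time(7, 0), time(18, 0))),
]

def is_approved(ts, tool, account, src, approvals=APPROVED):
    """True if some approval covers this tool, account, source and time."""
    for a in approvals:
        if (a.tool == tool and a.account == account
                and ip_address(src) in ip_network(a.source_net)
                and a.window[0] <= ts.time() <= a.window[1]):
            return True
    return False

def find_unapproved(log_text, approvals=APPROVED):
    """Return (log line, reason) for every session not covered by an approval."""
    findings = []
    for line in log_text.splitlines():
        ts_s, tool, account, src, dest = line.split()
        ts = datetime.fromisoformat(ts_s)
        if not is_approved(ts, tool, account, src, approvals):
            findings.append((line, f"unapproved {tool} session by {account} from {src} to {dest}"))
    return findings

if __name__ == "__main__":
    for _, reason in find_unapproved(SAMPLE_LOG):
        print("ALERT:", reason)
```

Only the first sample session is covered by the approval; the other three are flagged for an unapproved source address, an unapproved tool and account, and a session outside the maintenance window.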
Case 3: The TRITON/TRISIS attack
Location: Saudi Arabia
OT threat groups cause serious harm, from stealing intellectual property to directly endangering people's lives.
In December 2017, an attack using newly identified malware was carried out against a Saudi Arabian gas plant. The malware was significant because it was created specifically to interfere with safety systems in critical facilities. Known as TRITON or TRISIS, it was the first malware to deliberately target systems whose job is to prevent major physical damage and life-threatening disasters. An investigation of the TRITON attack found that the malicious actors manipulated the industrial safety systems at a critical infrastructure facility and unintentionally shut down a process. Later studies examined how the attackers could have obtained the critical components required to build the TRITON attack framework, and the intrusion activity that linked TRITON to a Moscow-based technological research institute owned by the Russian government.