OT security continues to evolve, both in the threat landscape and in how operators, industry groups, and nations advance defenses against OT cyber threats. As we wrap up 2024, it is worth taking the time to reflect on the significant happenings in the OT world this past year, so that as an industry we can continue to mature critical infrastructure security and meet evolving compliance requirements. Let's take a look at some of the impactful threats and related policy news from this year:
While we didn't see a year like 2021 with a big, singular incident like Colonial Pipeline (at least none that was disclosed or reached mainstream headlines), we did see nation-state movement and a steady undercurrent of threats to critical infrastructure.
Notably, Volt Typhoon, an ongoing Chinese state-sponsored campaign, remained a persistent threat to U.S. critical infrastructure in 2024. On February 7, 2024, CISA, together with the NSA and FBI, issued a joint advisory on the group. It detailed Volt Typhoon's use of stealthy living-off-the-land techniques, meaning built-in administrative tools rather than custom malware, to gain and keep footholds in IT networks from which OT assets could later be reached, and urged critical infrastructure owners and operators to hunt for this activity and harden against it. The advisory called for elevated cybersecurity measures and stressed that these threats should be treated as core business risks with national security consequences.
Additionally, the Salt Typhoon intrusions, reported in late September and attributed to the People's Republic of China, compromised at least eight U.S. communications companies. These breaches exposed significant weaknesses in critical telecommunications infrastructure and prompted the FCC to move toward stricter security requirements for telecom carriers. Countering PRC cyber activity remains a top priority in Washington.
Washington also had its attention on Cyber Av3ngers, a hacking group operating out of Iran. This year the U.S. Department of State announced a reward of up to $10 million for information leading to the identification of several Iranian nationals implicated in attacks on industrial control systems (ICS). Notably, in the fall of 2023, Cyber Av3ngers compromised a Unitronics Vision series programmable logic controller (PLC) at the Municipal Water Authority of Aliquippa in Pennsylvania, and the group also hit ICS at other U.S. water utilities. The affected devices were internet-exposed PLCs still using default credentials, a basic hygiene gap rather than a novel exploit. While Cyber Av3ngers presents itself as a hacktivist group, the U.S. government contends that the persona is a front for Iranian government cyber operations.
Attacks on water supply also affected the UK in 2024. These incidents were not widely publicized but were documented and reported under the UK Network and Information Systems (NIS) Regulations. Details later emerged through Freedom of Information (FOI) requests, which revealed at least six such incidents affecting the sector during the year.
In early September, Taiwan's government, major corporations, and critical infrastructure were hit by distributed denial-of-service (DDoS) attacks from the pro-Russia group NoName057(16). The group specializes in disrupting essential services, including government websites, public utilities, and financial institutions. The 2024 wave affected municipal governments, public offices, judicial units, and airports including Taoyuan International and Songshan. The group also claimed attacks on key government databases, underscoring its intent to disrupt Taiwan's critical infrastructure.
While not an OT incident as such, we can't leave out the CrowdStrike outage of July 2024. A faulty content update to CrowdStrike's Falcon Sensor caused approximately 8.5 million Microsoft Windows systems worldwide to crash, disrupting airlines, banks, hospitals, and emergency services. The outage did not directly touch cyber-physical processes, but it is a sharp reminder that software updates, including the signature and content updates that are often pushed automatically, need verification and a staged rollout before they reach production. In OT environments the stakes are higher: patches and updates should be tested on representative systems and deployed in rings, so that a bad update is caught on a small canary population rather than across the whole plant.
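The update discipline described above, as an added illustration that is not CrowdStrike's or any vendor's code: a stdlib-only Python script that refuses an update whose artifact does not match a signed manifest, then deploys it ring by ring and halts promotion as soon as a ring's health check fails. The manifest format, the HMAC stand-in for a vendor signature, the ring sizes and the health-check callbacks are all assumptions constructed for this example.

```python
"""Gate a security-sensor update behind integrity verification and ring rollout.

Added illustration (stdlib only). The manifest format, the HMAC-based
"signature", the ring sizes and the health checks are all constructed for
this example; real vendors use their own formats and asymmetric signatures.
"""
import hashlib
import hmac
import json

# Rollout rings: (name, number of hosts). Constructed sizes; a halted rollout
# touches only the hosts in the rings reached so far.
RINGS = [("canary", 5), ("pilot", 50), ("production", 2000)]


def build_manifest(blob: bytes, version: str, key: bytes) -> dict:
    """Produce a manifest binding the artifact hash to a version, keyed by HMAC.

    Stand-in for a vendor-signed manifest; HMAC over the canonical JSON of the
    body is used here purely to keep the example self-contained.
    """
    body = {"version": version, "sha256": hashlib.sha256(blob).hexdigest()}
    payload = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return body


def verify_update(blob: bytes, manifest: dict, key: bytes) -> tuple:
    """Check the manifest signature first, then the artifact hash it vouches for."""
    if not all(k in manifest for k in ("version", "sha256", "sig")):
        return False, "malformed manifest"
    body = {"version": manifest["version"], "sha256": manifest["sha256"]}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "bad manifest signature"
    if hashlib.sha256(blob).hexdigest() != manifest["sha256"]:
        return False, "artifact hash mismatch"
    return True, "ok"


def staged_rollout(blob, manifest, key, health_check, max_failure_rate=0.0) -> dict:
    """Deploy ring by ring; promote to the next ring only if this one stays healthy.

    health_check(ring, host_id, blob) -> bool stands in for "host came back up
    and reported healthy within the soak window".
    """
    ok, reason = verify_update(blob, manifest, key)
    if not ok:
        return {"status": "rejected", "reason": reason, "hosts_touched": 0}
    touched = 0
    for ring, size in RINGS:
        failures = sum(1 for h in range(size) if not health_check(ring, h, blob))
        touched += size
        if failures / size > max_failure_rate:
            return {"status": "halted", "ring": ring, "failures": failures,
                    "hosts_touched": touched}
    return {"status": "complete", "hosts_touched": touched}


# Constructed sample data (not a real artifact or key).
KEY = b"example-vendor-signing-key"
GOOD_BLOB = b"sensor-content-update v7.42 (constructed artifact)"
MANIFEST = build_manifest(GOOD_BLOB, "7.42", KEY)
TAMPERED_BLOB = GOOD_BLOB + b" trailing junk"


def healthy(ring, host, blob):
    """Every host comes back up after the update."""
    return True


def crashes_on_load(ring, host, blob):
    """Models an update that faults every host it lands on."""
    return False


if __name__ == "__main__":
    print(staged_rollout(TAMPERED_BLOB, MANIFEST, KEY, healthy))
    print(staged_rollout(GOOD_BLOB, MANIFEST, KEY, crashes_on_load))
    print(staged_rollout(GOOD_BLOB, MANIFEST, KEY, healthy))
```

Running it shows three outcomes: the tampered artifact is rejected before any host is touched, the crashing update is stopped after the five canary hosts, and the healthy update completes across all 2,055. In a real deployment the HMAC gives way to the vendor's actual signature check, and the health callback becomes whatever "host is back and healthy" means in your environment (a heartbeat reaching the SIEM, a PLC poll succeeding, an HMI answering), with a soak period before the next ring is released.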
Amid the many cyber threats emerging globally, policy and regulatory work aimed at fortifying defenses across sectors continued to evolve. Here are some developments that caught our eye.
In North America, the FERC/NERC CIP program for the electric sector, already one of the most mature compliance regimes, continues to add requirements. The NERC CIP work on Internal Network Security Monitoring (INSM) made significant progress: the new CIP-015-1 standard and its implementation plan passed the final ballot, were adopted by the NERC Board of Trustees in May, and were filed with the Federal Energy Regulatory Commission (FERC) in June. Filing does not by itself make the standard enforceable; that requires FERC approval, after which the implementation plan's compliance timeline starts. In September FERC issued a notice of proposed rulemaking to approve CIP-015-1 and proposed directing NERC to extend INSM beyond the electronic security perimeter to electronic and physical access control systems. In practice, INSM means collecting and analyzing east-west traffic inside the perimeter so that lateral movement between BES cyber assets is detected, not only traffic crossing the boundary.
Also in September, FERC proposed directing NERC to develop new or modified CIP supply chain risk management standards. The proposed changes would require entities to identify their current supply chain risks at specified intervals, assess and validate the accuracy of information received from vendors during procurement, and document, track, and respond to those risks. The Commission would also direct NERC to extend the supply chain standards to protected cyber assets (PCAs), which are currently outside their scope. At the time of this writing the proposal is open for comment; a final rule and NERC standards development would follow.
On the TSA side, the Transportation Security Administration recently proposed rules to mitigate cyber risk for certain surface transportation sectors, including pipeline and railroad owners and operators. The original pipeline Security Directive was issued in 2021 after the Colonial Pipeline incident, which caused fuel shortages across the southeastern United States, and was updated and reissued in 2023. The proposed rule would codify the pipeline security directive requirements in regulation and extend the cyber requirements more broadly across surface transportation, including rail.
For other sectors, as alluded to earlier, attention remains focused on strengthening security for water/wastewater and telecommunications. While official regulations have not yet been established, we will be watching for developments for these sectors and beyond.
In other parts of the world, members of the European Union (EU) were required this year to transpose NIS2 into national law. Member states were to adopt and publish the measures necessary to comply with the NIS2 directive by October 17. Only four of the 27 member states (Belgium, Croatia, Italy and Lithuania) fully met the deadline. As an EU directive, NIS2 sets the outcome and the deadline but leaves the means of implementation to each member state. On November 28, the European Commission opened infringement procedures against the remaining 23 member states, giving them two months to respond and complete transposition. The obligations still apply, but with national laws landing on different dates, entities operating across borders face a staggered enforcement picture.
Meanwhile, the EU Cyber Resilience Act (CRA), which raises cybersecurity requirements for digital products across Europe, entered into force on December 10, following its publication in the Official Journal of the European Union on November 20. That started the countdown on its phased obligations: vulnerability and incident reporting duties apply from September 2026 and the full requirements from December 2027. The legislation establishes cybersecurity requirements for products with digital elements, with a focus on connected devices, on the reasoning that a secure internet is 'indispensable' for the functioning of critical infrastructures and society as a whole. It requires that hardware and software be placed on the market with fewer vulnerabilities and that manufacturers address security throughout the product life cycle, including vulnerability handling and security updates. OT vendors selling connected products into the EU are in scope.
Separately, on December 2 the Council of the European Union adopted two further laws from the cybersecurity legislative package: the Cyber Solidarity Act and a targeted amendment to the Cybersecurity Act (CSA). Both aim to bolster the EU's solidarity and its ability to detect, prepare for, and respond to cybersecurity threats and incidents.
In Australia, on December 4 the government rolled out a Cyber Security Legislation Package to enhance the security and resilience of Australia's cyber environment and critical infrastructure. The Cyber Security Bill 2024, the centrepiece of the package, passed Parliament in late November, giving Australia its first standalone Cyber Security Act and a clear legislative framework. Additionally, the Cyber and Infrastructure Security Centre (CISC) announced on December 3 the designation of 46 additional critical infrastructure assets as Systems of National Significance, part of the government's ongoing effort to lift the cyber resilience of the nation's vital infrastructure. With this latest declaration, the total number of such systems now exceeds 200, spanning sectors including energy, communications, transport, financial services, food and grocery, and data storage or processing. Designation is not just a label: it allows the government to apply enhanced cyber security obligations under the SOCI Act, such as incident response planning, cyber exercises, vulnerability assessments and provision of system information, on top of the baseline obligations every responsible entity carries.
This year also marked the Australian deadline for adopting an approved cybersecurity framework. Responsible entities had until August 17 to develop, implement, manage, and maintain a cybersecurity framework under Section 8 of the Security of Critical Infrastructure (SOCI) CIRMP Rules, which list five designated frameworks: the AESCSF, ISO/IEC 27001, the NIST Cybersecurity Framework, the ACSC Essential Eight (Maturity Level One), and C2M2.
In the Middle East, Qatar's National Cyber Security Agency (NCSA) released recommendations for securing operational technology (OT) in the electricity and water sectors, based on the ISA/IEC 62443 series of industrial cybersecurity standards. The NCSA will work with the Qatar General Electricity and Water Corporation (Kahramaa) to implement them.
As we reflect on the numerous OT incidents and policy developments from around the world this year, this surely isn’t an exhaustive list. What did we miss? What notable OT events or policy changes have you been following? In this dynamic and evolving landscape, we’re proud to partner in securing OT environments and critical infrastructure. OT security requires teamwork, and together, we can build stronger, more secure systems. Let’s keep pushing forward with practical solutions that enhance our security posture.