Full Report
Claroty reported on Tuesday that threats to operational technology (OT) infrastructure within critical infrastructure installations are increasingly getting... The post Claroty exposes OT security crisis, reveals insecure Internet connections amid rising ransomware threats appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Escalating Threats and Exposure in Operational Technology (OT) Environments
## Executive Summary
Research conducted by Claroty's Team82 indicates a significant and escalating threat landscape targeting Operational Technology (OT) infrastructure across critical sectors, driven by sophisticated state actors and criminal organizations engaging in ransomware and espionage. The primary risk factor identified is the insecure, internet-facing exposure of OT assets, many of which contain Known Exploited Vulnerabilities (KEVs) or run on end-of-life systems. The reported progression suggests initial access via insecure connectivity, leading to lateral movement and potential real-world physical safety impacts, necessitating an immediate shift from traditional vulnerability management to a focused exposure management strategy.
## Incident Details
- **Discovery Date:** Tuesday (Date of Claroty Report Publication: 'State of CPS Security: OT Exposures 2025')
- **Incident Date:** Ongoing, representing the current state of observed threats.
- **Affected Organization:** Multiple organizations across critical infrastructure sectors analyzed (Manufacturing, Telecommunications, Internet Service Providers, Logistics, Transportation, Natural Resources).
- **Sector:** Critical Infrastructure, Manufacturing, Telecommunications, Energy (implied by power grid references).
- **Geography:** Primarily U.S. military and corporate networks targeted by Chinese adversaries; Ukraine's power grid targeted by Russian hackers; Israel/U.S. targets mentioned regarding Iranian activity.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing observation period covered by the 'OT Exposures 2025' report.
- **Vector:** Insecure connectivity practices, specifically OT devices being insecurely connected to the internet, and direct online connections without secure access technology.
- **Details:** Organizations demonstrate a pervasive lack of segmentation; 40% of studied organizations had assets insecurely connected to the internet.
### Lateral Movement
- **Date/Time:** Following initial foothold establishment.
- **Vector:** Exploitation of vulnerabilities or configuration weaknesses in engineering software, HMIs, or OT communication protocols.
- **Details:** Once an attacker gains a foothold via an exposed OT asset, the opportunity for lateral movement across both OT and enterprise networks exists.
### Data Exfiltration/Impact
- **Date/Time:** Post-lateral movement.
- **Vector:** Attacks leveraging KEVs linked to known ransomware samples, leading to operational disruption, potential sabotage, and data theft/extortion.
- **Details:** The ultimate impact is the risk to availability and safety in the physical world due to process sabotage capabilities.
### Detection & Response
- **Date/Time:** Continuous assessment by Team82.
- **Vector:** Discovery via analysis of nearly one million OT devices for exposures.
- **Details:** The research highlights that current security programs often stop at asset inventory, which does not inherently reduce risk. Response must focus on exposure management.
## Attack Methodology (Inferred from Threat Landscape Analysis)
| Category | Method Described |
| :--- | :--- |
| **Initial Access** | Insecure connectivity, direct internet exposure of OT devices. |
| **Persistence** | Not explicitly detailed, but likely achieved via compromised credentials or backdoors established through exploited vulnerabilities. |
| **Privilege Escalation** | Exploiting configuration weaknesses or vulnerabilities in engineering workstations/HMIs. |
| **Defense Evasion** | Implicitly leveraging inherent trust relationships within OT networks or deploying known malware/ransomware variants tied to KEVs. |
| **Credential Access** | Not explicitly detailed, but necessary for lateral movement once initial foothold is established. |
| **Discovery** | Reconnaissance on connected assets, identifying vulnerable HMIs, and protocol weaknesses. |
| **Lateral Movement** | Moving between OT and enterprise networks utilizing established footholds. |
| **Collection** | Gathering data relevant for extortion or intelligence purposes, potentially targeting data managed by engineering workstations. |
| **Exfiltration** | Implied in ransomware/extortion-based attacks targeting enterprises. |
| **Impact** | Sabotage of critical physical processes, causing operational downtime, potential personal injury, and financial damage via ransomware. |
## Impact Assessment
- **Financial:** High risk due to ransomware and extortion attacks; increased operational costs due to deployment of non-enterprise-grade security tools.
- **Data Breach:** Specific data types not detailed, but espionage objectives suggest sensitive corporate or operational data is targeted by state actors.
- **Operational:** Significant risk to availability and safety, particularly in sectors like manufacturing, where 96,000+ devices had confirmed KEVs, 68% linked to ransomware groups.
- **Reputational:** Risk associated with large-scale critical infrastructure disruption.
## Indicators of Compromise
*(Note: Since this is a summary of a threat landscape report rather than a single incident forensic analysis, specific IOCs are generalized based on findings.)*
- **Network Indicators:** OT assets communicating with malicious domains (12% of organizations showed this activity); no specific domains are listed in the source.
- **File Indicators:** Known ransomware samples linked to exploited OT vulnerabilities.
- **Behavioral Indicators:** Exploitation of KEVs on internet-facing OT assets; use of insecure protocols for device management.
## Response Actions
- **Containment:** Not explicitly detailed for a past incident, but the findings imply an immediate need to isolate internet-exposed OT assets.
- **Eradication:** Patching KEVs, remediating misconfigurations, and replacing end-of-life (EOL) operating systems/devices.
- **Recovery:** Re-establishing secure connectivity practices and validating the integrity of critical control processes.
## Lessons Learned
- **Key Takeaways:** The "mythical air-gap" is dangerously outdated; threat actors are aggressively weaponizing OT vulnerabilities. OT security cannot be treated as a "black box."
- **What could have been done better:** Organizations failed to move beyond basic asset inventory to a risk-prioritized exposure management approach. Over-reliance on non-enterprise-grade security products creates undue risk.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. **Adopt Exposure Management:** Shift focus from general vulnerability patching to prioritizing remediation based on exploitable exposure paths (scoping, prioritization, validation).
2. **Audit Connectivity:** Immediately identify and secure all OT devices connected to the internet or insecurely accessible from the enterprise network.
3. **Address EOL Systems:** Develop plans to replace or isolate systems running unsupported operating systems and devices.
4. **Improve Visibility & Tooling:** Retire non-enterprise-grade security products and implement robust data-driven asset inventory that supports vulnerability prioritization.