Cyber threats to industrial control systems - how can we defend ourselves?

A growing threat to industry

Ransomware attacks and other cyber threats have quickly gone from being a peripheral security concern to one of the biggest threats to industrial operations. With increasingly digitized and connected production, the attack surface has also increased, allowing cybercriminals to strike with devastating consequences. A successful attack can not only result in financial losses and production downtime - in some cases it can also compromise personal safety and critical infrastructure.

At Scanautomatic and Process Technology 2024, experts from Plantvision and Truesec gathered to discuss the changing threat landscape and how industry can strengthen its defenses. Josef Forsman, Consultant at Plantvision, spoke with Kevin Widlund, Lead OT Analyst at Truesec SOC, and Nicklas Keijser, Threat Research Analyst at Truesec, about how threat actors operate today and what companies need to do to protect themselves.

"It doesn't matter if you are a large or small company - everyone is a target today. We see daily how threat actors are looking for vulnerabilities to exploit," notes Nicklas Keijser.

How do cyber attacks happen? - organized crime

In the past, cyber attacks were often opportunistic and aimed at individuals through simple viruses or phishing emails. Today, it is organized crime with a clear division of labour, where different groups specialize in specific stages of an attack.

The attack is often launched by an Initial Access Broker - an actor whose only job is to find a way into the company's systems. This can be done through phishing (emails with malicious links or attachments), by exploiting vulnerable applications, or through remote access services with weak security settings. Once the intruders have a foot in the door, the access is resold on illegal marketplaces to other criminal actors, who carry out the actual attack.

"There is an illegal market where access to companies is sold. Cybercriminal groups operate as organized businesses, with some specializing in breaches, others in extortion and ransomware, and some solely in encryption and publishing stolen data," explains Kevin Widlund.

Once an attack starts, it can escalate quickly. Some advanced threat actors can encrypt an entire company's systems within a few hours of the initial breach.

The most common breaches - and how to protect yourself

Despite the growing threat landscape, many industrial companies still have a weak cybersecurity strategy. Some of the most common security gaps are:

  • Lack of segmentation between IT and OT - IT systems (administrative systems, email, cloud services) and OT systems (control and production systems) are often interconnected without clear separation. If an attacker gains access to the IT network, they can move laterally into sensitive OT systems and thus gain control over critical infrastructure.
  • Poor visibility and monitoring - Many businesses lack the tools to monitor network traffic and identify suspicious activity in real time.
  • Inadequate backups - Without a well-structured backup plan, a business cannot recover from an attack without paying the ransom.

Protecting yourself requires a multi-layered approach. The three main measures are:

  1. Monitoring and surveillance - By analyzing network traffic and detecting anomalies, threats can be identified and stopped before they cause damage.
  2. Exposure and vulnerability management - Businesses need to identify which systems and services are exposed to the internet and ensure that these are protected and updated.
  3. Backup and recovery - Having backups that are isolated from the rest of the network (air-gapped backups) is crucial to restore operations in the event of an attack.
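The first two measures above (monitoring the traffic that crosses the IT/OT boundary, and knowing which conversations are actually sanctioned) can be put together in a small checker. The following is an added example written for this page, not code from Plantvision or Truesec. Everything in it is an assumption made for illustration: the IT network is 10.10.0.0/16, the OT network is 192.168.100.0/24, the only approved IT-to-OT conversation is a historian (10.10.5.20) reading OPC UA (TCP/4840) from an OT data server (192.168.100.10), and the flow records are constructed sample lines in a minimal CSV format.

```python
"""
Flag IT-to-OT flows that are not on the segmentation allowlist.

Added example, not code from the original article. All addresses, ports
and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed).
IT_NET = ip_network("10.10.0.0/16")
OT_NET = ip_network("192.168.100.0/24")

# The only IT -> OT conversations the segmentation policy permits:
# (src, dst, proto, dport). Assumed: historian reading OPC UA from the OT data server.
ALLOWED_IT_TO_OT = {
    ("10.10.5.20", "192.168.100.10", "tcp", 4840),
}

# Destination ports on the OT side that deserve a higher severity when reached
# from IT: industrial protocols that should never originate in the office network,
# plus remote-access and file-sharing protocols ransomware crews commonly use.
HIGH_RISK_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    44818: "EtherNet/IP",
    3389: "RDP",
    445: "SMB",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,proto,dport' record (assumed flow export format)."""
    ts, src, dst, proto, dport = line.strip().split(",")
    return Flow(ts, src, dst, proto.lower(), int(dport))


def classify(flow: Flow):
    """Return None if the flow is acceptable, else (severity, reason)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Only flows that cross from the IT zone into the OT zone are of interest here.
    if not (src in IT_NET and dst in OT_NET):
        return None
    if (flow.src, flow.dst, flow.proto, flow.dport) in ALLOWED_IT_TO_OT:
        return None
    if flow.dport in HIGH_RISK_PORTS:
        return ("high", f"IT host reached OT {HIGH_RISK_PORTS[flow.dport]} service")
    return ("medium", "IT host reached OT host outside the allowlist")


def scan(lines):
    """Run the allowlist check over flow records; return (flow, severity, reason) alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None:
            alerts.append((flow, *verdict))
    return alerts


# Constructed sample flow records: one sanctioned historian read, an office
# workstation (10.10.22.41) probing the OT data server, a PLC and an engineering
# workstation, and two flows that never cross the boundary.
SAMPLE_FLOWS = """\
# ts,src,dst,proto,dport
2024-10-08T09:00:01,10.10.5.20,192.168.100.10,tcp,4840
2024-10-08T09:00:07,10.10.22.41,192.168.100.10,tcp,4840
2024-10-08T09:00:12,10.10.22.41,192.168.100.31,tcp,502
2024-10-08T09:00:20,10.10.22.41,192.168.100.50,tcp,3389
2024-10-08T09:01:03,192.168.100.31,192.168.100.10,tcp,4840
2024-10-08T09:01:10,10.10.7.8,10.10.5.20,tcp,443
"""

if __name__ == "__main__":
    for flow, sev, reason in scan(SAMPLE_FLOWS.splitlines()):
        print(f"[{sev.upper()}] {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

On the sample records the checker stays silent for the historian read and for the two flows that never leave their zone, and raises three alerts for the workstation: a medium one for reaching the OT data server outside the allowlist, and two high ones for Modbus/TCP to a PLC and RDP to an engineering workstation. In practice the allowlist is derived from the firewall policy between the zones, and the flow records come from the segmentation firewall or a network sensor on the OT side; the value of the check is that it turns "we have segmentation" into something that is verified continuously rather than assumed.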

"Having a strong security strategy is not just about technology - it's about creating awareness throughout the organization and implementing structured processes," says Widlund.

Do not pay the ransom

Once an attack has occurred, a business can find itself in a tight spot where the threat actor demands a ransom to decrypt its systems. Many companies consider paying to get their data back quickly, but this is rarely a sustainable solution.

"Our strong recommendation is never to pay the ransom. Partly because it encourages crime, but also because there are no guarantees that you will actually get your data back," says Keijser.

In many cases, data can be recovered by other means, and giving in to extortion only strengthens the threat actors' business model. In addition, companies that pay a ransom may become priority targets for future attacks.

The future of cyber threats - and how we face them

Cyber threats are evolving rapidly and attacks are becoming more sophisticated. At the same time, defenses are also improving, and businesses that take a proactive approach to cybersecurity can substantially reduce the risk of a breach.

One of the biggest challenges ahead is supply chain attacks, where attackers compromise a supplier or service provider in order to reach many of its customers through a single breach. It is therefore increasingly important to set clear security requirements for external partners and suppliers as well.

Industry also needs to get better at incident management: having a clear action plan for how to act if an attack occurs can be decisive in limiting the damage.

But the question remains: is your business ready to face the cyber threats of the future - or is it only a matter of time before you become the next target?
