Six reasons for successful APT attacks
by Tina Siering
Cyber attacks are a major problem for industrial companies in today's digital societies. In Germany alone, 203 billion euros in damage was caused to commercial enterprises last year. Even though APTs are far less numerous than classic cyber attacks, the expected damage per incident is usually much higher. In addition to the financial losses, companies have to deal in particular with reputational damage, leakage of trade secrets and, of course, the dangers of direct access to OT networks. In the following, we have compiled the most important reasons for successful APT attacks. Right at the top: the human factor.
Reason 1: Human error
Remote maintenance programmes are used in industrial companies to simplify communication between employees and contractors. TeamViewer and AnyDesk, for example, simplify processes by providing direct access to OT networks. The problem: most of these programmes are only intended for temporary use, and are forgotten afterwards. Without reliable security concepts such as the Zero Trust approach, forgotten remote maintenance access is a welcome invitation for cyber criminals, and is readily exploited accordingly.
Reason 2: Non-isolated OT networks
In many industrial companies, there is no separation between IT and OT networks. Production machines or workstations that are integrated into OT networks are connected to both networks. Cyber criminals exploit this negligence to infiltrate malware into networks that are considered isolated, and thus secure from a corporate security perspective, and to control the malware's traffic there.
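The two conditions just described, forgotten remote maintenance tools (Reason 1) and hosts that bridge IT and OT (Reason 2), can be checked against a host inventory. The following is an added example, not secion's code; the address ranges, the 30-day idle threshold and the sample hosts are assumptions constructed for the illustration.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed network plan: which address ranges belong to IT and which to OT.
IT_NETS = [ip_network("10.10.0.0/16")]
OT_NETS = [ip_network("192.168.100.0/24")]
# Remote maintenance tools to flag; matched case-insensitively by name.
REMOTE_TOOLS = {"teamviewer", "anydesk"}
STALE_DAYS = 30  # assumption: access unused this long counts as forgotten


def zones(addresses):
    """Return the set of zones ('IT', 'OT') that a host's addresses fall into."""
    found = set()
    for addr in addresses:
        ip = ip_address(addr)
        if any(ip in net for net in IT_NETS):
            found.add("IT")
        if any(ip in net for net in OT_NETS):
            found.add("OT")
    return found


def audit(inventory, today):
    """Return (hostname, finding) tuples for dual-homed hosts and stale remote access."""
    findings = []
    for host in inventory:
        if zones(host["addresses"]) == {"IT", "OT"}:
            findings.append((host["name"], "dual-homed: bridges IT and OT"))
        for tool in host["software"]:
            if tool["name"].lower() in REMOTE_TOOLS:
                idle = (today - tool["last_used"]).days
                if idle > STALE_DAYS:
                    msg = f"stale remote access: {tool['name']} unused {idle} days"
                    findings.append((host["name"], msg))
    return findings


# Constructed sample inventory (not real hosts or addresses).
SAMPLE = [
    {"name": "hmi-01", "addresses": ["192.168.100.12"],
     "software": [{"name": "AnyDesk", "last_used": date(2023, 1, 5)}]},
    {"name": "eng-ws-07", "addresses": ["10.10.4.21", "192.168.100.40"],
     "software": [{"name": "TeamViewer", "last_used": date(2023, 3, 28)}]},
    {"name": "office-22", "addresses": ["10.10.7.3"], "software": []},
]


def sample_findings():
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit(SAMPLE, date(2023, 4, 1))


if __name__ == "__main__":
    for host, finding in sample_findings():
        print(f"{host}: {finding}")
```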
Reason 3: Insufficiently protected OT resources
Outdated signature databases, deactivated security components, missing licence keys: APT actors know very well that security solutions, especially in the area of operational technology, are often maintained far too carelessly. If the security net is full of holes, professional cyber criminals in particular have an easy time evading detection.
Reason 4: No cyber security for endpoints
Even more fatal than poorly maintained cyber security protection is no security protection at all. In many OT networks, endpoints are not integrated into the company's security concept at all. This stems from the assumption that OT networks are safe from attacks if they are not connected to the internet or are completely separated from other networks. What companies do not take into account: cyber criminals can still gain access, for example through social engineering and USB sticks plugged into the machines' removable drives.
Reason 5: Poorly configured security solutions
For a security solution to work, it must be configured correctly. This is the only way to reliably prevent APT actors from abusing the security solutions themselves. What not all companies are aware of: many security solutions store network information that can be exploited by cyber criminals to move laterally and invisibly through the network or to penetrate other parts of the system. APT actors are increasingly attacking the management servers of security solutions in order to achieve a wide variety of goals.
Reason 6: Industrial control systems
While updates and patches can be applied quickly, easily and "on the side" on normal workstation computers, in the industrial environment even small security updates must be tested extensively before installation. In some cases, an update requires subsequent adjustments to the specialised software in use, which can be really expensive. The result is sporadic updates in fixed time windows during scheduled maintenance work, and outdated industrial control systems. If systems connected to the internet, which would be comparatively easy to update, remain unpatched for long periods of time, the entire OT sector becomes vulnerable, especially to highly professional APT threat actors.
Conclusion: Most important protective measures
Although APTs are undoubtedly among the most dangerous threats to industrial companies, the level of protection can be effectively raised by taking a few measures. Among the most important is the separation of the deployed OT systems and critical infrastructures from the corporate network. If this is not possible or desired, unauthorised connections of any kind should be closed immediately (keyword: Zero Trust). In order to uncover weaknesses in the security solutions in use, we recommend conducting regular security audits, both of the IT networks and of the OT systems. Any technical security solution is only as good as the human cyber security teams that monitor the technical measures. With dedicated training courses, employees can be prepared for the new cyber threats in OT networks on the one hand, and on the other hand IT security teams and OT engineers are enabled to implement well-founded and thus effective measures to defend against APTs.
If you would like to learn more about the solutions secion offers in the area of OT security for companies, or if you would like to develop concrete measures to defend against APTs together with our experts, please contact us!