IBM X-Force has analyzed data from its incident response and managed security services (MSS) and has provided valuable insights into the rapidly expanding operational technology (OT) cyber threat landscape. This year, cybersecurity agencies have issued multiple alerts about threats to OT and the potential for attacks on critical infrastructure, new malware threats have been identified that target OT, and many new vulnerabilities have been discovered.
The manufacturing industry was the most targeted sector in 2021, and that trend has continued in 2022, with manufacturing accounting for 23% of all cases and 65% of cases at OT-related industries. Electric utilities placed second out of all OT-heavy industries (13%), followed by oil and gas (8%).
According to the report, the majority of incidents IBM X-Force responded to in 2021 stemmed from phishing emails that deliver malware, with Emotet the main malware threat, followed by remote access Trojans and ransomware. That trend has continued in 2022, with 78% of the incidents so far this year involving phishing as the initial infection vector. Defending against phishing attacks requires a defense-in-depth approach that should include spam filters/email security solutions, email sandboxing, multifactor authentication, allowlisting/Attack Surface Reduction rules, and regular security awareness training for the workforce.
In H1 2022, malspam was involved in 44% of engagements, with Emotet the most common malware threat. 19% of malspam incidents involved remote access Trojans and 19% involved ransomware; 6% of attacks involved business email compromise (BEC), and a further 6% involved server access attacks.
11% of attacks in 2021 involved the exploitation of vulnerabilities. “Proactively identifying and managing the external attack surface of IT and OT networks is essential to understanding what ports, services, and applications may be exposed to attackers externally and may require further hardening, patching, or isolation,” suggests IBM X-Force. Patching can be difficult in OT environments, as it typically requires downtime that can be challenging to schedule. Given that difficulty, it is important to ensure that OT systems are not exposed to the Internet and that OT networks are separated from IT networks, to prevent threat actors from pivoting from IT to OT networks in the event of a successful attack.
11% of incidents involved removable media as the initial access vector, especially flash drives. Flash drives can easily transfer malware to OT networks, so the use of these devices should be prohibited and autorun should be disabled. IBM says the use of personal laptops in the field is a security risk: USB devices are used to transfer data from laptops to operator workstations, and those devices can easily be infected with malware. IBM says 57% of alerts generated in monitored OT environments came from outdated TLS 1.0 encryption, and 2% of all OT alerts came from attempted brute force attacks.
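As an added illustration of the two alert classes cited above (legacy TLS and brute-force login attempts), here is a small Python detector that is not from the IBM report or this article: it runs over a constructed sample of OT monitoring alerts, flags handshakes that negotiated a version below TLS 1.2, and flags any source with repeated failed logins inside a short window. The log format, field names, and the five-failures-per-minute threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of OT monitoring alerts (not real data).
SAMPLE_ALERTS = """\
2022-05-02T08:00:01 src=10.10.1.5 dst=10.10.2.20 event=tls_handshake version=TLSv1.0
2022-05-02T08:00:04 src=10.10.1.6 dst=10.10.2.20 event=tls_handshake version=TLSv1.2
2022-05-02T08:00:09 src=10.10.1.5 dst=10.10.2.21 event=tls_handshake version=TLSv1.0
2022-05-02T08:01:00 src=192.168.50.9 dst=10.10.2.30 event=login_failed user=operator
2022-05-02T08:01:02 src=192.168.50.9 dst=10.10.2.30 event=login_failed user=admin
2022-05-02T08:01:03 src=192.168.50.9 dst=10.10.2.30 event=login_failed user=root
2022-05-02T08:01:05 src=192.168.50.9 dst=10.10.2.30 event=login_failed user=plc
2022-05-02T08:01:06 src=192.168.50.9 dst=10.10.2.30 event=login_failed user=hmi
2022-05-02T08:15:00 src=10.10.1.7 dst=10.10.2.30 event=login_failed user=operator
"""

def parse_alert(line):
    # 'timestamp key=value ...' -> dict, with the timestamp parsed under 'ts'.
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {**fields, "ts": datetime.fromisoformat(ts)}

def tls_version(alert):
    return tuple(int(x) for x in alert["version"].lstrip("TLSv").split("."))

def legacy_tls_alerts(alerts, minimum=(1, 2)):
    # Handshakes that negotiated a TLS version below `minimum` (TLS 1.2 by default).
    return [a for a in alerts if a.get("event") == "tls_handshake" and tls_version(a) < minimum]

def brute_force_sources(alerts, threshold=5, window=timedelta(minutes=1)):
    # Flag a source once `threshold` failed logins fall inside one sliding `window`.
    failures = {}
    for a in alerts:
        if a.get("event") == "login_failed":
            failures.setdefault(a["src"], []).append(a["ts"])
    offenders = set()
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders.add(src)
                break
    return offenders

def summarize(raw=SAMPLE_ALERTS):
    # Share of alerts caused by legacy TLS, plus any brute-force sources found.
    alerts = [parse_alert(l) for l in raw.splitlines() if l.strip()]
    legacy = legacy_tls_alerts(alerts)
    return {"total": len(alerts), "legacy_tls": len(legacy),
            "legacy_tls_share": round(100 * len(legacy) / len(alerts), 1),
            "brute_force_sources": sorted(brute_force_sources(alerts))}
```

Raising `minimum` to `(1, 3)` or lowering `threshold` shows how the same alert stream reads under a stricter policy.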
“The threat to OT permeates across a nation’s entire economy and infrastructure. Organizations across all verticals must take full responsibility for protecting their own assets and consumers,” explained IBM X-Force. “The best way to keep adversaries out of an ICS is to implement simple safeguards, best practices, and risk management solutions.”