Hackers Could Exploit Inherent Vulnerabilities in OT Systems, Dutch NCSC Warns
Critical services in the Netherlands could be a potential target of ransomware and hacktivist attackers with ties to Russia as a means to sow large-scale disruptions in the country, according to a Dutch National Cyber Security Centre warning this week.
Although the Russian invasion of Ukraine did not immediately result in the high level of attacks that had been anticipated, the Dutch NCSC said the country continues to witness a high volume of attacks compared to previous years.
These attacks include an influx of ransomware, hacktivist and espionage activities from groups with political affiliations to Russia. Though these incidents have not led to major disruptions, the agency warned the Netherlands is likely to face a “dynamic, complex and broader threat,” especially against critical infrastructure in the coming years.
The country’s operational technology networks, including industrial automation and control systems, are particularly at risk because they tend to be “insecure by design,” the agency warned.
Information on vulnerabilities affecting OT systems is limited, and organizations are looking at huge costs to replace older OT systems. Organizations also are challenged with patching new software over concerns that the patches could disrupt the interoperability of the operating systems. These reasons are why this sector is so vulnerable to hackers, the agency warned.
“OT has become increasingly intertwined with IT in recent years,” the agency observed. “This offers attackers more opportunities to gain access to an OT network via compromised IT systems, increases the attack surface and offers attackers more opportunities to compromise other operational systems.”
The agency added that the proliferation of the cyber-crime-as-a-service model could make it easier for hackers, including ransomware operators, to adopt more wiper malware variants such as Industroyer 2 and PipeDream to target OT networks in the Netherlands.
Such a scenario would be challenging to the nation as it lacks adequate insight into the risks posed by hackers. The problem could be compounded by the unwillingness of insurers to cover cyber incidents.
“Cyber security insurance in the Netherlands is limited in size and is in its infancy,” the agency noted. “Exclusion from the damage of many types of cyber incidents can ultimately lead to financially healthy organizations succumbing to the damage they suffer from cyber incidents.”
To reduce risk, the agency urged organizations to improve digital resilience through network segmentation and to perform vulnerability management as recommended in the Dutch Cyber Security Strategy 2022-2028 and in the proposed European Cyber Resilience Act.