Connect with us

Hi, what are you looking for?



The Impact of Recycling on Industrial Cyber Security

In the decade since the Stuxnet worm was discovered, multiple attacks that have been launched against operational technology (OT) networks including Shamoon, Havex, Wannycry, and Lockergoga. Looking back, a disturbing trend has emerged. Industrial attacks are being recycled.

In the decade since the Stuxnet worm was discovered, multiple attacks that have been launched against operational technology (OT) networks including Shamoon, Havex, Wannycry, and Lockergoga. Looking back, a disturbing trend has emerged. Industrial attacks are being recycled.

Consider LockerGoga, which crippled Norsk Hydro, one of the largest aluminum manufacturers in the world, in March of 2019.  Like Stuxnet, this incident was a watershed moment in OT security because it not only impacted OT operations by taking aluminum production offline, but it also impacted IT security. For the first time, an attack moved laterally between once air-gapped IT and OT networks. 

More concerning however is how industrial malware is being recycled. LockerGoga made global headlines in March, but it was neither the first nor the last time the malware was used to attack industrial organizations. In fact, LockerGoga first surfaced in January 2019 when it compromised Altran Technologies, a global industrial engineering consulting company located in France. The company shut down its IT network and all applications to protect the infection from spreading to the networks of its industrial clients.

LockerGoga then hit Norsk, and shortly thereafter impacted chemical companies Hexion and Momentive among others. This is perhaps the most well publicized incident of a recycled attack, but it is certainly not the only example. Wannacry, Petya and Shamoon were all attacks which made multiple appearances either in their original form or as a variant of the original.  

The writing is on the wall, OT security threats are following the familiar path taken by IT attacks which recycle existing malware code. In fact, security firm RiskSense recently released a report that found the top enterprise ransomware families used the same 15 vulnerabilities to target companies. 

Since OT is facing the same security challenges as IT, the same best practices apply with an ICS twist. Here are the top four.

1. VISIBILITY – Remediating a new vulnerability is impossible without knowing the model numbers, patch levels or firmware versions of the devices in the network. Deploying a continuously updated inventory management system will pinpoint devices that are at risk. 

2. PRIORITIZATION – Due to non-stop production requirements, scheduling downtime to apply necessary patches and updates in OT environments is much more challenging than in IT networks. Having the ability to actively query individual devices at a very granular level including serial number, patch level, firmware version, etc. takes the guesswork (and potential errors) out of remediation processes. With this knowledge, updates can be performed in much shorter windows and will ensure all affected devices are covered. 

Advertisement. Scroll to continue reading.

3. OT SPECIFIC THREAT INTEL – Despite the advancing level of convergence between IT and OT, there are still distinct differences between the signatures for each environment. Live update options now exist for OT malware signatures and should be considered. The sooner vulnerabilities are addressed, the smaller the window of compromise. 

4. REMOTE SECURITY – Many large organizations with distributed environments may be unwilling or unable to deploy  OT security at all their remote locations. Similarly, small and medium sized industrial companies may not have the resources or inclination to protect their operations because they consider themselves a “small target”. New cloud-based Industrial Cyber Security as a Service (ICSaaS) alternatives have emerged that can secure these remote locations without deploying on-premises hardware or personnel. 

Recycled cyber attacks may be a fairly new development in ICS security, but they have been a staple in IT environments for years. While many of the same measures used for protecting against them in IT apply in OT networks, there are differences. Using ICS specific tools for visibility, prioritization, threat intelligence and remote security will ensure OT environments are resilient to attacks regardless of whether they originate on the industrial network or migrate laterally from the IT side of the house.

Related: Learn More About the Impact of Recycled Cyber Attacks on Industrial Environments at SecurityWeek’s ICS Cyber Security Conference. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.