As a SANS Certified Instructor working in the ICS and OT Security fields, I've made three predictions for what I think we could see in EMEA as we head into the new year.
Ransomware targeting ICS/OT environments
I expect to see more ransomware targeting ICS/OT environments, whether unintentionally or intentionally. Operational Technology (OT) is where companies make their money, and some ransomware gangs (e.g. LockBit) have recently been very vocal about trying to increase their revenue. In addition, as digitization of industrial environments increases, ICS/OT networks will become far more accessible, both by design and by accident, leading to more frequent ransomware infections even where the adversary did not intend to hit OT.
State-backed, targeted intrusions and attacks against critical infrastructure
Along with more ransomware, expect to see more state-backed, targeted intrusions and attacks against critical infrastructure. The recent SektorCERT report from Denmark shows very clearly what a dedicated, state-backed/sponsored attacker can accomplish. Northern European countries are, from my experience, much better prepared to deal with these types of attacks than most other European countries. Every country in Europe and beyond should study this report closely and treat it as a case study of how state-level adversaries are demonstrating and advancing their capabilities, “preparing the battlefield,” and executing attacks quickly - potentially with physical effects, if they get the order.
Commoditization of ICS/OT technology
Commoditization of ICS/OT technology and increasing digitization on the one hand, and increased use of sophisticated toolkits by adversaries on the other, will lower the bar for attacking a wide swath of industrial processes across many industry verticals. What Dragos designated PIPEDREAM in 2022 is a good case study of where we might be headed: toolkits available to state-backed adversaries that do not require much training or knowledge of specific industrial environments and processes to achieve low- to medium-level effects. And "effects" does not mean that a bunch of computers go down while the environment is otherwise unharmed. By "effects" against industrial environments I mean disruption, degradation, or even outright destruction of industrial equipment down to the physical level, with potentially very harmful consequences for industrial processes should they go out of control. This is what state-backed adversaries in particular are after. It is probably too early for these toolkits to proliferate to criminal groups, but this is what we have to start preparing for while there is still time.