The Red Flags of Network Anomalies

A new report showcases the leading areas of OT and IIoT concern.

The latest Nozomi Networks Labs OT & IoT Security Report finds that network anomalies and attacks were the most prevalent threat to OT and IoT environments. Vulnerabilities within critical manufacturing also surged 230 percent, as threat actors have far more opportunities to access networks and cause these anomalies.  

Unique telemetry from Nozomi Networks Labs, collected from OT and IoT environments covering a variety of use cases and industries across 25 countries, finds network anomalies and attacks represented the most significant portion (38 percent) of threats during the second half of 2023. The most concerning of these network anomalies, which can indicate highly sophisticated threat actors being involved, increased 19 percent over the previous reporting period.

“Network scans” topped the list of Network Anomalies and Attacks alerts, followed closely by “TCP flood” attacks, which send large volumes of traffic at a system to bring it down or make it inaccessible. “TCP flood” and “anomalous packets” alert types rose sharply in both total alerts and averages per customer over the last six months, increasing more than 2x and 6x respectively.

Alerts on access control and authorization threats jumped 123 percent over the previous reporting period. In this category, “multiple unsuccessful logins” and “brute force attack” alerts increased 71 percent and 14 percent respectively. This trend highlights the continued pressure from unauthorized access attempts, showing that challenges with identity and access management in OT, and with user passwords more broadly, persist.

Below is the list of top critical threat activity seen in real-world environments over the last six months:

  • Network Anomalies and Attacks – 38 percent of all alerts
  • Authentication and Password Issues – 19 percent of all alerts
  • Access Control and Authorization problems – 10 percent of all alerts
  • Operational Technology (OT) Specific Threats – seven percent of all alerts
  • Suspicious or Unexpected Network Behavior – six percent of all alerts

With this spike in network anomalies top of mind, Nozomi Networks Labs has detailed the industries that should be on highest alert. Manufacturing topped the list, with the number of Common Vulnerabilities and Exposures (CVEs) rising 230 percent over the previous reporting period. Manufacturing, Energy and Water/Wastewater remained the most vulnerable industries for a third consecutive reporting period – though the total number of vulnerabilities reported in the Energy sector dropped 46 percent and Water/Wastewater vulnerabilities dropped 16 percent.

Nozomi Networks Labs also analyzed a wealth of data on malicious activities against IoT devices, revealing several notable trends for these industries to consider. According to the findings, malicious IoT botnets remain active this year, and botnets continue to use default credentials in attempts to access IoT devices. From July through December 2023, Nozomi Networks honeypots found:

  • An average of 712 unique attacks daily (a 12 percent decline in the daily average we saw in the previous reporting period) – the highest attack day hit 1,860 on October 6.
  • Top attacker IP addresses were associated with China, the United States, South Korea, India and Brazil.
  • Brute-force attempts remain a popular technique to gain system access – default credentials remain one of the main ways threat actors gain access to IoT.
  • Remote Code Execution (RCE) also remains a popular technique – frequently used in targeted attacks, as well as in the propagation of various types of malicious software.
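The “multiple unsuccessful logins” and “brute force attack” alert types counted above, together with the default-credential attempts seen in the honeypots, can be reproduced with a small sliding-window detector. The following is an added example written for this page, not code from Nozomi Networks or the report; the log format, thresholds and the list of default account names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the syslog-like format is an assumption, not a real device's.
SAMPLE_LOG = """\
2023-10-06T10:00:01Z plc-01 sshd: Failed password for admin from 203.0.113.5
2023-10-06T10:00:03Z plc-01 sshd: Failed password for admin from 203.0.113.5
2023-10-06T10:00:04Z plc-01 sshd: Failed password for root from 203.0.113.5
2023-10-06T10:00:06Z plc-01 sshd: Failed password for admin from 203.0.113.5
2023-10-06T10:00:07Z plc-01 sshd: Failed password for support from 203.0.113.5
2023-10-06T10:00:09Z plc-01 sshd: Accepted password for admin from 203.0.113.5
2023-10-06T10:05:00Z plc-01 sshd: Failed password for operator from 198.51.100.7
2023-10-06T10:20:00Z plc-01 sshd: Failed password for operator from 198.51.100.7
"""

# Account names commonly shipped as factory defaults on embedded devices (assumed list).
DEFAULT_ACCOUNTS = {"admin", "root", "support", "user", "guest"}
FAIL_THRESHOLD = 4              # failed logins from one source inside WINDOW raise an alert
WINDOW = timedelta(seconds=60)

def parse(line):
    """Split one constructed log line into (timestamp, host, result, user, source_ip)."""
    ts, host, _svc, result, _pw, _for, user, _from, src = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, result, user, src

def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert}. A burst of failures from one source inside the sliding
    window is a brute-force alert; a later accepted login from a flagged source marks it
    as a likely compromise, and any default account names tried are recorded."""
    recent = defaultdict(list)  # src -> [(ts, user)] failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ts, host, result, user, src = parse(line)
        if result == "Failed":
            # drop failures older than the window, then add the new one
            recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window] + [(ts, user)]
            if len(recent[src]) >= threshold:
                a = alerts.setdefault(src, {"host": host, "users": set(), "compromised": False})
                a["users"].update(u for _, u in recent[src])
        elif result == "Accepted" and src in alerts:
            alerts[src]["compromised"] = True  # brute force followed by a successful login
    for a in alerts.values():
        a["default_accounts"] = sorted(a["users"] & DEFAULT_ACCOUNTS)
    return alerts

if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG).items():
        print(src, alert)
```

The slow source (two failures fifteen minutes apart) stays below the window and is not flagged, which is the trade-off any threshold-based rule makes against low-and-slow guessing.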