We present our eyesight of what challenges industrial cybersecurity will soon be( or already is) facing, and what to expect from cybercriminals in 2021.

Random infections

Infections will tend to be less random or have non-random follow-ups, as cybercriminals have invested the past several years profiling arbitrarily infected computers that are connected to industrial networks or have periodic access to them. Access to such computers will be — and is perhaps already being — resold to more sophisticated groups with specific strategies for monetizing strikes on industrial facilities already in place. For several years, various groups have specialized in attacks against industrial enterprises with the express aim to steal money — through BEC schemes or advanced hackers to gain access to victims’ financial and accounting systems. Through years of criminal operations, they have come to understand the business processes of industrial enterprises and gained access to a large amount of technical information about network assets and operational technologies. We is expecting new and unconventional scenarios of onslaughts on OT/ ICS and field devices, coupled with ingenious monetization schemes. Cybercriminals have had more than enough time and opportunities to develop them. End of support for Windows 7 and Windows Server 2008, which are popular in ICS around the world, and, especially, the leak of the source code of Windows XP, which is still very common on industrial networks, pose a significant threat to the security of industrial enterprises. There is a high chance that a WannaCry-like scenario will be repeated in the near future. And industrial enterprises may be among the hardest hit.

Ransomware attacks

Ransomware is becoming more technically advanced and sophisticated. Cybercriminals will continue to employ hacker and APT techniques, painstakingly exploring and probing the network of the target organization to locate the most valuable/ vulnerable systems, hijack administrator reports, and launching simultaneous blitz attempts applying standard admin tools. Cybercriminals have developed a fondness for industrial companies, because they tend to pay ransom. This means that the attacks will continue. There will be hybrid attacks involving document steal with the threat to publish the documents or sell them on the darknet in case of refusal to pay up. The ideas implemented in Snake for ransomware attacks targeting OT/ ICS will gain traction. It is highly probable that we will see attacks disguised as ransomware but pursuing completely different goals — a repeat of the ExPetr technique.


Cybercriminals will figure out( some already have) that inside the OT perimeter secrets are not guarded as well as in office networks and that OT networks may be even easier to break into, since they have their own perimeter and attempt surface. The flat network topology and other access control issues in OT networks can attain them an attractive entering phase into the intimate recess of the corporate network and a springboard into other related organizations and facilities. The longing of many countries for technological independence, alongside with global geopolitical and macroeconomic upheaval, means that attack targets will include not only traditional antagonists, but likewise tactical and strategic partners — menaces can come from any guidance. We have already seen examples of such attacks.


The number of APT groups will continue to grow — we will see more and more new performers, including ones that attempt various industrial sectors. The activity of these groups will correlate with local conflicts, including those under the hot phase, with cyberattacks on industrial enterprises and other facilities used as a warfare tool, alongside drones and media-driven misinformation. In addition to data theft and other piecemeal functionings, some group is likely to get down to more serious business in 2021, perhaps in the vein of Stuxnet, Black Energy, Industroyer and Triton.

COVID outcomes

Against the backdrop of economic refuse, lockdowns, slower growth and ruin for small and medium-sized companies, the ranks of cybercriminals are sure to swell as skilled people seek alternative employment, and groups associated with national governments will strengthen as well. The online existence of municipal services and utilities and the increased digitization of government and public services will build them more vulnerable to attacks of cybercriminals and make more opportunities for cross-agency strikes and assaults on central and local government functions and the systems that support and implement them. For example, a threat actor could use a governmental or municipal web service as an entering phase, compromise the victim’s internal infrastructure and use the communication channels and supply chain connecting various governmental, municipal and even private organizations to reach their final target( such as shutting down transportation systems ). Restrictions on on-site work, which prevented new equipment from being installed and configured, have slowed down the efforts of many industrial enterprises to beef up their perimeter security. Together with the increasing number and variety of remote sessions, you are able to even reduce the different levels of perimeter the protection offered by industrial networks. This being the case, the safety of industrial facilities will largely depend on the performance of endpoint answers and the security awareness of employees. At the same time, cyberattacks aimed at industrial companies are maturing. As a outcome, despite the currently observed drop in assaults on OT/ ICS computers, the number of serious incidents is not going to decrease. The reduction in on-site personnel who are able to promptly transfer systems and installings to manual control in the event of a successful cyberattack on the industrial network is contributing to the wider spread of malware and lead to more severe consequences.

Read more: securelist.com