Mining, Quarrying, Oil & Gas Extraction + Utilities

Summary

Breaches are composed of a variety of actions, but Social attacks such as Phishing and Pretexting dominate incident data (no confirmation of data disclosure). Cyber-Espionage-motivated attacks and incidents involving OT assets are also concerns for these industries.

Frequency 

194 incidents, 43 with confirmed data disclosure

Top Patterns 

Everything Else, Web Applications and Cyber-Espionage represent 74% of breaches.

Threat Actors

External (75%), Internal (28%), Multiple (2%) (breaches)

Actor Motives

Financial (63%—95%), Espionage (8%—43%), Convenience/Other/Secondary (0%—17% each), Fear/Fun/Grudge/Ideology (0%—9% each) (breaches)

Data Compromised 

Credentials (41%), Personal (41%), Other (35%), Internal (19%) (breaches)

Top Controls 

Secure Configurations (CSC 5, CSC 11), Boundary Defense (CSC 12), Implement a Security Awareness and Training Program (CSC 17)

Data Analysis Notes

Actor motives are represented by percentage ranges, as only 21 breaches had a known motive.

It’s an NAICS mashup

This new section combines the Mining, Quarrying, and Oil and Gas Extraction (NAICS 21) with the Utilities (NAICS 22) industries for a joint view of the incidents and breaches that affected them. We really dug deep, but we were unable to strike oil for an exclusive section for NAICS 21 on this year’s report. (There must be a minimum number of incidents for the statistics to be valid.) However, we believe that this blended section with NAICS 22 will be an electrifying read and hopefully not too dry.

If you review Figure 80, you can see that while Everything Else, Web Applications and Cyber-Espionage seem to be the top three patterns in breaches, it is statistically impossible to tell which one is more prevalent—they simply overlap too much. It’s exciting to have such a diversity of breaches in a brand-new industry section, but it also makes it difficult to focus on precise recommendations beyond “Note to all CISOs: Secure all the things!”.

Even so, it is important to point out that the Everything Else pattern, both in incidents and breaches, is dominated by Phishing with mostly financial gain as a motive, including pretexting attacks that were clearly FMSEs.

If I closed my eyes, was it still a breach?

Since the Everything Else pattern is the largest for incidents (cases in which there was potential data disclosure but it was not confirmed), special attention is needed here. There were about as many incidents with potential data disclosure as there were confirmed breaches in these industries. This is especially concerning for a vertical with a broad range of possible percentages for Espionage- motivated breaches (between 8% and 43%), while in all incidents it accounts for 10% of the motives.

Wrapping up the top patterns, Web Applications is filled with the Use of stolen creds that were gathered by Phishing. Meanwhile, Miscellaneous Errors favors Misconfiguration and Publishing Errors, both action varieties that can be mitigated with stronger processes and personnel training.

Unpatched vulnerabilities in your web application infrastructure may lead to them being found by someone with a set of tools to exploit them in an automated fashion. Keeping your infrastructure patches up to date is certainly a security best practice. In looking at our non-incident data surrounding time to patch (Figure 81), we found the Utilities sector had a better-than-average score. This is good news because our research has found that the patches that do not get applied within the first quarter of being released frequently don’t get applied at all. This gives the adversaries time to build tools that will make it easy even for a novice to attack the infrastructure that remains vulnerable. 

Also, as these industries have become a focus of our reporting, we have added OT-specific fields to track incidents involving OT equipment in the latest version of VERIS. The total number of cases we have for this year are few, but they are mainly concerned with this sector along with Manufacturing (NAICS 31—33).