Cyberattacks against industrial computers
Which industry has to contend with the most cyberattacks in the age of Industry 4.0? Kaspersky Lab registered a particularly high number of cyberattacks against the energy and mechanical engineering sectors.

The current Kaspersky ICS CERT report on cyber threats to industrial automation systems [1] analyzes attacks targeting such systems, specifically industrial control system (ICS) computers. In their latest analysis, the experts of the ICS CERT [2] highlight current cyber threats and trends for industrial systems.
Energy before mechanical engineering
For example, 38.7% of analyzed ICS computers in the energy sector and 35.3% of industrial computers in the engineering and ICS integration sectors were attacked by malware at least once in the second half of 2017.
The construction industry recorded the highest increase compared to the first half of the year. Here, 31.1% of all ICS computers were affected by an attack. Automation is still a new area for this industry and cybersecurity is thus not yet given the attention it deserves. In other industries such as food, education, healthcare, telecommunications, industrial holdings, utilities, and manufacturing, the percentage was just under 30% [3]. A large majority of the attacks can be considered random hits.
The power industry is a pioneer in the widespread use of automation solutions, and is one of the industries with the highest use of computers. Modern power grids are among the most extensive systems of interconnected industrial facilities with many computers that are also relatively vulnerable. Cybersecurity incidents in recent years, as well as tighter regulations, are forcing power and energy companies to adapt the cybersecurity of their Operational Technology (OT) systems. Other serious problems in recent years have been caused by suppliers.
"The results of our investigation of attacked ICS computers from various industries surprised us. For example, the large percentage of attacked ICS computers at companies in the power and energy industries shows that their efforts to cybersecure their automation systems are not enough after some serious incidents. There are still numerous loopholes open for cyber attackers," says Evgeny Goncharov, head of ICS CERT.
Crypto-malware arrived at industrial computers
ICS computers have also seen an increase in attacks by crypto-mining malware since September 2017. The experts attribute this to the general hype around Bitcoin and Co. Once malicious activity that secretly mines digital currencies on computers in an industrial environment reaches a certain volume, it has a negative impact on the performance and stability of ICS computers. From February 2017 to January 2018, mining malware attacked 3.3% of all industrial automation computers. In most cases, the attacks were purely random.
More figures from the current report:
- The Internet remains the main source of ICS infections with 22.7%. Attacks increased by 2.3 percent compared to the first half of 2017.
- The number of malware modifications found on ICS machines in the second half of the year increased from 18,000 to over 18,900.
- In 2017, 10.8% of all ICS computers were attacked by botnet agents. The attacks took place via the Internet, but also via removable media and emails.
- Kaspersky ICS CERT experts found 63 vulnerabilities in industrial and IoT systems in 2017, of which 26 were fixed by manufacturers.
"In general, we have seen a slight decrease in ICS attacks compared to 2016 - probably a sign that companies are paying more attention to ICS cybersecurity, for example, through employee training and audits (reviews) of the industrial segments of their networks. This is a good sign, because it is of utmost importance for companies to proactively take measures that can prevent future cyber incidents," Goncharov said.
Protection recommendations
- Regularly update the operating system, application software and security solutions on all systems that are part of the company's industrial network.
- Restrict network traffic over ports and protocols on edge routers and within the OT network.
- Audit access controls to ICS components in the company's industrial network, including at its boundaries.
- Deploy endpoint security solutions for ICS servers, workstations, and HMIs to protect OT and industrial infrastructure from random cyberattacks.
- Deploy solutions to monitor network traffic and analyze and detect targeted attacks.
Source: Kaspersky Lab