As the technology and corporate networks of industrial enterprises become increasingly integrated, more and more cybercriminals are turning their attention to industrial enterprises as potential targets. By exploiting vulnerabilities in the networks and software used by these enterprises, attackers could steal information related to the production process or even bring down manufacturing operations. That is according to IT security product company Kaspersky Lab’s report “Threat Landscape for Industrial Automation Systems. The second half of 2016.” The top three sources of infection were the internet, removable storage devices, and malicious e-mail attachments and scripts embedded in the body of e-mails.
In the second half of 2016 malware downloads and access to phishing web-pages were blocked on over 22 per cent of industrial computers. This means that almost every fifth machine at least once faced the risk of infection or credential compromise via the Internet.
The desktop computers of engineers and operators working directly with ICS (industrial control systems) do not usually have direct access to the internet due to the limitations of their network. However, there are other users that have simultaneous access to the internet and ICS. According to Kaspersky Lab, these computers – presumably used by system and network administrators, developers and integrators of industrial automation systems and third party contractors who connect to networks directly or remotely – can freely connect to the internet because they are not tied to only one industrial network with its inherent limitations.
The danger of infected removable storage devices was another threat spotted by the company’s researchers. During the period of research, 10.9 per cent of computers with ICS software installed (or connected to those that have this software) showed traces of malware when a removable device was connected to them.
Malicious e-mail attachments and scripts embedded in the body of e-mails were blocked on 8.1 per cent of industrial computers, taking third place. In most cases, attackers use phishing e-mails to attract the user’s attention and disguise malicious files. Malware was most often distributed in the format of office documents such as MS Office and PDF files. Using various techniques, the criminals made sure that people downloaded and ran malware on the industrial organisation’s computers.
According to Kaspersky Lab, malware, which poses a significant threat to companies around the world, is also dangerous to industrial enterprises. This includes spyware, backdoors, keyloggers, financial malware, ransomware, and wipers. These can completely paralyse the organisation’s control over its ICS or can be used for targeted attacks respectively. The latter is possible because of inherent functions that provide an attacker with lots of possibilities for remote control.
Evgeny Goncharov, Head of Critical Infrastructure Defense Department, Kaspersky Lab said: “Our analysis shows us that blind faith in technology networks’ isolation from the Internet doesn’t work anymore. The rise of cyberthreats to critical infrastructure indicates that ICS should be properly secured from malware both inside and outside the perimeter. It is also important to note that according to our observations, the attacks almost always start with the weakest link in any protection – people.”
Comment
Edgard Capdevielle – CEO of Nozomi Networks said: “Kaspersky’s research is further evidence that ICS networks today face all the same security use cases as any enterprise. From malicious insiders, cyber espionage, ransomware etc, but unfortunately many lack similar security options.
“The issue is that security in control systems today is bolted on rather than designed in. These cumbersome and often manual configurations don’t naturally fit with the complexity of industrial installations that were never designed to be connected to the outside world, nor fall within the skill set of industrial engineers who find themselves tasked with managing them. We need to rethink security so it’s designed in from the outset, so as new technology is implemented in ICS and SCADA infrastructure it is secure and as new threats – such as ransomware, emerge they are thwarted. But that will take time.
“How fast ICS teams can detect and remediate a situation could mean the difference between a small incident or one that potentially has a severe impact on millions.
“While there’s no easy answer, there is some good news in that innovations – such as machine learning and Artificial Intelligence enhanced cyber-attack detection, can help companies leverage technologies to gain efficiencies in their industrial process cybersecurity programs, as well as speeding the investigation of incidents to contain attacks before significant damage can occur.”
