Industrial networks of energy and ICS integration companies hit by more cyberattacks than any other industry

Almost 40% of all industrial control systems (ICS) in energy organizations protected by Kaspersky Lab solutions were attacked by malware at least once during the last six months of 2017, closely followed by 35.3% of engineering & ICS integration networks. That’s one of the key findings of the latest report from Kaspersky Lab, ‘Threat Landscape for Industrial Automation Systems in H2 2017’, which found thatthe number of attacks on these two sectors noticeably exceeds those on other industries. Other sectors experiencedan average of between 26% and 30% of ICS computers attacked. The vast majority of detected attacks were accidental hits.

The cybersecurity of industrial facilitiesremains an issue that can lead to very serious consequencesaffecting industrial processes, as well as businesses losses. While analyzing the threat landscape in different industries,Kaspersky Lab ICS CERTrecorded that nearly all industries regularly experience cyberattackson their ICS computers.

However, two industries wereattacked more than others- energy organizations (38.7%) and engineering & ICS integration businesses (35.3%). The sector that demonstrated the most noticeable growth of ICS computers attacked during H2 2017 (compared to H1 2017) wasconstruction,with31.1%. For all other industries in question (manufacturing, transportation, utilities, food, healthcare etc.) the proportion of attacked computers ranged from 26% to 30% on average.

According to experts, the energy sector was one of the first industries thatstarted to widely use various automation solutions and is now one of the most computerized. Cybersecurity incidents and targeted attacksover the past couple of years, along with regulatory initiativesmake a strong case for the power and energy companies to start adopting cybersecurity products and measures for their operational technology (OT) systems.

Moreover, the modern power grid is one of the most extensive systemsof interconnected industrial objects,with a large number of computers connected to the network and a relatively high degree of exposure to cyberthreats, as demonstrated by Kaspersky Lab ICS CERT statistics. In turn, the high percentage of attacked ICS computers in engineering and ICS Integration businesses is another serious problem given the fact that the supply chain attack vector has been used in some devastating attacks in recent years.

The relatively high percentage of attacked ICS computers inthe construction industry compared to H1 2017 could indicate that these organizations are not necessarily mature enough to pay the required attention to the protection of industrial computers. Their computerized automation systems might be relatively new and an industrial cyber security culture is still to be developed in these organizations.

The lowest percentage of ICS attacks has been found in enterprises specializing in developing ICS software – 14.7%, meaning that their ICS research / development laboratories, testing platforms, demo stands and training environment are also being attacked by malicious software, although not as often as the ICScomputers of industrial enterprises.Kaspersky Lab ICS CERT experts point to the significance of ICS vendors’ security, because the consequences of an attack spreading over the vendor’s partner ecosystem and customer base could be very dramatic, as was seen during the exPetr malware epidemic, for instance.

Percentage of ICS computers attacked in different industries*, H1 vs H2 2017

Among the new trends of 2017, Kaspersky Lab ICS CERTresearchers have discovered a rise inmining attacks on ICS. This growth trend began in September, along with an increase inthe cryptocurrency market and miners in general. But in the case of industrial enterprises, this type of attack can pose a greater threat by creating a significant load on computers and, as a result, negatively affecting the operation of the enterprise’s ICS components and threatening their stability. Overall,during the period from February 2017 to January 2018, cryptocurrency mining programs attacked 3.3% of industrial automation system computers, in most cases accidentally.

Other highlights from the report include:

• Kaspersky Lab products blocked attempted infections on 8%of ICS computers protected by them. This is1.4 percentage points less than in the second half of 2016.
• The internet remains the main source of infection with 7% of ICS computers attacked. Thisis 2.3% higher than in the first six months of the year. The percentage of blocked web-borne attacks InEurope andNorth America is substantially lower than elsewhere.
• The top five countries by percentage of ICS computers attacked has remained unchanged since H1 2017 and includes Vietnam (69.6%), Algeria (66.2%), Morocco (60.4%), Indonesia (60.1%), and China (59.5%).
• In the second half of 2017, the number of different malware modifications detected by Kaspersky Lab solutions installed on industrial automation systems increased from 18 thousand to over 9 thousand.
• In 2017, 8% of all ICS systems were attacked by botnet agents, a malware that secretly infects machines and includes them in a botnet network for remote command execution; the main sources of attacks like this were the internet, removable media and email messages.
• In 2017,Kaspersky Lab ICS CERT identified 63 vulnerabilities in industrial systems and IIoT/IoT systems, and 26 of them have been fixed by vendors.

“The resultsof our research intoattacked ICS computers in various industrieshave surprised us. For example, the high percentage of ICS computers attacked in power andenergy companiesdemonstrated that the enterprises’ effort to ensure cybersecurity of their automation systems after some serious incidents in the industry is not enough, and there are multipleloopholes still therethatcybercriminals can use,” said Evgeny Goncharov, Head of Kaspersky Lab ICS CERT.

“Overall, in comparison with 2016 we have seen a slight decline in the number of ICS attacks. Thisprobably indicatesthat, generally, enterprises have startedto pay a bit more attention to ICS cybersecurityissues, and are auditing the industrial segments of their networks, trainingemployees, etc. It is a good sign, because it’s highly important for businessesto take proactive measures in order to avoid firefighting in future,” he adds.