Cyber attacks targeting industrial control systems on the rise

Malicious cyber activity increased to almost half of the industrial infrastructure protected by Kaspersky Lab in 2018, but the UK is among the most secure countries, the security firm reports

Malicious activity targeting industrial control systems (ICS) affected 47.2% of computers protected by security firm Kaspersky Lab in 2018, up from 44% in 2017.

This increase indicates the cyber threat against computers defined as part of organisations’ industrial infrastructure is rising, according to the latest Threat landscape for industrial automation systems report by Kaspersky Lab’s ICS computer emergency response team (Cert).

The Cert is aimed at coordinating the efforts of automation system suppliers, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyber attacks.

Malicious cyber activities on ICS computers are considered an “extremely dangerous threat”, the company said, because they could potentially cause material losses and production downtime in the operation of industrial facilities, which can include systems that form part of countries’ critical national infrastructure.

The financial impact of the recent ransomware attack affecting industrial systems at Norwegian aluminium producer Norsk Hydro could be up to nearly $41m, according to preliminary estimates.

The top three countries in terms of the percentage of ICS computers on which Kaspersky Lab prevented malicious activity were Vietnam (70%), Algeria (69.9%) and Tunisia (64.5%).

The most secure countries in the ranking are Ireland (11.7%), Switzerland (14.9%), Denmark (15.2%), Hong Kong (15.3%), the UK (15.7%) and the Netherlands (15.7%).

“Despite the common myth, the main source of threat to industrial computers is not a targeted attack, but mass-distributed malware that gets into industrial systems by accident, over the internet, through removable media such as USB-sticks or e-mails,” said Kirill Kruglov, security researcher at Kaspersky Lab ICS Cert.

“However, the fact that the attacks are successful because of a casual attitude to cyber security hygiene among employees means they can potentially be prevented by staff training and awareness – this is much easier than trying to stop determined threat actors,” he said.

In August 2018, researchers at security firm Cybereason concluded there was a distinct set of cyber attackers who specialise in targeting ICS computers, based on a study that analysed the data collected in a honeypot that was designed to look like a power transmission sub-station of an electricity supplier.

The attackers who accessed the honeypot appeared to have been specifically targeting the ICS environment from the moment they got in, the researchers said, demonstrating non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment.

Accessing the OT environment is the ultimate goal of these specialised attackers, the researchers said, because these systems operate the pumps, monitors, breakers and other hardware found in utility providers that could be used to control or disrupt services.

Kaspersky Lab ICS Cert recommends

  • Regularly updating operating systems and application software on systems that are part of the enterprise’s industrial network.
  • Applying security fixes to PLC (programmable logic controller), RTU (remote terminal unit) and network equipment used in ICS networks where applicable.
  • Restricting network traffic on ports and protocols used on edge routers and inside the organisation’s OT (operational technology) networks.
  • Auditing access control for ICS components in the enterprise’s industrial network and at its boundaries.
  • Deploying dedicated endpoint protection systems on ICS servers, workstations and HMIs (human-machine interfaces).
  • Ensuring security systems are up-to-date and that systems to defend against targeted attacks are in place and enabled.
  • Providing dedicated training and support for employees as well as partners and suppliers with access to the organisation’s network.
  • Using ICS network traffic monitoring, analysis and detection systems to protect against attacks that could threaten the technological process and the enterprise’s main assets.
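
The following is an added illustration, not code from the article, Kaspersky Lab or the ICS Cert, of how the port/protocol restriction and traffic-monitoring recommendations above can be expressed as a simple policy check. The OT address range, the allowlist and the flow records are all constructed for the example; a real deployment would use the site's own network plan and a flow source such as NetFlow or span-port capture.

```python
"""Minimal OT boundary policy check (added example, constructed data).

Two of the recommendations above are: restrict the ports and protocols that
may cross into the OT network, and monitor ICS traffic for anything outside
that expectation. This script models the boundary as an allowlist of
(protocol, destination port) pairs and reports every flow that does not fit.
"""
import ipaddress
from dataclasses import dataclass

# Assumed OT segment for this example; replace with the real address plan.
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# Traffic that is expected to enter the OT segment from the IT side.
# Modbus/TCP (502) and DNP3 (20000) are the registered ports for those
# protocols; the NTP entry stands for an internal time source.
ALLOWED_INTO_OT = {
    ("tcp", 502),     # Modbus/TCP from the SCADA server
    ("tcp", 20000),   # DNP3 from the SCADA server
    ("udp", 123),     # NTP from the internal time source
}

# OT hosts are expected to talk only to each other; any outbound connection
# to a non-OT address is reported for review.
ALLOWED_OUT_OF_OT = set()


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed for the example)."""
    src: str
    dst: str
    proto: str
    dport: int


def is_ot(addr: str) -> bool:
    return ipaddress.ip_address(addr) in OT_NET


def check_flow(flow: Flow, allowed_in=ALLOWED_INTO_OT,
               allowed_out=ALLOWED_OUT_OF_OT):
    """Return a reason string if the flow breaks the boundary policy, else None.

    Traffic wholly inside OT or wholly outside OT is not this check's concern.
    """
    key = (flow.proto.lower(), flow.dport)
    src_ot, dst_ot = is_ot(flow.src), is_ot(flow.dst)
    if dst_ot and not src_ot and key not in allowed_in:
        return f"unexpected {key[0]}/{key[1]} into OT from {flow.src} to {flow.dst}"
    if src_ot and not dst_ot and key not in allowed_out:
        return f"OT host {flow.src} initiating {key[0]}/{key[1]} to {flow.dst}"
    return None


def audit(flows):
    """Return [(flow, reason)] for every flow that violates the policy."""
    findings = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample flows: an IT host (10.1.x.x) polling OT controllers
# plus a few that a boundary filter and monitor should catch.
SAMPLE_FLOWS = [
    Flow("10.1.5.10", "10.20.1.5", "tcp", 502),      # Modbus poll: allowed
    Flow("10.1.5.10", "10.20.1.6", "udp", 123),      # NTP: allowed
    Flow("10.1.5.10", "10.20.1.5", "tcp", 445),      # SMB into OT: flagged
    Flow("10.1.5.22", "10.20.1.7", "tcp", 3389),     # RDP into OT: flagged
    Flow("10.20.1.5", "10.20.1.9", "tcp", 502),      # intra-OT: not checked
    Flow("10.20.1.5", "198.51.100.7", "tcp", 443),   # OT host outbound: flagged
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"ALERT {reason}")
```

Run stand-alone, the script prints three alerts: the SMB and RDP flows into the OT segment, and the OT host opening an outbound connection to an external address. The same allowlist doubles as the rule set for the edge router or firewall; the monitoring side is there to catch what the filter misses or what changes after it is configured.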