Kaspersky solutions were triggered on 41.6 percent of industrial control system (ICS) computers in the energy sector globally in the first six months of 2019. This was followed by automotive manufacturing (39.3 percent) and building automation (37.8 percent). These are among the main findings of the Kaspersky ICS CERT report on the industrial threat landscape in the first half of 2019.
Industrial cyber incidents are among the most dangerous as they may result in production downtime and tangible financial losses and are quite hard to overcome. This is especially the case when the incident occurs in critical, life-supporting sectors, such as energy.
Among the malicious programs which were blocked, the greatest danger was posed by cryptocurrency miners (2.9 percent), worms (7.1 percent), and a variety of versatile spyware (3.7 percent). Infection with such malware can negatively affect the availability and integrity of ICS and other systems that are part of the industrial network.
Other findings of the report include:
- On average, ICS computers do not operate entirely inside a security perimeter typical of corporate environments, and are, to a large extent, protected from many threats, using their own measures and tools. In other words, tasks related to protecting the corporate segment and the ICS segment are to some extent unrelated.
- In general, the level of malicious activity inside the ICS segment is connected with the ‘background’ malware activity in the country.
- On average, in countries where the situation with the security of the ICS segment is positive, the low levels of attacked ICS computers are attributable to protection measures and tools that are used rather than a generally low background level of malicious activity.
- Self-propagating malicious programs are very active in some countries. In the cases analysed, these were worms (malicious Worm class objects) designed to infect removable media (USB flash drives, removable hard drives, mobile phones, etc.). Infection by worms via removable media appears to be the most common scenario that ICS computers are exposed to.
Kaspersky ICS CERT recommends implementing the following technical measures:
- Regularly update operating systems, application software and security solutions on systems that are part of the enterprise’s industrial network.
- Restrict network traffic on ports and protocols used on edge routers and inside the organisation's OT networks.
- Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.
- Provide dedicated regular training and support for employees as well as partners and suppliers with access to your OT/ICS network.
- Deploy dedicated endpoint protection solutions on ICS servers, workstations and HMIs to secure OT and industrial infrastructure from indiscriminate (non-targeted) cyberattacks, and network traffic monitoring, analysis and detection solutions for better protection from targeted attacks.
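The two recommendations on restricting traffic by port and protocol and on auditing access at the ICS boundary can be checked rather than only stated. The script below is an added example, not code from Kaspersky ICS CERT or the report: it takes flow records from an IT/OT boundary (a constructed, simplified `src dst proto dport` format), maps addresses to zones, and reports every flow that is not on an explicit allowlist, so that the default-deny posture can be verified against what is actually on the wire. The zone address ranges, the allowed protocol set (Modbus/TCP 502, S7comm on TCP 102, EtherNet/IP on TCP 44818) and the sample flows are all assumptions made for this example.

```python
"""Added example: audit IT/OT boundary flows against a default-deny allowlist.

Not from the Kaspersky ICS CERT report; addresses, protocols and log format
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed network zones (constructed addressing).
ZONES = {
    "corporate": ip_network("10.1.0.0/16"),
    "engineering": ip_network("10.2.0.0/24"),
    "ics": ip_network("192.168.100.0/24"),
}

# Allowlist of (src_zone, dst_zone, proto, dst_port). Anything not listed is a
# violation of the restriction policy, including traffic that leaves all zones.
ALLOWED = {
    ("engineering", "ics", "tcp", 502),    # Modbus/TCP from engineering workstations
    ("engineering", "ics", "tcp", 102),    # Siemens S7comm (ISO-TSAP)
    ("ics", "ics", "tcp", 502),            # Modbus/TCP between ICS hosts
    ("ics", "ics", "tcp", 44818),          # EtherNet/IP explicit messaging
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; addresses outside every zone are 'external'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed record '<src> <dst> <proto> <dport>'; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    try:
        ip_address(parts[0])
        ip_address(parts[1])
    except ValueError:
        return None
    return Flow(parts[0], parts[1], parts[2].lower(), int(parts[3]))


def check_flow(flow: Flow) -> Optional[str]:
    """Return None if the flow is permitted, otherwise the reason it is denied."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
    if key in ALLOWED:
        return None
    src_zone, dst_zone, proto, port = key
    return f"{src_zone}->{dst_zone} {proto}/{port} not in allowlist"


def audit(lines: List[str]) -> Tuple[List[Tuple[Flow, str]], int]:
    """Audit flow records; return (violations, number of unparseable records)."""
    violations: List[Tuple[Flow, str]] = []
    unparsed = 0
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow is None:
            unparsed += 1          # malformed records are counted, never silently dropped
            continue
        reason = check_flow(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations, unparsed


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """
# src dst proto dport
10.2.0.10 192.168.100.5 tcp 502
10.1.5.20 192.168.100.5 tcp 502
10.2.0.10 192.168.100.7 tcp 3389
192.168.100.5 192.168.100.6 tcp 502
192.168.100.9 8.8.8.8 udp 53
192.168.100.9 192.168.100.6 tcp
"""

if __name__ == "__main__":
    found, bad = audit(SAMPLE_FLOWS.splitlines())
    for flow, reason in found:
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print(f"{len(found)} violation(s), {bad} unparseable record(s)")
```

On the sample records this flags the corporate workstation reaching a controller on Modbus/TCP, RDP from engineering into the ICS segment, and an ICS host talking to an external DNS server, while counting the truncated last record separately so a parsing failure is not mistaken for a clean result.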