Malicious cyber activities on Industrial Control System (ICS) computers are considered an extremely dangerous threat as they could potentially cause material losses and production downtime in the operation of industrial facilities.

[Figure: Attack workflow]

In 2018, the share of ICS computers that experienced such activities grew to 47.2 percent from 44 percent in 2017, indicating that the threat is rising.

According to the new Kaspersky Lab ICS CERT report, the top three countries in terms of the percentage of ICS computers on which Kaspersky Lab prevented malicious activity were the following: Vietnam (70.09%), Algeria (69.91%), and Tunisia (64.57%). The least impacted nations were Ireland (11.7%), Switzerland (14.9%), and Denmark (15.2%).

“Despite the common myth, the main source of threat to industrial computers is not a targeted attack, but mass-distributed malware that gets into industrial systems by accident, over the internet, through removable media such as USB-sticks, or emails,” said Kirill Kruglov, security researcher at Kaspersky Lab ICS CERT.

“However, the fact that the attacks are successful because of a casual attitude to cybersecurity hygiene among employees means that they can potentially be prevented by staff training and awareness – this is much easier than trying to stop determined threat actors.”

Kaspersky Lab ICS CERT recommends implementing the following technical measures:

Regularly update operating systems and application software on systems that are part of the enterprise’s industrial network.

Apply security fixes to PLC, RTU and network equipment used in ICS networks where applicable.

Restrict network traffic on ports and protocols used on edge routers and inside the organization’s OT networks.

Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.

Deploy dedicated endpoint protection solutions on ICS servers, workstations and HMIs.

Make sure security solutions are up-to-date and all the technologies recommended by the security solution vendor to protect from targeted attacks are enabled.

Provide dedicated training and support for employees as well as partners and suppliers with access to your network.

Use ICS network traffic monitoring, analysis and detection solutions for better protection from attacks potentially threatening the technological process and main enterprise assets.

[Figure: Possible initial infection paths]

“The Kaspersky report shows a continued interest in industrial targets, and shows that attacks on small cloud vendors are pivoting into large enterprise targets. As the Industrial Internet of Things (IIoT) gathers momentum, we are predicting that these two trends will converge – that compromised IIoT cloud providers will provide a new way to pivot into industrial systems,” Andrew Ginter, VP Industrial Security, Waterfall Security Solutions, told Help Net Security.