In a press release earlier today (4 Oct), Kaspersky released the findings of its ‘Industrial Control Systems Cyber Emergency Response Team (ICS CERT)’ report on the industrial threat landscape for the first half of 2019, which reveals that almost half of industrial control system (ICS) computers in the energy sector globally have been under cyberthreat.
The top three cyberthreats were worms, spyware, and cryptocurrency miners – together, they combined to make almost 14% of the share of targeted computers.
The report noted that industrial cyber incidents are among the most dangerous as they may result in production downtime and tangible financial losses and are quite hard to overcome. This is especially the case when the incident occurs in critical, life-supporting sectors, such as energy.
Statistics for H1 2019, automatically processed by Kaspersky security technologies, have shown that those who manage energy solutions should not let their guard down. Overall, during the observed period of time, Kaspersky products were triggered on 41.6% of ICS computers in the energy sector. A large number of conventional malware samples – not designed for ICS – were blocked.
Among the malicious programs which were blocked, the greatest danger was posed by cryptocurrency miners (2.9%), worms (7.1%), and a variety of versatile spyware (3.7%). Infection with such malware can negatively affect the availability and integrity of ICS and other systems that are part of the industrial network. Among these detected threats, some are of particular interest.
This includes ‘AgentTesla’, specialized Trojan Spy malware, designed to steal authentication data, screenshots, and data captured from the web camera and keyboard. In all of the analysed cases, the attackers sent data via compromised mailboxes at various companies.
Aside from malware threat, Kaspersky products also identified and blocked cases of the ‘Meterpreter backdoor’ which was being used to remotely control computers on the industrial networks of energy systems. Attacks that use the backdoor are targeted and stealthy and are often conducted in manual mode. The ability of the attackers to control infected ICS computers stealthily and remotely poses a huge threat to industrial systems.
Additionally, the company’s solutions detected and blocked ‘Syswin’, a new wiper worm written in Python and packed into the Windows executable format. This threat can have a significant impact on ICS computers due to its ability to self-propagate and destroy data.
What’s more, the energy sector was not the only one to face malicious objects and activities. Other industries, analysed by Kaspersky experts, have also shown no reason for relief with automotive manufacturing (39.3%) and building automation (37.8%) taking the second and the third places in terms of percentage of the number of ICS computers on which malicious objects were blocked.
“The collected statistics, as well as analysis into industrial cyberthreats, are a proven asset for assessing current trends and predicting what type of danger we should all prepare for,” said Kirill Kruglov, security researcher at Kaspersky.
“This report has identified that security experts should be particularly cautious about malicious software that aims to steal data, spy on critically important objects, penetrate the perimeter and destroy the data. All of these types of incident could cause lots of trouble for industry,” he added.
Hence, Kaspersky ICS CERT recommends implementing the following technical measures:
- Regularly update operating systems, application software and security solutions on systems that are part of the enterprise’s industrial network.
- Restrict network traffic on ports and protocols used on edge routers and inside the organisation’s OT networks.
- Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.
- Provide dedicated regular training and support for employees as well as partners and suppliers with access to your OT/ICS network.
- Deploy dedicated endpoint protection solution such as Kaspersky Industrial CyberSecurity on ICS servers, workstations and HMIs to secure OT and industrial infrastructure from random cyberattacks; and network traffic monitoring, analysis and detection solutions for better protection from targeted attacks.