What is the threat landscape for the ICS sector in 2020?

Pierluigi Paganini March 22, 2021

The Kaspersky ICS CERT published a report that provided details about the threat landscape for computers in the ICS engineering and integration sector in 2020.


The experts gathered data on the cyberthreats that were blocked on computers used to manage industrial control equipment and on threats targeting software used in the ICS engineering and integration industry, including human-machine interface (HMI), OPC gateway, engineering, control, and data acquisition software.

“A key aspect in which the ICS engineering sector is different from other industries is that an ICS engineering computer often has direct and indirect connections to various industrial control systems, some of which may even belong to other industrial enterprises. And while an ICS engineering computer has more access rights and fewer restrictions (such as application control, device control, etc.) than the average ICS computer, it also has a wider attack surface.” reads the report published by Kaspersky.

In H2 2020, 39.3% of computers in the ICS engineering and integration sector protected by Kaspersky were targeted by malware, an increase compared with H1 2020 (31.5%). Within the ICS engineering sector, building automation, automotive manufacturing, energy, and oil & gas were the industries that suffered the largest increases.

Experts pointed out that the threat landscape for computers in the ICS engineering and integration sector varies depending on multiple factors, including the geographical location, the ability to access external networks and services, and user behavior.

Latin America, the Middle East, Asia and North America were the regions with the highest number of infection attempts blocked by the security solutions in H2 2020. By contrast, the number of blocked malware attacks in Africa, Russia and Europe decreased in H2 2020 compared to H1 2020.


The highest percentage increase in H2 2020 (22.8%) was observed in North America, where the majority of the attacks observed by the experts involved cryptocurrency miners. The region with the second-highest increase was the Middle East, due to an outbreak of Fast-Load AutoLISP modules that spread within infected AutoCAD projects and of other self-propagating worms that spread via USB.

European ICS engineering organizations were mainly targeted by phishing campaigns attempting to deliver spyware and cryptominers.

Experts reported that the majority of computers in the ICS engineering sector are desktop systems, but that laptops are more exposed to attacks via the internet, removable media devices, and email.

Computers that use VPN software are less exposed to online threats, but unfortunately, they represent only 15% of the total.

“From time to time, the various viruses and worms that have been spreading for a decade between computers in ICS environments via USB devices or network folders hit the computers of ICS engineers. Such threats were blocked more often on computers with VPN software.” continues the report.

Computers with remote access software (64.6% of the total) are less exposed to internet threats, especially when VPN software is used, but these systems are exposed to attacks leveraging network services, such as SMB, MS SQL and RDP.

“The majority of these attacks are due to worm outbreaks in a subnet (physical or virtual). Those worms use Mimikatz and spread over the network by abusing stolen credentials, exploiting an RCE vulnerability or by successfully running brute-force attacks on a network service.” states the report.

The report also provides the following recommendations to protect ICS systems:

  • Ensure that ICS engineering computers and especially laptops are well protected from network attacks, web-based threats and phishing campaigns, including targeted attacks. To achieve this, consider using modern threat detection technologies – both at the network perimeter and on all endpoints inside and outside the perimeter.
  • Install all OS and application software updates in a timely fashion, with particular emphasis on security updates, or apply workaround protection measures when installing updates is not an option.
  • Regularly train employees to recognize suspicious behavior by a computer or application, as well as fraudulent emails and instant messages.
  • If possible, restrict the use of any unnecessary but dangerous and/or vulnerable software that widens the attack surface, including remote access software, office solutions, PowerShell, Windows Script Host, etc.
  • Monitor the execution of files in the organization and use application control with Default Deny to limit the use of applications to only those apps that are allowed. 
  • Restrict the use of USB devices to only those that are trusted and encrypted. The implementation of such restrictions should be monitored. Many modern host protection tools include the necessary functionality.
  • Use different accounts for different users. Manage the rights of user and service accounts in such a way as to prevent an infection from spreading across the enterprise if an account is compromised. Log and monitor the use of administrator functions.
  • Restrict the rights of users on their systems, as well as corporate service access rights, leaving the minimal set of rights required for specific employees to perform their work.
  • Maximize granular access control. Limit the use of privileged accounts. When possible, admins should use accounts with local administration privileges or with administration rights to specific services and avoid using accounts with domain administration rights.
  • Audit the use of privileged accounts and regularly review access rights.
  • Use group policies that require users to change their passwords on a regular basis. Introduce password strength requirements.
  • Configure the OS to always show file extensions for all file types in order to see files with double extensions (a tactic used to trick users).
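Several of the items above are host settings that can be verified rather than assumed. The following PowerShell script is an added example, not code from the Kaspersky report or from Security Affairs: it audits a Windows ICS engineering workstation for four of the recommendations (file extensions shown, Windows Script Host disabled, PowerShell execution policy restricted, local Administrators membership kept small). The registry paths and cmdlets are standard Windows ones; the "pass" thresholds (which execution policies count as restricted, how many local admins are acceptable) are assumptions chosen for the example and should be adjusted to the organization's own policy.

```powershell
# Added example (not from the report): audit one Windows host against a subset of
# the hardening checklist above and print a pass/fail table.
# Requires Windows PowerShell 5.1 or later for Get-LocalGroupMember.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the setting is unconfigured,
    # which the checks below treat as a failure rather than a pass.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Registry-backed checks: standard Windows locations, hardened expected values.
$registryChecks = @(
    @{
        Name     = 'Explorer shows all file extensions (HideFileExt = 0)'
        Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
        Value    = 'HideFileExt'
        Expected = 0
    },
    @{
        Name     = 'Windows Script Host disabled machine-wide (Enabled = 0)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
        Value    = 'Enabled'
        Expected = 0
    }
)

$results = @(foreach ($check in $registryChecks) {
    $actual = Get-RegistryValueOrNull -Path $check.Path -Name $check.Value
    [pscustomobject]@{
        Check  = $check.Name
        Actual = if ($null -eq $actual) { '(not set)' } else { $actual }
        Pass   = ($actual -eq $check.Expected)
    }
})

# PowerShell execution policy: the checklist asks to restrict scripting hosts, so
# anything looser than Restricted or AllSigned is reported as a failure (assumed threshold).
$policy = "$(Get-ExecutionPolicy -Scope LocalMachine)"
$results += [pscustomobject]@{
    Check  = 'PowerShell execution policy is Restricted or AllSigned'
    Actual = $policy
    Pass   = (@('Restricted', 'AllSigned') -contains $policy)
}

# Privileged accounts: list local Administrators so each member can be justified or removed.
# The maximum of two members (built-in Administrator plus one managed admin) is an assumption.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)
$results += [pscustomobject]@{
    Check  = 'Local Administrators group has at most 2 members'
    Actual = ($admins -join ', ')
    Pass   = ($admins.Count -le 2)
}

$results | Format-Table -AutoSize
```

Run it as a user with rights to read HKLM and the local group; the HKCU check reflects the profile the script runs under, so on a shared engineering workstation it should be run per user or pointed at each user hive. A failure on any row is a finding to fix via group policy rather than by editing the registry by hand.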

The full report is available here.
