Two in five industrial computers faced cyberattacks in second half of 2016

14th April 2017 By: Schalk Burger - Creamer Media Senior Deputy Editor

An average of two in five computers related to the technological infrastructure of industrial enterprises were exposed to malicious software and targeted cyberattacks in the second half of 2016, says cybersecurity multinational Kaspersky Lab head of the Critical Infrastructure Defence Department Evgeny Goncharov.

Every fourth targeted attack detected by the company in 2016 was aimed at industrial targets and the frequency increased to almost 40% during the second half of the year. The top three sources of infection were the Internet, removable storage devices, and malicious email attachments and scripts embedded in the body of emails.

“By exploiting vulnerabilities in the networks and software used by these enterprises, attackers can steal information related to the production process or even bring down manufacturing operations, leading to technogenic disasters,” he explains.

Kaspersky Lab’s industrial computer systems (ICS) computer emergency response team of specialists discovered that, in the second half of 2016, malware downloads and access to phishing Web pages were detected and blocked on more than 22% of industrial computers.

This means that every fifth machine faced the risk of infection or credential compromise through the Internet at least once. In 2016, about 20 000 different malware samples, belonging to over 2 000 different malware families, were revealed in industrial automation systems.

“The desktop computers of engineers and operators working directly with ICS do not usually have direct access to the Internet owing to the limitations of the technology network in which they are located. However, there are other users that have simultaneous access to the Internet and ICS.”

During the period of research, 10.9% of computers with ICS software installed (or connected to those that have this software) showed traces of malware when a removable device was connected to them, says Goncharov.

Malicious email attachments and scripts embedded in the body of emails, as the third most frequently detected attacks on ICS, were blocked on 8.1% of industrial computers.

In most cases, attackers use phishing emails to attract the user’s attention and disguise malicious files. Malware was most often distributed as office documents, in Microsoft Office and portable document format files, to entice people to download and run malware on the industrial organisation’s computers.

“Our analysis shows us that blind faith in technology networks’ isolation from the Internet is not effective. The rise of cyberthreats to critical infrastructure indicates that ICS should be properly secured from malware inside and outside the perimeter,” emphasises Goncharov.

“It is also important to note that, according to our observations, the attacks almost always start with the weakest link in any protection – people,” he emphasises.

To protect the ICS environment from possible cyberattacks, Kaspersky Lab security experts advise that industries conduct a security assessment to identify and remove security loopholes, with external intelligence from reputable vendors helping organisations to predict future attacks on their industrial infrastructure.

“Train your personnel and provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response, [and] to block an attack before it reaches critically important objects,” he says.