Kaspersky ICS CERT published a report that provided details about the threat landscape for ICS engineering and integration sector in 2020.
The experts gathered data related to the cyberthreats that were blocked on computers used to manage industrial control equipment and targeting software used in ICS engineering and integration industry, including human-machine interface (HMI), OPC gateway, engineering, control, and data acquisition software.
“A key aspect in which of the ICS engineering sector is different from other industries is that an ICS engineering computer often has direct and indirect connections to various industrial control systems, some of which may even belong to other industrial enterprises. And while an ICS engineering computer has more access rights and fewer restrictions (such as application control, device control, etc.) than the average ICS computer, it also has a wider attack surface.” reads the report published by Kaspersky.
In H2 2020, 39.3% of computers in the ICS engineering and integration sector protected by Kaspersky were targeted by malware, an increase compared with detections for H1 2020 (31.5%). Building automation, automotive manufacturing, energy and oil & gas, suffered major increases in the ICS engineering sector.
Experts pointed out that the threat landscape for computers in the ICS engineering and integration sector varies depending on multiple factors, including the geographical location, the ability to access external networks and services, and user behavior.
Latin America, the Middle East, Asia and North America were the regions with the highest number infections attempts blocked by the security solutions in H2 2020. On the other end, the number of blocked malware attacks in Africa, Russia and Europe decreased in H2 2020 compared to H1 2020.
The highest percentage increase in H2 2020 (22.8%) was observed in North America, the majority of the attacks observed by the experts involved crypto-currency miners. The second region with the highest increase was the Middle East due to an outbreak of Fast-Load AutoLISP modules that spread within infected AutoCAD projects and other self-propagating worms that spread via USB.
European ICS engineering organizations were mainly targeted by phishing campaigns attempting to deliver spyware and cryptominers.
Experts reported that the majority of computers in the ICS engineering sector are represented by desktop systems, but laptops remain more exposed to attacks via the internet, removable media devices, and email.
Computers that use VPN software are less exposed to online threats, but unfortunately, they represent only 15% of the total.
“From time to time, the various viruses and worms that have been spreading for a decade between computers in ICS environments via USB devices or network folders hit the computers of ICS engineers. Such threats were blocked more often on computers with VPN software.” continues the report.
Computers with remote access software (64.6% of the total) are less exposed to internet threats, especially when VPN software is used, but these systems are exposed to attacks leveraging network services, such as SMB, MS SQL and RDP.
“The majority of these attacks are due to worm outbreaks in a subnet (physical or virtual). Those worms use Mimikatz and spread over the network by abusing stolen credentials, exploiting an RCE vulnerability or by successfully running brute-force attacks on a network service.” states the report.
The report also provides the following recommendations to protect ICS systems:
The full report is available here.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, ICS/SCADA)