The manufacturing sector emerged as the hardest hit by cyberattacks during the first half of 2017, as the target of one in every three attacks on industrial control system (ICS) computers, global cybersecurity firm Kaspersky Lab said on Wednesday.
The 'Threat Landscape for Industrial Automation Systems' report noted that Kaspersky Lab cybersecurity products blocked attack attempts on 37.6% of ICS computers during the first half of 2017, following the receipt of anonymised information from tens of thousands of ICS computers.
This represents a marginal 1.6% dip when compared with the second half of 2016.
The majority of the ICS computers were in manufacturing companies that produce various materials, equipment and goods, said Kaspersky Lab critical infrastructure defence department head Evgeny Goncharov.
Other highly affected industries include engineering, education, and food and beverage. ICS computers in energy companies accounted for almost 5% of all attacks.
Meanwhile, the three countries with the most attacked industrial computers, namely Vietnam, Algeria and Morocco, remained the same, with 71%, 67.1% and 65.4% of industrial computers attacked respectively during the period under review. Researchers detected an increase to 57.1% in the systems attacked in China during the half-year under review, according to the data released by Kaspersky Lab.
Attempts to download malware or access known malicious or phishing web resources were blocked on 20.4% of ICS computers, Goncharov said.
The reasons for the high statistics for this type of infection lie in interfaces between corporate and industrial networks, the availability of limited Internet access from industrial networks, and the connection of computers on industrial networks to the Internet through mobile phone operators’ networks, Goncharov explained.
In total, Kaspersky Lab detected about 18 000 different modifications of malware, belonging to more than 2 500 different malware families, on industrial automation systems in the first six months of 2017.
“During the first half of the year the world faced a ransomware epidemic, which also affected industrial companies. Based on the research from Kaspersky Lab ICS Cyber Emergency Response Team (CERT), the number of unique ICS computers attacked by encryption Trojans increased significantly and had tripled by June.”
Overall, experts discovered encryption ransomware belonging to 33 different families. Most of the encryption Trojans were distributed through spam emails disguised as business communication, with either malicious attachments or links to malware downloaders embedded within the message.
A total of 0.5% of computers in the industrial infrastructure of organisations were attacked by encryption ransomware at least once and ICS computers in 63 countries faced numerous encryption ransomware attacks, including the notorious WannaCry and ExPetr campaigns.
The WannaCry epidemic ranked highest among encryption ransomware families, with 13.4% of all computers in industrial infrastructure attacked. The most affected organisations included healthcare institutions and the government sector.
Further, ExPetr was another notorious encryption ransomware campaign from the first half of the year, with at least 50% of the companies attacked being from manufacturing and the oil and gas industries.
“In the first half of the year, we saw how weakly protected industrial systems are. Pretty much all of the affected industrial computers were infected accidentally and as the result of attacks targeted initially at home users and corporate networks.
“In this sense, the WannaCry and ExPetr destructive ransomware attacks proved indicative, leading to the disruption of enterprise production cycles around the world, as well as logistical failures, and forced downtime in the work of medical institutions.
“The results of such attacks can provoke intruders into further actions. Since we are already late with preventive measures, companies should think about proactive protective measures now to avoid ‘firefighting’ in future,” Goncharov stressed.
In order to protect the ICS environment from possible cyber-attacks, Kaspersky Lab ICS CERT recommends that industrial companies take an inventory of running network services, with special emphasis on services that provide remote access to file system objects.
Further, they should, as a minimum, verify the security of remote access to the industrial network and, as a maximum, reduce or completely eliminate the use of remote administration tools. They should also keep endpoint security solutions up to date.
They should also audit ICS component access isolation, the network activity in the enterprise’s industrial network and at its boundaries, and policies and practices related to using removable media and portable devices.
Additionally, the CERT recommends that industrial firms use advanced methods of protection. For example, companies should deploy tools that provide network traffic monitoring and the detection of cyberattacks on industrial networks.