The manufacturing sector emerged as the hardest hit by cyberattacks during the first half of 2017, with one in every three industrial cyberattacks carried out against industrial control system (ICS) computers, says global cybersecurity firm Kaspersky Lab critical infrastructure defence head Evgeny Goncharov.
The ‘Threat Landscape for Industrial Automation Systems’ report notes that Kaspersky Lab cybersecurity products blocked attack attempts on 37.6% of ICS computers during the first half of 2017, following the receipt of anonymised information from tens of thousands of ICS computers.
This represents a marginal 1.6% dip, compared with the second half of 2016. The majority of the ICS computers were in manufacturing companies that produce various materials, equipment and goods, says Goncharov.
Other highly affected industries include engineering, education and food and beverage. ICS computers in energy companies accounted for almost 5% of all industrial cyberattacks. Attempts to download malware or access known malicious or phishing Web resources were blocked on 20.4% of ICS computers.
The high number of infections of this type results from the interfaces between corporate and industrial networks, the availability of limited Internet access from industrial networks and the connection of computers on industrial networks to the Internet through mobile phone operators’ networks, Goncharov explains.
In total, Kaspersky Lab detected about 18 000 different modifications of malware – belonging to more than 2 500 different malware families – on industrial automation systems in the first six months of 2017.
“During the first half of the year, the world faced a ransomware epidemic, which also affected industrial companies. Based on the research from the Kaspersky Lab ICS Cyber Emergency Response Team (CERT), the number of unique ICS computers attacked by encryption Trojans increased significantly and had tripled by June.”
In order to protect the ICS environment from possible cyberattacks, the Kaspersky Lab ICS CERT recommends that industrial companies take an inventory of running network services, with special emphasis on services that provide remote access to file system objects.
Further, they should, as a minimum, verify the security of remote access to the industrial network and, as a maximum, reduce or completely eliminate the use of remote administration tools. They should also keep endpoint security solutions up to date.
They should also audit ICS component access isolation, the network activity in the enterprise’s industrial network and at its boundaries, and policies and practices related to using removable media and portable devices.
Additionally, the CERT recommends that industrial firms use advanced methods of protection. For example, companies should deploy tools that provide network traffic monitoring and the detection of cyberattacks on industrial networks.
Overall, experts discovered encryption ransomware belonging to 33 different families. Most of the encryption Trojans were distributed through spam emails disguised as part of business communication, with either malicious attachments or links to malware downloaders embedded within the emails.
Further, ExPetr was a notorious encryption ransomware campaign from the first half of the year, with at least 50% of the companies attacked being from manufacturing and the oil and gas industries.
“In the first half of the year, we saw how weakly protected industrial systems are. Almost all the affected industrial computers were infected accidentally and as the result of attacks targeted initially at home users and corporate networks.
“The WannaCry and ExPetr destructive ransomware attacks disrupted enterprise production cycles around the world, caused logistical failures and forced downtime in the work of medical institutions.
“The results of such attacks can provoke intruders into further actions. Since we are already late with preventive measures, companies should think about proactive protective measures now to avoid ‘firefighting’ in future,” Goncharov stresses.