Five Trends In Attacks On Industrial Control Systems

Uploaded on 2018-12-03 in TECHNOLOGY--Hackers, NEWS-News Analysis, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Manufacturing, BUSINESS-Production-Energy

Attacks on industrial control systems are up, according to Kaspersky and Symantec

Yet, there are specific trends in the attack data: Developing countries are being hit harder than Western Europe and the United States; most attacks come via the internet, removable drives or email; and between 1 and 4 percent of IC systems are attacked by crypto-currency malware each month.

In May, a new modular malware system, dubbed VPNFilter, began running rampant among small and home office-based routers as well as network-attached storage. 

More than 500,000 devices in 54 countries were infected by the software, according to networking giant Cisco, and what's more, the malware scanned for traffic used in many industrial control systems, known as Modbus.

The attack appears to be just the latest campaign to target industrial, manufacturing and control systems, a worrisome trend that could turn purely digital threats into physical damage, especially if it uses the destructive capabilities coded into VPNFilter, researchers with Cisco's Talos Intelligence team stated in an analysis of VPNFilter.

"The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols," the researchers said. 

"Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."

Overall, security firms are reporting an increase in attacks on industrial control networks. Gathering data from systems protected by its software, Kaspersky Lab found that 41.2 percent of systems were attacked at least once during the six months of 2018, up from 36.6 percent in the first half of 2017.

The attacks targeted Windows systems that performed supervisory control and data acquisition (SCADA) duties, acted as data storage servers or data gateways in operational networks, or were used as workstations by engineers and operators.

"The year-over-year increase of percentage of ICS computers attacked means more malware and attacks are able to get through network perimeters and to hit the ICS computers," Kirill Kruglov, security researcher at Kaspersky Lab, told eWEEK. “The primary reason is an overall increase in malicious activity."

Symantec has seen a six-fold increase in attacks year-over-year among its customers, according to the firm. Yet, the threat landscape does not consist of a single topography. Looking at the data, a variety of different trends jump out.

1. Attacks on industrial control systems are not all alike

While Kaspersky and Symantec have seen a jump in attacks on industrial control systems, it is likely that those systems are not connected to critical infrastructure, said Dale Peterson, CEO of Digital Bond, an ICS security consultancy.

"You cannot view ICS as a whole," he said. "You do have small companies or low-value industrial control systems that are sitting on the corporate network, and the reports are showing that those systems are getting attacked more. But those are not power systems, and they are not the large water systems that compose critical infrastructure."

In the large critical infrastructure providers with whom Peterson works, he rarely sees any successful attacks, although he does acknowledge that even the critical infrastructure firms have security challenges. 

The most significant attack for such companies is attackers targeting administrators who have remote access from an external workstation. Phishing attacks are often used to compromise those privileged users.

While such attacks are harder to plan and execute, they can deliver spectacular results.

"They are much harder to get into than ever before, but once you are inside, those networks are insecure," Peterson said. "Because they are insecure by design, if you are on the system, all the features and functions are there for you."

2. Attacks are not generally sophisticated

In its report for the first half of 2018, Kaspersky Lab noted that an operation that was previously known as Energetic Bear, because of its link to Russian operators and its targeting of energy companies, actually had a wider scope than first thought. 

The firm has renamed the threat “Crouching Yeti” to downplay the connection with Russia. While the attacker focused on targeting the US and Europe, the operation also compromised a variety of websites as well as various manufacturers and infrastructure companies and government agencies.

Overall, however, the attacks were not overly sophisticated, using spear phishing via PDF documents, software installers with Trojan installers and waterhole attacks through pre-compromised websites. Once a machine had been successfully exploited, the attack framework could install additional modules to expand the attackers' foothold.

"The industrial companies need to pay more attention to the level of employees’ awareness of cyber-threats, and keep up with modern cybersecurity measures starting from access and traffic control on perimeter of [operation technology] network and continue hardening ICS endpoints by removing and blocking unnecessary software, separating privileges and tightening control of compelled usage of remote administration tools when those tools are required, such as during remote maintenance," Kaspersky Lab's Kruglov said.

3. Attackers focus on specific geographies

Attackers also continue to focus on certain regions of the world. Organizations in Asian, African and Latin American nations suffered a greater percentage of attacks compared with the number of systems they have protected, as compared to North American, Western European and Australian firms.

"Presumably, this situation could be due to the amounts of funds invested by organisations in infrastructure protection solutions," Kaspersky Lab's researchers said in its analysis.

Removable media continues to be a significant threat in many of the most attacked nations, with Asian countries, Latin America and the Middle East all showing signs of a much higher rate of infection from removable media compared with Russia, Europe and North America. Meanwhile, attacks through email, while often effective, are not seen as often, perhaps because they target a small group at each firm.

4. Internet-connected systems are at greatest risk

While attacks via removable media and phishing emails are often encountered, the greatest number of attacks use widespread scans of internet-facing systems to establish a beachhead within a vulnerable network, Kaspersky Lab found. 

More than 27 percent of attacks came from Internet sources in the first half of 2018, up from 20.6 percent of attacks in the same six months of 2017.

"Contrary to the conventional wisdom about control networks being isolated, in the past years the Internet became the main source of infection for computers on organisations’ industrial networks," Kaspersky Lab's report stated.

Yet, Digital Bond's Peterson stressed that the attacks seen by security firms are likely the ones hitting smaller firms that do not protect their systems as rigorously as critical infrastructure is protected in Western countries.

"What the report is really saying is that there is still a lot of low-hanging fruit," he said. "I don't see that there are a lot of high-value critical infrastructure that has Windows servers connected directly to the internet."

5. Managers think systems are more secure than operators believe

There is another disconnect in the ICS world. High-level managers tend to believe their systems are more secure than do operational engineers and other employees with "boots on the ground," according to Barbara Filkins, a senior analyst with the SANS Institute.

In its latest report, The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns, the SANS Institute found that almost three-quarters of firms were confident or somewhat confident in their ability to maintain the security of their industrial internet of things (IIoT). 

Yet, companies' leadership and department managers were more likely to have a rosy outlook on their security compared to the operational technology (OT) department.

"The closest people to the risk were less confident in their ability to defend the operational network," said Filkins, one of the study's authors. "Management is actually more confident than they should be, and they should be listening to someone down the food chain."

Companies need to get better visibility, train employees in security operations and better segment their network to limit the ability of attackers to move laterally once a beachhead is established, according to the SANS survey.

eWeek:

You Might Also Read:

Industrial Control Systems Are A Soft Target For Cyber Attackers

What is the Industrial IoT?

« Facebook's Sheryl Sandberg Is 'Tainted' By Crises
Selecting The Right SCADA Technology »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

baramundi software

baramundi software

baramundi software AG provides companies and organizations with efficient, secure, and cross-platform management of workstation environments.

qSkills

qSkills

QSkills is an independent training provider specialized high-quality IT and IT management training courses including IT security.

NITA Uganda (NITA-U)

NITA Uganda (NITA-U)

NITA-U has put in place the Information security framework to provide Uganda with the necessary process, policies, standards and guideline to help in Information Assurance.

Sothis

Sothis

Sothis is an information technology services company offering a range of solutions including cybersecurity, managed security services, information governance and compliance.

National Forensic Sciences University (NFSU)

National Forensic Sciences University (NFSU)

National Forensic Sciences University is the world’s first and only University dedicated to Digital Forensic and allied Sciences.

Department of Justice - Computer Crime and Intellectual Property Section (CCIPS)

Department of Justice - Computer Crime and Intellectual Property Section (CCIPS)

The Computer Crime and Intellectual Property Section (CCIPS) is responsible for implementing the Department's national strategies in combating computer and intellectual property crimes worldwide.

Dale Peterson

Dale Peterson

Dale Peterson, a leading ICS security and control system IT information expert, provides consulting services to assess and improve the security of SCADA and DCS.

Partnership for Conflict, Crime and Security Research (PaCCS)

Partnership for Conflict, Crime and Security Research (PaCCS)

PaCCS delivers high quality and cutting edge research to improve our understanding of current and future global security challenges in areas including cybersecurity.

Privacyware

Privacyware

Privacyware's ThreatSentry combines a state-of-the-art Web Application Firewall and port-level firewall with advanced behavioral filtering to block unwanted IIS traffic and web application threats.

Veridium

Veridium

Veridium is a leader in single step - multi factor biometric authentication, designed to safeguard enterprises’ most critical assets.

SEIRIM

SEIRIM

SEIRIM delivers cybersecurity solutions in Shanghai China specializing in Web Application Security, Network Security for SME's, Vulnerability Management, and serving as Managed Security as a Service.

Laminar

Laminar

Laminar provides the only Public Cloud Data Protection solution that provides full visibility and enforcement capabilities across your entire public cloud infrastructure.

ResilientX

ResilientX

ResilientX is an All-In-One Security Testing Platform designed to help MSPs and SMBs to perform their security testing and assessments without having to outsource IT.

c0c0n

c0c0n

c0c0n is the longest running conferences in the area of Information Security and Hacking, in India.

Domotz

Domotz

Domotz enables IT teams to monitor and manage their networks remotely, while ensuring that the security and the operational efficiency of their organizations are properly maintained.

COGITANDA Dataprotect

COGITANDA Dataprotect

COGITANDA are a group of companies focused on dealing with cyber risks, managing them and insuring them.