With connectivity to the outside world growing, cyber attacks on industrial computers constitute an extremely dangerous threat, as these types of incidents can cause material losses and production downtime for a whole system. Moreover, industrial enterprises knocked out of service can seriously undermine a region’s social welfare, ecology and macroeconomics. Not surprisingly, cybersecurity is becoming more and more important across the board. Given the importance of industrial control systems (ICS) cybersecurity, it is essential to understand the trends that dominate the ICS space. To achieve a thorough understanding, we will look at these trends from both the business and the threat perspective.
The Business Perspective
In June 2018, Kaspersky Lab released its second annual report, "The State of Industrial Cybersecurity 2018," a publication based on a survey of 320 worldwide professionals with decision-making power regarding ICS cybersecurity. The aim of the survey was to analyze the status quo of industrial cybersecurity. The report reveals some interesting facts about ICS cybersecurity and how this focus area is perceived by ICS businesses.
ICS Cybersecurity Is a Major Priority, but...
As a “headline” finding, one can say that even though over three-quarters of the companies surveyed state that ICS cybersecurity is a major priority, they often don’t carry out the associated security measures. For instance, despite the fact that over three-quarters of the companies surveyed state that it is very likely or at least quite likely they will become a target of a cybersecurity attack in the ICS space, only 23% are compliant with minimal mandatory industry or government guidance and regulations around cybersecurity of industrial control systems. Although more than half of the companies (51%) said that they did not experience any incident or breach in the past 12 months, the question is whether they would even have recognized one. Many companies do not even detect or track attacks. It is astonishing that, in this day and age, 10% of respondents still do not measure the number of incidents and breaches they have experienced. Moreover, since the companies surveyed have only just started the digital transformation, it can be said that their attack surface will increase as they raise their level of digitalization.
Concerns and Challenges
The top company concerns resulting from a potential cyber attack are damage to products and services along with injury or death of employees. Most companies also see a link between cyber damage and business success on different levels. Damage to a product's quality due to incidents (54%) is directly linked to the loss of customer confidence (40%), while the loss of sensitive business information is associated with a loss of contracts or business opportunities (22%). The companies are facing significant challenges in virtually all segments. For 58% of the companies, a major challenge is to hire ICS cybersecurity employees with the right skills, which is a global issue in cybersecurity. This aspect is even more critical combined with the second challenge (54%) of integrating ICS with IT systems and IoT ecosystems, meaning they are opening up these systems to the outside world.
Disconnection Between Perception and Reality
Last but not least, there are important differences between what is happening and what is being feared. Most businesses name APTs (66%) and data leaks and spying (59%) as their top fears, since their potential impact makes them very threatening. However, targeted attacks and APTs are weakening as a challenge (only 16% of the cybersecurity incidents), while conventional malware and virus outbreaks are becoming more and more problematic. Sixty-four percent of the cybersecurity incidents that occurred during 2018 were caused by conventional malware and virus outbreaks. The same disconnection was also highlighted in the latest SANS report, “The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns.” The survey found that almost three-quarters of firms were confident or somewhat confident in their ability to maintain the security of their industrial internet of things (IIoT). Yet, companies' leadership and department managers were more likely to have a rosy outlook on their security compared to the operational technology department.
The Threat Landscape
In September 2018, Kaspersky Lab released the report “Threat Landscape for Industrial Automation Systems, H1 2018.” This publication is based on data gathered by Kaspersky Security Network, a distributed antivirus network which protects ICS computers performing one or several of the functions of supervisory control and data acquisition (SCADA) servers, data storage servers, data gateways and stationary workstations of engineers and operators. The report highlights some interesting trends relating to the threat landscape of ICS cybersecurity.
Increased Cybersecurity Incidents
The percentage of ICS computers attacked at least once in H1 2018 reached 41.2%, up from 36.6% in the first half of 2017. The increase in the percentage of ICS computers attacked was due primarily to an overall increase in malicious activity.
Geography, Money, and Incidents
The geographical distribution of the attacks shows that countries in Africa, Asia and Latin America are significantly worse off in terms of the percentage of ICS computers attacked than countries in Europe, North America and Australia. Even within Europe, the figures for Eastern Europe are considerably greater than those for Western Europe, and the percentage of ICS computers attacked in Southern Europe is higher than that in Northern and Western Europe. Such substantial differences could be explained by the overall level of development in different countries and differences in the cybersecurity levels as well as the levels of malicious activity in different countries. According to IDC, from a geographic perspective, the US and Western Europe were the largest markets for information security products in 2017. All countries that had minimal percentages of ICS computers attacked were classified by the International Monetary Fund (IMF) as advanced economies. In addition, six of the 10 countries that had the lowest percentage of ICS computers attacked – the US, the UK, the Netherlands, Sweden, Switzerland, and Israel – were among the Top 20 countries according to the International Telecommunication Union (ITU) Global Cybersecurity Index 2017. Finally, the high percentages of ICS computers attacked in developing countries could be a product of these countries having had industrial sectors for a relatively short amount of time. When designing and commissioning industrial facilities, the main focus is often on the economic aspects of their operation and the physical safety of the industrial process, while information security is much lower on the list of priorities. This finding is also in accordance with the results of "The State of Industrial Cybersecurity 2018" report.
Main Sources of Threats
The main sources of infection for computers in organizations’ industrial network infrastructure are the internet, removable media and email. In H1 2017, the internet was the source of threats on 20.6% of ICS computers, while in H1 2018, the figure was as high as 27.3%. This pattern seems logical, as modern industrial networks can hardly be considered isolated from external systems anymore. Today, an interface between the industrial network and the corporate network is needed both to control industrial processes and to provide administration for industrial networks and systems. The second most common source of industrial network infection was removable media. The USB threat to ICS was also the subject of Honeywell’s latest Industrial USB Threat Report. The highest percentage of ICS computers attacked via removable media was recorded in countries with a low GDP level, while the opposite happened in Western Europe and North America, where there is a higher overall level of security measures as well as less extensive use of removable media. On the other hand, the analysis of email-borne threats indicates that the information security level has virtually no effect on the number of phishing emails and malicious email attachments that get through protective measures at the network perimeter and reach ICS computers. A possible explanation is that effective tools designed to protect from email-borne attacks are either not used on the network perimeter or not properly configured.
Attacks Not Sophisticated
Overall, according to the report, the attacks were not overly sophisticated; they commonly used spear phishing via PDF documents, Trojanized software installers and watering hole attacks through pre-compromised websites. Once a machine had been successfully exploited, the attack framework could install additional modules to expand the attackers' foothold.
Way Forward and Recommendations
To master the ICS cybersecurity challenges, companies need to have a strategy with proper measures in place. Obviously, this organization and these measures need to have sufficient funding to work smoothly.
“The percentage of cyber attacks on ICS computers is a concern. Our advice is to pay attention to systems’ security from the very beginning of their integration, when the systems’ elements are first connected to the internet: neglecting security solutions at this stage could lead to dire consequences,” says Kirill Kruglov, security researcher at Kaspersky Lab.
In addition, “the industrial companies need to pay more attention to the level of employees’ awareness of cyber threats, and keep up with modern cybersecurity measures,” Kruglov added. It is vital that cybersecurity measures keep up with the rate of technology adoption. Industrial companies should take ICS incident response programs more seriously to minimize the risk of severe operational, financial and reputational damage. Only by developing effective incident response programs and by deploying dedicated cybersecurity solutions to manage the security of complex connected and distributed industrial ecosystems can businesses protect their services and products as well as their customers and the environment.