Who Is Targeting Industrial Facilities and ICS Equipment, and How?

December 1, 2018 by Pierluigi Paganini

Industrial Control Systems (ICS) Equipment Under Attack

Industrial Control Systems (ICS) are expected to be installed and left isolated for a long time. Technical changes and the necessity of reducing operating costs led to this equipment being left in operation longer than expected, exposing it to a broad range of cyber-threats.

Malware designed to compromise corporate systems can affect ICS systems with unpredictable impacts on the real world. Last year, Kaspersky Lab conducted a survey of 359 industrial cybersecurity practitioners and uncovered some discrepancies between the perception and reality of ICS cybersecurity incidents. 83 percent of respondents felt prepared to handle an ICS cybersecurity incident, while 50 percent suffered at least one cybersecurity incident in the year before. 74 percent of participants in the survey believed that their industrial infrastructure would be targeted in the coming year, and the top concern was conventional malware affecting control systems.

One of the biggest issues when dealing with ICS systems is patch management across the product life cycle. In many cases it is quite hard to update the software running on ICS systems, so operators and vendors fail to provide regular patches, forcing companies with ICS equipment to rely on other security controls instead.

According to the survey, companies are responding to the threats with anti-malware, network monitoring and device access controls. Over half of the respondents aren’t considering vulnerability scanning and patch management.

The findings of the Kaspersky survey show a worrisome scenario. Experts believe that there will be many cybersecurity incidents in the coming months. What should industrial organizations prepare for? The survey highlights the top three concerns as:

  1. Damage to product and service quality
  2. Loss of proprietary or confidential information
  3. Reduction or loss of production at a site

The challenges for operators managing an ICS environment differ from those of both traditional stand-alone control systems and highly connected corporate networks. For this reason, the associated risks need to be addressed properly.

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams. They need a solid understanding of the threat landscape, well-considered protection means and they need to ensure employee awareness,” said Andrey Suvorov, Head of Critical Infrastructure Protection, Kaspersky Lab. “With cyber threats on the ICS shop floor, it is better to be prepared. Security incident mitigation will be much easier for those who have leveraged the benefits of a tailored security solution built with ICS needs in mind.”

Let’s take a look at what has happened in the cyber-threat landscape in H1 2018, who the main threat actors are and how they targeted ICS equipment.

H1 2018 – ICS Threat Landscape

The number of cyber-attacks against industrial control systems is growing rapidly. Nation-state actors, cybercriminals and hacktivists all threaten them. In September, security experts from Kaspersky Lab published a report titled “Threat Landscape for Industrial Automation Systems” for H1 2018, which includes data on attacks against ICS systems in the first six months of the year. Kaspersky detected over 19,400 malware samples belonging to roughly 2,800 malware families, most of which were not threats specifically designed for this category of devices. The experts revealed that the majority of the infections were caused by random, untargeted attacks.

According to Kaspersky, the share of ICS systems protected by the company that were attacked reached 41.2 percent. Compared to the first half of 2017, the experts observed an overall increase of 5 percent in the number of attack attempts.

Most of the attacks hit computer systems in countries with a low per-capita GDP in Asia, Latin America and North Africa, while in the United States only 21.4 percent of ICS systems were hit.

However, several regions suffered repeated and destructive attacks on their industrial control systems. In South-East Asia, more than 60 percent of ICS were attacked during the first half of 2018; Africa stood at just under 60 percent of ICS attacked, with South Asia around 55 percent, Central Asia approximately 53 percent, and Russia 45 percent.

The geographical distribution of attacks on industrial automation systems revealed that the countries with the highest number of attacks by percentage were Vietnam (75.1 percent), Algeria (71.6 percent) and Morocco (65 percent), while the safest regions for ICS systems were Denmark (14 percent), Ireland (14.4 percent) and Switzerland (15.9 percent).

Figure 1: Geographical distribution of attacks on industrial automation systems, H1 2018, percentage of ICS computers attacked in each country (Source: Kaspersky Lab)

Most of the attacks came from the internet: 27 percent of attacks came from web sources, 8.4 percent leveraged removable storage media, and just 3.8 percent came from email clients.

“This pattern seems logical: modern industrial networks can hardly be considered isolated from external systems. Today, an interface between the industrial network and the corporate network is needed both to control industrial processes and to provide administration for industrial networks and systems,” Kaspersky added.

In H1 2018, attackers compromised legitimate websites in order to host malware components on them. Researchers attributed the increase in the percentage of ICS computers attacked through browsers to the increase in the number of attacks involving JavaScript cryptocurrency miners.

Experts also pointed out that the increase in the number of attacks using Microsoft Office documents as the attack vector (Word, Excel, RTF, PowerPoint, Visio and so on) was associated with phishing campaigns.

Figure 2: Main sources of threats blocked on ICS computers (percentage of computers attacked during half-year periods) (Source: Kaspersky Lab)

“In H1 2018, threat actors continued to attack legitimate websites that had vulnerabilities in their web applications in order to host malware components on these websites,” Kaspersky researchers stated in the report. “Notably, the increase in the percentage of ICS computers attacked through browsers in H1 2018 was due to the increase in the number of attacks that involved JavaScript cryptocurrency miners. At the same time, the increase in the number of ICS computers attacked using Microsoft Office documents was associated with waves of phishing emails.”

More information about the attacks against ICS systems in H1 2018 is available in the full version of the report.

Watch Out for USB Removable Storage Devices

Security experts from Honeywell recently conducted an interesting study on the vectors for malware attacks against industrial facilities. The researchers revealed that malware-based attacks against industrial facilities mostly leverage USB removable storage devices. The researchers from Honeywell analyzed data collected with the Secure Media Exchange (SMX), a product launched in 2017 which was designed to protect industrial facilities from USB-borne threats.

The experts focused their analysis on the attacks against industrial facilities in the energy, oil and gas, chemical manufacturing, pulp and paper and other sectors, collecting data from 50 locations in four continents. In 44 percent of the analyzed locations, the SMX product had blocked at least one suspicious file, and experts pointed out that of the neutralized threats, 26 percent could have caused major disruptions to ICS systems.

“While the volume of malware discovered in this research was small relative to the total sample size volume, the malware potency was significant,” states the report. “Of those threats blocked by SMX, 1 in 4 (26 percent) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16 percent were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”

16 percent of the malware detected by the product was specifically designed to target ICS or IoT systems, and 15 percent of the samples belonged to high-profile families such as Mirai (6 percent), Stuxnet (2 percent), Triton (2 percent) and WannaCry (1 percent). The most disconcerting finding concerns the share of threats blocked by Honeywell that could have caused a major disruption to ICS equipment: these threats account for 26 percent of the total.

“These findings are worrisome for several reasons. That high-potency threats were at all prevalent on USB drives bound for industrial control facility use is the first concern. As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” continues the report. “Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments. Finally, as historical trends have shown, newly emerging threat techniques such as TRITON, which target Safety Instrumented Systems, can provoke copycat attackers.”

Experts from Honeywell also confirmed that most of the attacks involved non-targeted threats. Most of the malware detected by the Honeywell product consisted of Trojans (55 percent), followed by bots (11 percent), hacking tools (6 percent) and potentially unwanted applications (5 percent), a finding that aligns with the results of Kaspersky Lab’s research.

32 percent of malicious code used in the attacks had RAT features, 12 percent dropper capabilities and 10 percent DDoS abilities. Only 9 percent of the malware detected by Honeywell was designed to directly exploit flaws in the USB protocol or interface.

“Of the malware discovered, 9 percent was designed to directly exploit USB protocol or interface weaknesses, making USB delivery even more effective — especially on older or poorly configured computers that are more susceptible to USB exploits,” continues the report. “Some went further, attacking the USB interface itself. 2 percent were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators.”
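The HID trick described above leaves a trace on the host: one physical USB device enumerates as mass storage and then registers a keyboard. As an added example (not code from the Honeywell report or from the article), the script below runs that check over constructed Linux kernel log lines, so a defender can flag the pattern on an engineering workstation; the port paths and vendor/product IDs in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed Linux kernel log lines (not a real capture); vendor/product IDs
# are placeholders. Device 1-1 enumerates as mass storage AND registers a HID
# keyboard, the BadUSB pattern; device 1-2 is an ordinary storage stick.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
input: Generic Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:ABCD.0001/input/input12
hid-generic 0003:1234:ABCD.0001: input,hidraw0: USB HID v1.11 Keyboard [Generic Flash Disk] on usb-0000:00:14.0-1/input1
usb 1-2: New USB device found, idVendor=5678, idProduct=ef01, bcdDevice= 1.10
usb-storage 1-2:1.0: USB Mass Storage device detected
"""

NEW_DEV = re.compile(r"^usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
STORAGE = re.compile(r"^usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
# "input:" lines tie a HID id (0003:VVVV:PPPP.NNNN) to the USB port path (e.g. 1-1)
INPUT = re.compile(r"^input: .* as /devices/\S*?/usb\d+/([^/]+)/\1:\d+\.\d+/([0-9A-Fa-f:.]+)/input/")
# "hid-generic" lines name the HID type (Keyboard, Mouse, ...) for that id
HID_TYPE = re.compile(r"^hid-generic ([0-9A-Fa-f:.]+): .*USB HID v[\d.]+ (\w+) \[")

def parse_usb_events(log):
    """Return {port_path: {"ids": (vid, pid), "classes": set()}} from kernel lines."""
    devices = defaultdict(lambda: {"ids": None, "classes": set()})
    port_of_hid, hid_types = {}, {}
    for line in log.splitlines():
        if m := NEW_DEV.match(line):
            devices[m.group(1)]["ids"] = (m.group(2), m.group(3))
        elif m := STORAGE.match(line):
            devices[m.group(1)]["classes"].add("storage")
        elif m := INPUT.match(line):
            port_of_hid[m.group(2).upper()] = m.group(1)
        elif m := HID_TYPE.match(line):
            hid_types[m.group(1).upper()] = m.group(2).lower()
    for hid_id, kind in hid_types.items():   # resolve HID ids to ports last, so
        if hid_id in port_of_hid:            # the order of the log lines is irrelevant
            devices[port_of_hid[hid_id]]["classes"].add(kind)
    return dict(devices)

def find_badusb_candidates(log):
    """Ports where one physical device exposes storage and a keyboard at once."""
    return sorted(path for path, info in parse_usb_events(log).items()
                  if {"storage", "keyboard"} <= info["classes"])

if __name__ == "__main__":
    for path in find_badusb_candidates(SAMPLE_LOG):
        print(f"ALERT: USB device at {path} presents both mass storage and a keyboard")
```

On a real host, feed it the output of dmesg or the kernel journal; a legitimate keyboard on its own port is not flagged, only a device that combines the two classes.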

Experts discovered that industrial facilities were targeted by both old and new threats. In some cases, very old threats like Conficker were identified and blocked, while researchers estimated that approximately 10 percent of the malware variants they detected were less than one week old.

Sources

Threat Landscape for Industrial Automation Systems, Kaspersky Lab

Honeywell Industrial USB Threat Report, Honeywell

ICS cybersecurity: A view from the field, Kaspersky Lab Daily

ICS Companies Are Worried About Cybersecurity, But Are They Worried About the Right Things?, Security Affairs

USB drives are primary vector for destructive threats to industrial facilities, Security Affairs

The main source of infection on ICS systems was the internet in H1 2018, Security Affairs

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.