Mass-distributed malware, not targeted attacks, is the most common way ICS computers get infected, with most of the threats coming from the internet, followed by removable devices and malicious email attachments.
Nearly half (47%) of the ICS computers that security vendor Kaspersky protects were hit with malware infections last year, a three percent climb from the prior year. Most of the activity emanated from Africa and Asia. Of the 14 geographic regions Kaspersky tracked in the second half of 2018, North America was 12th on the list for ICS infections.
While malware found its way into ICS machines in a variety of ways, once again sub-par awareness and training among employees to spot potential threats didn’t help, according to the report.
“Despite the common myth, the main source of threat to industrial computers is not a targeted attack, but mass-distributed malware that gets into industrial systems by accident, over the internet, through removable media such as USB-sticks, or emails,” said Kirill Kruglov, a Kaspersky security researcher. “However, the fact that the attacks are successful because of a casual attitude to cybersecurity hygiene among employees means that they can potentially be prevented by staff training and awareness – this is much easier than trying to stop determined threat actors.”
Kaspersky issued a set of recommendations ICS operators can apply to blunt attacks:
- Regularly update operating systems and application software on systems that are part of the enterprise’s industrial network.
- Apply security fixes to PLC, RTU and network equipment used in ICS networks where applicable.
- Restrict network traffic on ports and protocols used on edge routers and inside the organization's OT networks.
- Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.
- Deploy dedicated endpoint protection solutions on ICS servers, workstations and HMIs, including network traffic monitoring, analysis and detection to secure OT and industrial infrastructure from both random malware infections and dedicated industrial threats.
- Make sure security solutions are up-to-date and all the technologies recommended by the security solution vendor to protect from targeted attacks are enabled.
- Provide dedicated training and support for employees as well as partners and suppliers with access to your network.
- Use ICS network traffic monitoring, analysis and detection solutions for better protection from attacks potentially threatening the technological process and main enterprise assets.
Recent ransomware attacks against Norwegian aluminum producer Norsk Hydro and two U.S. chemicals suppliers have brought more attention to threats to industrial infrastructure. According to Kaspersky's data, the percentage of ICS computers where its technology prevented ransomware infections rose slightly from 1.6 percent to 2 percent.