Kaspersky Lab has recently released its report on the Industrial Control Systems (ICS) threat landscape, which revealed that large organisations likely have ICS components connected to the Internet that could allow cybercriminals to attack critical infrastructure systems.
In its report on the ICS threats landscape, Kaspersky Lab experts revealed 13,698 ICS hosts exposed to the Internet that more than likely belong to large organisations. These organisations include energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and drink, governmental, financial and medical institutions. 91.1 percent of these ICS hosts have vulnerabilities that can be exploited remotely. But the worse is yet to come – 3.3 percent of ICS hosts located in these organisations contain critical and remotely executable vulnerabilities.
According to Kaspersky Lab, sophisticated attacks on ICS systems are not new. In 2015, an organised group of hackers called BlackEnergy APT attacked a power company in Ukraine. In the same year two more incidents, supposedly connected with cyber-attacks, were reported in Europe: on a steel mill in Germany and on the Frederic Chopin Airport in Warsaw.
More attacks of this kind will emerge in the future since the attack surface is big. Those 13,698 hosts, located in 104 countries are only a small part of the total number of hosts with ICS components available through the Internet.
To help organisations working with ICS to identify their possible weak points, Kaspersky Lab experts conducted an investigation into ICS threats. Their analysis was based on OSINT (Open Source Intelligence) and information from public sources like ICS CERT, with the research period limited to 2015.
The major findings of the Industrial Control Systems Threats Landscape report are:
- In total, 188,019 hosts with ICS components available via the Internet have been identified in 170 countries.
- Most of the remotely available hosts with ICS components installed are located in the United States of America (30.5 percent – 57,417) and Europe. In Europe, Germany has a leading position (13.9 percent – 26,142 hosts), followed by Spain (5.9 percent – 11,264 hosts), and France (5.6 percent – 10,578 hosts).
- 92 percent (172,982) of remotely available ICS hosts have vulnerabilities. 87 percent of these hosts contain medium risk vulnerabilities and 7 percent of them have critical vulnerabilities.
- The number of vulnerabilities in ICS components has increased tenfold during the past five years: from 19 vulnerabilities in 2010 to 189 vulnerabilities in 2015. The most vulnerable ICS components were Human Machine Interfaces (HMI), Electric Devices and SCADA systems.
- 6 percent (172,338 different hosts) of all the externally available ICS devices use weak Internet connection protocols, which opens the opportunity for attackers to conduct ’man in the middle’ attacks.
“Our research shows that the larger the ICS infrastructure, the bigger the chance that it will have severe security holes. This is not the fault of a single software or hardware vendor. By its very nature, the ICS environment is a mix of different interconnected components, many of which are connected to the Internet and contain security issues. There is no 100 percent guarantee that a particular ICS installation won’t have at least one vulnerable component at any single moment in time. However, this doesn’t mean that there is no way to protect a factory, a power plant, or even a block in a smart city from cyber-attacks. Simple awareness of vulnerabilities in the components used inside a particular industrial facility is the basic requirement for security management of the facility. That was one of the goals behind our report: to bring awareness to interested audiences,” said Andrey Suvorov, Head of Critical Infrastructure Protection, Kaspersky Lab.
In order to protect the ICS environment from possible cyber-attacks, Kaspersky Lab security experts advise the following:
- Conduct a security audit: inviting experts who specialise in industrial security is probably the quickest way to identify and remove the security loopholes described in the report.
- Request external intelligence: today IT security relies on knowledge of potential attack vectors. Obtaining such intelligence from reputable vendors helps organisations to predict future attacks on the company’s industrial infrastructure.
- Provide protection inside and outside the perimeter. Mistakes happen. A proper security strategy has to devote significant resources to attack detection and response, to block an attack before it reaches critically important objects.
- Evaluate advanced methods of protection: A Default Deny scenario for SCADA systems, regular integrity checks for controllers, and specialised network monitoring to increase the overall security of a company and reduce the chances of a successful breach, even if some inherently vulnerable nodes cannot be patched or removed.