
ICS alarm: industrial control systems are increasingly at risk

by admin

Industrial control systems (ICS) continue to be the target of attacks by multiple categories of malicious actors, from cybercriminals seeking extortion to groups operating on behalf of governments with the aim of sabotage.

Over the past few years, there have been a number of attacks specifically designed to target this category of devices, which our businesses depend on to function. It should also be noted that generic threats, which are not designed to target ICS systems, are often involved in attacks against this category of devices.

In April, the cybersecurity company Kaspersky released an interesting report on the threat landscape for industrial control systems in the second half of 2020, based on statistical data collected by the company's antivirus software installed on computers hosted in industrial infrastructure networks.

The Windows systems on which the antivirus software is installed perform various functions, such as:

  • Supervisory control and data acquisition server (SCADA)
  • Data storage server (Historian)
  • Data gateway (OPC)
  • Fixed workstations for engineers and operators
  • Mobile workstations for engineers and operators
  • Human Machine Interface (HMI)
  • Computers used for the administration of industrial networks
  • Computers used to develop software for industrial automation systems

According to Kaspersky, the percentage of ICS computers affected by a cyber attack in the second half of the year on a global scale was 33.4% (+0.85% compared to the first half of 2020). In the second half of 2020, the percentage of affected ICS systems increased, compared to the first half, in 62% of countries. The country that recorded the greatest growth in the number of attacks (+8.2%) was Saudi Arabia.

According to the report, the number of ransomware attacks on industrial control systems (ICS) has increased in specific areas of the planet, including the United States and Canada (+0.25%), Australia (+0.23%) and Western Europe (+0.13%).

The Internet, removable media such as USB sticks and e-mail continue to be the main attack vectors for information systems in the industrial infrastructure of organizations.

To get an idea of the impact of threats on ICS systems, consider that in the second half of 2020 alone, Kaspersky blocked over 19,400 variants of malware on industrial automation systems belonging to approximately 5,365 different families.

The numbers in the report confirm growing pressure from threats to industrial systems. But what are the main risks for industrial control systems? To answer this question, it is worth reading the third half-yearly report on ICS risks and vulnerabilities published by Claroty, a company specializing in cybersecurity for industrial equipment.

According to the company, 637 vulnerabilities affecting the industrial control systems (ICS) of 76 suppliers were published during the first half of 2021.

Comparing the data to that of the previous half-year, in which 449 vulnerabilities affecting 59 suppliers were disclosed, we can see a significant increase. This increase is certainly attributable to a heightened perception of the security risk for ICS systems, which are subject to frequent assessments by companies; however, an increase in the number of flaws is certainly indicative of an expansion of the attack surface that could be exploited by malicious actors.

Another alarming fact is that over 70% of vulnerabilities published in the first half were classified as critical or of high severity. This means that exploiting these flaws in attacks could have major consequences on vulnerable systems and that such attacks sometimes do not require special skills on the part of the attacker.

How have these vulnerabilities been identified in ICS systems? In most cases (80.85%), the vulnerabilities were reported to the affected manufacturer by third parties, such as security companies, independent experts and academics.

The largest number of vulnerabilities disclosed in the first six months of 2021 relates to solutions from the manufacturer Siemens (146), closely followed by Schneider Electric (65) and Rockwell Automation (35). The flaws in ICS systems were mainly related to operations management systems (historian, OPC server) (23.55%), followed by the basic control level (programmable logic controllers (PLC), remote terminal units (RTU)) (15.23%) and supervisory control (human-machine interface (HMI) and SCADA) (14.76%).

According to Claroty experts, 61.38% of disclosed vulnerabilities could be exploited in attacks from outside IT or operational technology (OT) networks. This data is very worrying, as phishing attacks, social engineering and even spam could lead to the compromise of an industrial plant.

Vulnerabilities exploitable through local attack vectors are increasing: the percentage went from 18.93% in the second half of 2020 to 31.55% in the first half of this year.

Another Achilles' heel of industrial systems is patch management: often, even when security updates are available, their installation is complex and it takes time to analyze the impact of the updates on the processes being controlled.

Here are some statistics on threat mitigation:

• 25.59% of the 637 ICS vulnerabilities disclosed in the first half of 2021 do not have a patch that completely or partially corrects them. This data gives us an indication of how exposed industrial systems are and implies the need to take additional protective measures to protect ICS systems from attacks that exploit these flaws.

• 61.96% of the fully or partially unpatched vulnerabilities were detected in firmware. Firmware is software directly integrated into the programmed electronic components of devices (e.g. ROM, read-only memory), so the related updates are not always possible or easy and may involve more complex operations than updating the operating system of a computer.

• 55.21% of vulnerabilities without full or partial fix could lead to remote code execution while 47.85% could lead to denial of service (DoS) conditions. These percentages tell us that in most cases the flaws can be exploited by a remote attacker and therefore it is necessary to adopt suitable defense measures to prevent an attacker from compromising an industrial system with an attack from anywhere in the world.

• 6.43% of the 637 vulnerabilities are related to products no longer supported by manufacturers. In this case it is necessary to replace the ICS device and if not possible it is necessary to apply the necessary mitigations. Also in this case, most of the vulnerabilities, as much as 51.22%, affecting products no longer supported are present in the firmware.

Experts warn against ransomware and extortion attacks aimed at critical infrastructure, which represents a strategic target for criminal organizations that are confident the ransom will be paid if operations are paralyzed.

There is no doubt: the data reported confirm how exposed ICS systems are to cyber attacks and how critical their protection is to our society.
