Analysis Summary
# Research: Threat landscape for industrial automation systems, H1 2019
## Metadata
- **Authors:** Kaspersky ICS CERT (Industrial Control Systems Cyber Emergency Response Team)
- **Institution:** Kaspersky
- **Publication:** Kaspersky ICS CERT Reports
- **Date:** September 30, 2019
## Abstract
This research analyzes the cyber threat landscape affecting industrial control systems (ICS) during the first half of 2019. It reports the share of ICS computers on which malicious objects of various classes were blocked, the geography of those detections, and the specific vectors through which malware reaches the industrial perimeter. The report highlights a trend toward targeted, multifaceted attacks despite a slight decrease in the overall percentage of attacked ICS computers compared to 2018.
## Research Objective
The study aims to identify the most significant cybersecurity threats facing industrial environments, analyze global and regional trends in malware activity, and provide data-driven insights to help organizations prioritize their defensive strategies for critical infrastructure.
## Methodology
### Approach
The research utilizes a statistical analysis of anonymized telemetry data collected from ICS computers protected by Kaspersky security products. The researchers categorized blocked threats by type, origin, and industrial sector.
### Dataset/Environment
- **Scope:** Hundreds of thousands of ICS computers worldwide.
- **Definition of "ICS computer":** Systems performing one or more ICS functions, including SCADA servers, historians, data gateways, engineering workstations, and human-machine interface (HMI) computers.
- **Timeframe:** January 1, 2019, to June 30, 2019.
### Tools & Technologies
- Kaspersky Security Network (KSN) for cloud-based threat intelligence.
- Specialized ICS-targeted detection engines.
- Heuristic and signature-based analysis.
## Key Findings
### Primary Results
1. **Prevalence of attacks:** Malicious objects were blocked at least once on 41.2% of ICS computers worldwide during H1 2019.
2. **Shift in Vectors:** While the internet remains the primary source of infection, there was a notable increase in threats delivered via removable media and email.
3. **Geographic Variation:** Threats are disproportionately distributed, with high activity in developing regions (Africa, Asia, Latin America) and lower activity in Northern Europe and North America.
### Supporting Evidence
- **Internet:** Threats originating from internet sources were blocked on 25.6% of ICS computers.
- **Removable media:** Threats arriving on USB drives and other removable media were blocked on 8.3% of ICS computers.
- **Email clients:** Threats arriving through email clients were blocked on 8.1% of ICS computers.
- **Top Industries:** "Energy" and "Automotive Manufacturing" saw the highest percentages of attacked computers.
### Novel Contributions
- Classification of "industrial" malware vs. "general" malware impacting industrial environments.
- Detailed breakdown of regional shifts in threat types (e.g., the prevalence of worms in specific geographic clusters).
## Technical Details
The report details the variety of malicious objects detected:
- **Trojans and Spies:** Increasing use of multifunctional malware (e.g., AgentTesla) designed to exfiltrate authentication data for VPNs, RDP, and industrial software.
- **Insecure Architecture:** Many infections originated from "dual-homed" computers connected simultaneously to the industrial network and the public internet, which undermines the common assumption that the industrial network is air-gapped.
- **Ransomware:** While overall volume decreased, "WannaCry" remains a persistent threat in industrial segments due to patch-management difficulties.
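The "dual-homed" finding above is something a defender can audit from an asset inventory rather than discover after an infection. The following is an added example, not code from the Kaspersky report: given a host inventory, it flags machines that have an interface in the industrial (OT) address space and another in corporate IT space or on the public internet, or whose default route leaves through a non-OT interface. The OT ranges, the inventory format and every host listed are constructed assumptions for this example.

```python
"""Dual-homed host audit (added example; not from the Kaspersky report)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed OT address space for the site (example values, not from the report).
OT_NETWORKS = [
    ipaddress.ip_network("10.50.0.0/16"),       # process control
    ipaddress.ip_network("192.168.100.0/24"),   # HMI / engineering segment
]

# RFC 1918 is checked explicitly: ipaddress's is_private also treats the
# documentation ranges (e.g. 203.0.113.0/24) as private, which would hide
# the "public" interface in the sample inventory below.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Host:
    name: str
    role: str
    interfaces: List[str]              # CIDR strings, e.g. "10.50.1.20/24"
    default_gateway: Optional[str] = None


def zone(ip: ipaddress.IPv4Address) -> str:
    """Classify an address as 'ot', 'it' (other RFC 1918 space) or 'public'."""
    if any(ip in net for net in OT_NETWORKS):
        return "ot"
    if any(ip in net for net in RFC1918):
        return "it"
    return "public"


def audit_host(host: Host) -> List[str]:
    """Return the reasons a host counts as dual-homed (empty list = clean)."""
    ifaces = [ipaddress.ip_interface(cidr) for cidr in host.interfaces]
    zones = {zone(i.ip) for i in ifaces}
    reasons = []
    # Two OT interfaces (e.g. control + HMI VLAN) are fine; OT plus anything else is not.
    if "ot" in zones and zones - {"ot"}:
        reasons.append("interfaces in OT and non-OT networks: " + ", ".join(sorted(zones)))
    if "public" in zones:
        reasons.append("interface with a public (non-RFC 1918) address")
    # A default route that exits via a non-OT interface means the host actively
    # routes towards the corporate network or the internet.
    if host.default_gateway and "ot" in zones:
        gw = ipaddress.ip_address(host.default_gateway)
        egress = next((i for i in ifaces if gw in i.network), None)
        if egress is not None and zone(egress.ip) != "ot":
            reasons.append(f"default route leaves OT via {egress.with_prefixlen}")
    return reasons


def audit(hosts: List[Host]) -> Dict[str, List[str]]:
    """Map host name -> findings, for hosts with at least one finding."""
    findings = {}
    for host in hosts:
        reasons = audit_host(host)
        if reasons:
            findings[host.name] = reasons
    return findings


# Constructed inventory for the example (hypothetical hosts and addresses).
INVENTORY = [
    Host("HMI-01", "HMI", ["10.50.1.20/24"], "10.50.1.1"),
    Host("ENG-WS-02", "Engineering workstation",
         ["10.50.2.15/24", "172.16.8.40/24"], "172.16.8.1"),
    Host("HIST-01", "Historian", ["10.50.3.10/24", "192.168.100.10/24"], "10.50.3.1"),
    Host("GW-03", "Data gateway", ["192.168.100.5/24", "203.0.113.17/29"], "203.0.113.22"),
]

if __name__ == "__main__":
    for name, reasons in audit(INVENTORY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against a real inventory export, the same rules catch the engineering workstation that was given a corporate NIC "temporarily" and the gateway that was exposed directly; the historian with two OT interfaces is correctly left alone.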
## Practical Implications
### For Security Practitioners
- **Access Control:** Enforce strict controls over the use of removable media (USB drives); it remains a top-three infection vector.
- **Legacy Systems:** Prioritize compensating controls for legacy systems that cannot be patched against known exploits like EternalBlue.
### For Defenders
- **Email Filtering:** Implement robust sandboxing and attachment filtering on the corporate mail systems whose clients run on, or are reachable from, computers in the industrial network.
- **Monitoring:** Implement continuous monitoring of industrial network traffic to identify "living off the land" (LotL) techniques.
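Two of the report's observations translate directly into traffic-level detections: ICS computers that reach outside the industrial network (the internet-as-vector finding), and SMB/tcp 445 fan-out from a single host, which is how WannaCry-style worms spread through unpatched segments. The block below is an added example, not code from the report, and runs over a constructed, reduced conn-log extract (tab-separated ts, orig_h, orig_p, resp_h, resp_p, proto, modelled on Zeek's conn.log but not its full column set). The OT range, the window and the fan-out threshold are assumptions.

```python
"""Flow-log detections for OT egress and SMB fan-out (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]          # assumed OT range
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one OT workstation (10.50.2.15) talks to the internet
# and then probes six neighbours on tcp/445 within half a second; an HMI talks
# to a corporate host; the rest is normal Modbus (tcp/502) traffic.
CONN_LOG = """\
1561900000.10\t10.50.1.20\t49152\t10.50.1.5\t502\ttcp
1561900001.20\t10.50.2.15\t49201\t93.184.216.34\t443\ttcp
1561900002.00\t10.50.3.10\t51000\t10.50.1.5\t502\ttcp
1561900003.50\t10.50.2.15\t49310\t10.50.1.21\t445\ttcp
1561900003.60\t10.50.2.15\t49311\t10.50.1.22\t445\ttcp
1561900003.70\t10.50.2.15\t49312\t10.50.1.23\t445\ttcp
1561900003.80\t10.50.2.15\t49313\t10.50.1.24\t445\ttcp
1561900003.90\t10.50.2.15\t49314\t10.50.1.25\t445\ttcp
1561900004.00\t10.50.2.15\t49315\t10.50.1.26\t445\ttcp
1561900005.00\t10.50.3.10\t51001\t10.50.3.50\t445\ttcp
1561900006.00\t10.50.1.20\t49153\t172.16.8.40\t8080\ttcp
"""


@dataclass
class Conn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_conn_log(text: str) -> Iterator[Conn]:
    """Parse the reduced tab-separated format; skips blank and '#' lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        yield Conn(float(ts), src, int(sport), dst, int(dport), proto)


def zone(addr: str) -> str:
    """'ot' for the industrial range, 'corporate' for other RFC 1918, else 'internet'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in OT_NETWORKS):
        return "ot"
    if any(ip in n for n in RFC1918):
        return "corporate"
    return "internet"


def detect(conns: Iterable[Conn], window: float = 60.0, fanout_threshold: int = 5) -> List[Dict]:
    """Return alerts for OT hosts leaving OT and for SMB fan-out within `window` seconds."""
    alerts: List[Dict] = []
    smb_targets = defaultdict(list)            # src -> [(ts, dst)] for tcp/445
    for c in conns:
        if zone(c.src) == "ot":
            dst_zone = zone(c.dst)
            if dst_zone != "ot":               # any egress from OT is worth an alert
                alerts.append({"type": "ot_egress", "src": c.src, "dst": c.dst,
                               "dport": c.dport, "zone": dst_zone})
        if c.proto == "tcp" and c.dport == 445:
            smb_targets[c.src].append((c.ts, c.dst))
    # Worm-like behaviour: many distinct 445 targets from one source in a short window.
    for src, events in smb_targets.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {d for t, d in events[i:] if t - t0 <= window}
            if len(distinct) >= fanout_threshold:
                alerts.append({"type": "smb_fanout", "src": src,
                               "targets": len(distinct), "window_s": window})
                break                          # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_conn_log(CONN_LOG)):
        print(alert)
```

The fan-out threshold is the tuning knob: legitimate file-server clients rarely open SMB to more than a handful of peers in a minute, whereas a self-propagating sample hits every address in the subnet. The egress rule is deliberately blunt (any OT-to-non-OT flow) because on a properly segmented network that set should be empty or an explicit allowlist.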
### For Researchers
- **Cross-Sector Vulnerabilities:** Need for more research into how general-purpose malware is specifically modified to disrupt PLCs or IEDs.
## Limitations
- **Selection Bias:** The data is limited to systems running Kaspersky security solutions.
- **Air-Gapped Blind Spots:** Non-connected systems that do not report telemetry are not represented in the statistical aggregate.
## Comparison to Prior Work
Compared to the H2 2018 report, this research identifies a slight downward trend in the *quantity* of attacks but an upward trend in the *complexity* and targeted nature of the malware used against industrial targets.
## Real-world Applications
- **Implementation:** Organizations can use the regional threat data to adjust their threat models based on their geographical footprint.
- **Policy:** Informing corporate policies on the separation of corporate IT and industrial OT (operational technology) networks.
## Future Work
- Analysis of the long-term impact of 5G and IoT integration on the industrial perimeter.
- Further study into the role of compromised supply chains in delivering malware to isolated ICS environments.
## References
- Kaspersky ICS CERT Technical Reports: https://ics-cert.kaspersky.com/publications/reports/
- Kaspersky Security Network Statistics 2019.