Full Report
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017.
Analysis Summary
# Research: Threat Landscape for Industrial Automation Systems in H1 2017
## Metadata
- **Authors:** Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT)
- **Institution:** Kaspersky Lab
- **Publication:** Kaspersky ICS CERT Reports
- **Date:** September 28, 2017
## Abstract
This research provides a comprehensive analysis of the cyber threat landscape affecting Industrial Control Systems (ICS) globally during the first half of 2017. The report details the prevalence of malware, the primary sources of infection, and geographic variations in threat distribution. It highlights a critical trend: rather than specialized ICS-specific malware, industrial systems are increasingly being compromised by common, "traditional" malware, often introduced via the internet and removable media.
## Research Objective
The primary objective of this study was to quantify and qualify the cyber threats faced by industrial automation systems globally. It aimed to answer:
1. What percentage of ICS computers are being attacked?
2. What are the primary vectors of infection (web, email, removable media)?
3. How do threat landscapes vary across different industries and geographic regions?
4. What is the prevalence of "ransomware" within industrial environments?
## Methodology
### Approach
The research employed a quantitative empirical analysis based on anonymized telemetry data. The study tracked the execution and attempted execution of malware on computers used in industrial infrastructures.
### Dataset/Environment
- **Sample Size:** Tens of thousands of ICS computers protected by Kaspersky Lab products.
- **System Types:** Windows-based systems including SCADA servers, Data Historians, HMI stations, engineering workstations, and computers used for managing industrial networks.
- **Timeline:** January 1, 2017 – June 30, 2017.
### Tools & Technologies
- **Kaspersky Security Network (KSN):** A distributed cloud-based infrastructure for processing anonymized security data.
- **Signature-based and Heuristic Detection:** Used to categorize malware families.
- **Geography/Vertical Categorization:** Data was segmented by country and industrial sector (e.g., manufacturing, energy, oil and gas).
## Key Findings
### Primary Results
1. **High Attack Prevalence:** 37.6% of ICS computers protected by Kaspersky Lab faced at least one malware attack during H1 2017.
2. **The Internet as the Primary Vector:** Internet-borne threats accounted for 29% of attacks, followed by removable storage media (10.9%) and email clients (3.3%).
3. **Ransomware Growth:** ICS computers across 63 countries were attacked by encryption ransomware, including high-profile cases like WannaCry and ExPetr.
4. **Geographic Disparity:** Industrial systems in developing regions (Vietnam, Algeria, Morocco) faced significantly higher threat levels than those in developed regions (Denmark, Ireland, Switzerland).
### Supporting Evidence
- **Percentage Change:** The share of ICS computers attacked rose from 34.3% in July 2016 to nearly 40% by the end of H1 2017.
- **Top Malware Categories:** Trojans (found on 18.2% of computers) and Worms (13.1%) were the most prevalent threats.
### Novel Contributions
- This report was among the first to provide large-scale empirical evidence that the "Air Gap" is largely a myth in modern industry, as evidenced by the high volume of internet-based infections.
- It provided a granular look at how general-purpose malware affects specialized industrial endpoints.
## Technical Details
The report highlights that most malware detected on ICS computers represents "unintentional" attacks: programs (Trojans, miners, spyware) not designed for SCADA or PLC protocols, but which still create significant operational risk by consuming system resources, opening backdoors, or encrypting critical process data. The study also noted the emergence of **WannaCry**, which used the EternalBlue exploit, demonstrating how vulnerabilities in the legacy Windows systems common in industrial environments can lead to catastrophic outages.
## Practical Implications
### For Security Practitioners
- **Patch Management:** The prevalence of exploit-driven malware (like WannaCry) underscores the need for rigorous but well-tested patching cycles for industrial Windows hosts.
- **Asset Inventory:** Security teams must identify "hidden" internet connections in the ICS environment that are bypassing official gateways.
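One way to act on the asset-inventory recommendation, as an added example that is not part of the report: a script that scans flow records from the ICS segment for hosts reaching external addresses through anything other than the sanctioned gateway. The segment address, gateway address, log format and sample flows are all assumptions constructed for the example.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Assumptions, not taken from the report: the ICS segment is 10.20.0.0/16 and the
# only sanctioned route to the internet is the proxy/gateway at 10.20.255.1.
ICS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
SANCTIONED_GATEWAY = ipaddress.ip_address("10.20.255.1")
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real telemetry). Each row: timestamp, source,
# destination, destination port and the gateway the flow left the segment through.
SAMPLE_FLOWS = """\
ts,src,dst,dport,egress
2017-03-01T08:00:07,10.20.1.15,198.51.100.20,443,10.20.255.1
2017-03-01T08:01:12,10.20.3.40,203.0.113.9,80,192.168.77.1
2017-03-01T08:01:13,10.20.3.40,203.0.113.9,80,192.168.77.1
2017-03-01T08:02:30,10.20.4.8,10.20.4.9,502,10.20.4.9
2017-03-01T08:03:45,10.20.7.22,198.51.100.77,8443,10.20.7.22
2017-03-01T08:04:01,10.30.0.5,203.0.113.50,443,10.30.0.1
"""


def is_internal(addr):
    """True for RFC 1918 space; anything else is treated as the internet."""
    return any(addr in net for net in INTERNAL_RANGES)


def find_hidden_internet_paths(log_text):
    """Return {ics_host: {unsanctioned_gateway: flow_count}} for ICS hosts that
    reached external addresses through anything but the sanctioned gateway."""
    findings = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        egress = ipaddress.ip_address(row["egress"])
        if src not in ICS_SEGMENT or is_internal(dst):
            continue  # not an ICS host, or purely internal traffic (e.g. Modbus)
        if egress == SANCTIONED_GATEWAY:
            continue  # left through the official, monitored path
        findings[str(src)][str(egress)] += 1
    return {host: dict(gateways) for host, gateways in findings.items()}


if __name__ == "__main__":
    for host, gateways in find_hidden_internet_paths(SAMPLE_FLOWS).items():
        print(f"{host}: unsanctioned internet path(s) via {gateways}")
```

A host whose egress is its own address (10.20.7.22 above) is the classic second NIC or cellular modem case; a host using an unknown router (192.168.77.1) points to an undocumented network link.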
### For Defenders
- **Disabling Unnecessary Services:** Minimize the attack surface by disabling Windows services not required for industrial operations.
- **Removable Media Control:** Implement strict policies and technical controls (e.g., "Sheep Dip" stations) for USB drives, which remain a top-three infection vector.
### For Researchers
- **Cross-Domain Analysis:** There is a need for further research into how IT malware behavior changes when operating in constrained OT environments.
- **Geopolitical Correlation:** Study the link between regional economic development and the maturity of industrial cybersecurity.
## Limitations
- **Data Bias:** The study only reflects systems running Kaspersky Lab security software.
- **Lack of Impact Data:** The telemetry identifies *detections* and *preventions* but does not necessarily quantify the financial or physical damage of successful breaches.
- **Anonymization:** Due to privacy, specific company names or detailed network topology information are not included.
## Comparison to Prior Work
Unlike previous reports that focused heavily on "BlackEnergy" or "Stuxnet-style" targeted attacks, this H1 2017 report shifted focus to the "mass-market" threat landscape. It highlighted that for most ICS operators, the immediate threat is not a nation-state actor using a zero-day, but rather common ransomware or worms.
## Real-world Applications
- **Policy Development:** Using this data to justify the transition from reactive "air-gap" mindsets to proactive "defense-in-depth" strategies.
- **Training:** Developing social engineering simulations based on the high percentage of email-borne threats identified.
## Future Work
- Monitoring the evolution of IoT-based botnets and their potential to bridge into industrial control networks.
- Analyzing the long-term efficacy of "Industrial EDR" (Endpoint Detection and Response) in reducing the 37.6% attack rate.
## References
- Kaspersky ICS CERT Full Report: `https://ics-cert.kaspersky[.]com/media/Kaspersky-ICS-CERT-ICS-H1-2017-report-final-En.pdf`
- Related: [Analysis of WannaCry in Industrial Environments]
- Related: [ExPetr/NotPetya Impact on Global Logistics]