Full Report
In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017.
Analysis Summary
# Industry News: Kaspersky H2 2017 ICS Threat Report Highlights Shifting Industrial Attack Surfaces
## Summary
Kaspersky Lab’s ICS CERT has released its comprehensive analysis of the industrial automation threat landscape for the second half of 2017. The report identifies a stabilizing but diversifying threat environment where nearly 38% of industrial control systems (ICS) faced cyberattacks, driven largely by opportunistic malware and the increasing convergence of IT and OT networks.
## Key Details
- **Date:** March 26, 2018 (H2 2017 Reporting Period)
- **Companies Involved:** Kaspersky Lab ICS CERT
- **Category:** Market Research / Threat Intelligence
## The Story
The report details the findings of Kaspersky’s specialized Industrial Control Systems Cyber Emergency Response Team (ICS CERT). Throughout H2 2017, the team observed that while the percentage of attacked ICS computers slightly decreased—falling from 37.6% (H1) to 36.6% (H2)—the nature of the threats evolved.
Internet-born threats remain the primary vector (22.7%), followed by removable media (8.4%) and email clients (3.3%). A significant trend noted is the "collateral damage" caused by non-targeted, mass-market malware (cryptocurrency miners and general-purpose ransomware, for example), which is increasingly finding its way into air-gapped or semi-isolated industrial environments via bridgeheads in the corporate network.
## Business Impact
### For the Companies Involved
- **Kaspersky Lab:** Solidifies its position as a dominant thought leader in the niche but critical ICS security space. Detailed reporting serves as a sophisticated marketing tool to drive adoption of their "Kaspersky Industrial CyberSecurity" (KICS) suite.
### For Competitors
- **Vendors (Claroty, Nozomi, Dragos):** The data validates the growing market for passive monitoring and network visibility tools, as the report highlights that many industrial firms remain unaware of persistent infections.
### For Customers
- **Asset Owners:** There is a growing realization that "security through obscurity" is dead. Companies now face increased operational risks (downtime) not just from state actors, but from common internet "noise" like botnets.
### For the Market
- **Insurance and Compliance:** Such reports increase the pressure on the insurance market to refine cyber-underwriting for industrial risks and push regulators to mandate more stringent OT security controls.
## Technical Implications
The report highlights the rise of **WannaCry-style** self-propagating worms in industrial segments. Technically, the most significant innovation is the adaptation of cryptocurrency miners to run on low-power industrial gateway devices, which can cause unexpected CPU spikes and lead to critical system latency or failure in real-time environments.
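The symptom described above, a gateway whose CPU stays pinned rather than spiking briefly, is something a plant can watch for with ordinary telemetry. The following script is an added example, not code from the Kaspersky report or from KICS: it groups per-minute CPU samples by device and raises an alert only when saturation persists for several consecutive samples, so a one-off batch job is not confused with a miner. The device names, thresholds and telemetry values are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, List, Tuple

Sample = Tuple[str, int, float]  # (device, unix_seconds, cpu_percent)

# Constructed telemetry, one sample per minute per gateway (not real data).
SAMPLES: List[Sample] = [
    # gw-line1: idle gateway, normal behaviour throughout
    ("gw-line1", 0, 12), ("gw-line1", 60, 15), ("gw-line1", 120, 11),
    ("gw-line1", 180, 14), ("gw-line1", 240, 13), ("gw-line1", 300, 12),
    # gw-line2: CPU pinned for five consecutive minutes, the miner-like pattern
    ("gw-line2", 0, 14), ("gw-line2", 60, 97), ("gw-line2", 120, 99),
    ("gw-line2", 180, 98), ("gw-line2", 240, 99), ("gw-line2", 300, 97),
    # gw-line3: a single one-minute spike (e.g. a scheduled job), not sustained
    ("gw-line3", 0, 10), ("gw-line3", 60, 95), ("gw-line3", 120, 12),
    ("gw-line3", 180, 11), ("gw-line3", 240, 13), ("gw-line3", 300, 10),
]


@dataclass(frozen=True)
class Alert:
    device: str
    start: int        # timestamp of the first saturated sample in the run
    end: int          # timestamp of the last saturated sample in the run
    mean_cpu: float   # average CPU over the run, rounded to one decimal


def sustained_load(samples: Iterable[Sample], threshold: float = 90.0,
                   min_consecutive: int = 4) -> List[Alert]:
    """Return one Alert per run of at least min_consecutive samples at or above threshold.

    Persistence is the discriminator: a miner keeps the cores busy indefinitely,
    while a legitimate job on a gateway finishes and the load drops again.
    Requiring several consecutive saturated samples suppresses gw-line3's spike.
    """
    by_device = defaultdict(list)
    for device, ts, cpu in samples:
        by_device[device].append((ts, cpu))

    alerts: List[Alert] = []
    for device, series in sorted(by_device.items()):
        series.sort()                       # samples may arrive out of order
        run: List[Tuple[int, float]] = []
        # A sentinel below the threshold flushes whatever run is open at the end.
        for ts, cpu in series + [(-1, -1.0)]:
            if cpu >= threshold:
                run.append((ts, cpu))
                continue
            if len(run) >= min_consecutive:
                alerts.append(Alert(device, run[0][0], run[-1][0],
                                    round(mean(c for _, c in run), 1)))
            run = []
    return alerts


if __name__ == "__main__":
    for alert in sustained_load(SAMPLES):
        print(f"{alert.device}: CPU >= 90% from t={alert.start}s to t={alert.end}s "
              f"(mean {alert.mean_cpu}%)")
```

In practice the threshold and run length would be tuned per device class, since a gateway that legitimately runs near capacity during a shift change needs a longer window than one that normally idles; the structure of the check stays the same.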
## Strategic Analysis
- **Market Positioning:** Kaspersky positions itself as the "bridge" between traditional antivirus and specialized industrial protection.
- **Competitive Advantage:** Their massive global install base (KSN) allows for data collection that smaller, OT-specific startups cannot match.
- **Challenges:** Ongoing geopolitical tensions regarding Russian-headquartered software may limit the adoption of these findings by government bodies in certain Western jurisdictions, regardless of the report's technical merit.
## Industry Reactions
- **Analyst Opinions:** Analysts view the 37.8% annual infection rate as a "wake-up call" for the manufacturing and energy sectors.
- **Market Response:** There is an increased focus on "Integrated Security Content," where threat intel is no longer seen as a luxury but a core part of the industrial tech stack.
## Future Outlook
- **Predictions:** Expect a rise in "Industrial Ransomware" where attackers specifically target human-machine interfaces (HMIs) for financial extortion.
- **What to watch for:** The integration of ICS security telemetry into broader "Smart City" and IIoT (Industrial IoT) management platforms.
## For Security Professionals
Practitioners should note that the most significant threat vector remains **removable media**. While sophisticated APTs grab headlines, the strategic priority for H2 2017 and beyond should be hardening USB ports on engineering workstations and implementing robust email filtering for engineers who have "temporary" internet access. Turning off unnecessary services on PLC-connected PCs is no longer optional; it is a critical safety requirement.
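The controls named above (removable-media hardening and a minimal service set on PLC-connected PCs) are easy to state and easy to drift away from, so it is worth auditing them from inventory data rather than trusting the build sheet. The script below is an added example and not code from the report or from any Kaspersky product. It assumes an asset-management export shaped like the constructed `INVENTORY` list, uses the Windows convention that a service `Start` value of 4 means disabled (3 means load on demand) for the USBSTOR driver, and treats `DENIED_SERVICES` and `APPROVED_SERIALS` as hypothetical site policy.

```python
from dataclasses import dataclass
from typing import Dict, List

# Windows service Start values: 3 = load on demand (USB storage works), 4 = disabled.
USBSTOR_DISABLED = 4

# Assumed site policy: services with no business on a PLC-connected workstation.
DENIED_SERVICES = {"RemoteRegistry", "TlntSvr", "SSDPSRV", "upnphost"}

# Assumed site policy: the only removable device sanctioned for file transfer.
APPROVED_SERIALS = {"APPROVED-001"}

# Constructed inventory export (not real hosts or devices).
INVENTORY = [
    {"host": "ENG-WS01", "usbstor_start": 4,
     "services": ["Dhcp", "Dnscache", "W32Time"],
     "usb_events": []},
    {"host": "ENG-WS02", "usbstor_start": 3,
     "services": ["Dhcp", "RemoteRegistry", "TlntSvr"],
     "usb_events": [{"vid": "0781", "pid": "5567", "serial": "4C530001"}]},
    {"host": "ENG-WS03", "usbstor_start": 4,
     "services": ["Dhcp", "SSDPSRV"],
     "usb_events": [{"vid": "0951", "pid": "1666", "serial": "APPROVED-001"}]},
]


@dataclass(frozen=True)
class Finding:
    host: str
    control: str   # "removable-media" or "services"
    detail: str


def audit(inventory) -> List[Finding]:
    """Compare each workstation against the policy and return every deviation."""
    findings: List[Finding] = []
    for ws in inventory:
        host = ws["host"]

        # Control 1: USB mass storage must be disabled at the driver level.
        if ws["usbstor_start"] != USBSTOR_DISABLED:
            findings.append(Finding(host, "removable-media",
                                    f"USBSTOR Start={ws['usbstor_start']} (expected {USBSTOR_DISABLED})"))

        # Control 2: none of the denied services may be present.
        for svc in sorted(set(ws["services"]) & DENIED_SERVICES):
            findings.append(Finding(host, "services", f"unnecessary service present: {svc}"))

        # Evidence check: any removable device that did appear must be an approved one.
        for ev in ws["usb_events"]:
            if ev["serial"] not in APPROVED_SERIALS:
                findings.append(Finding(host, "removable-media",
                                        f"unapproved device VID_{ev['vid']}&PID_{ev['pid']} "
                                        f"serial {ev['serial']}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per host so the noisiest workstations surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"{f.host:9} [{f.control}] {f.detail}")
    print("per-host totals:", summarize(results))
```

Run against the constructed inventory, ENG-WS01 is clean, ENG-WS03 has one stray discovery service, and ENG-WS02 fails both controls and has already seen an unapproved stick, which is the combination the paragraph above warns about.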