The Industrial Control Systems threat landscape

Published: Tuesday, 12 July 2016 08:26

Kaspersky Lab has published a report which looks at Industrial Control Systems (ICS) threats, vulnerabilities and controls. The report found that exposure of ICS to the Internet is a widespread issue, even though ICS are supposed to be run in a physically isolated environment.

Kaspersky Lab’s report states that it found 13,698 ICS hosts exposed to the Internet; and 91.1 percent of these hosts have vulnerabilities that can be exploited remotely.

Exposing ICS components to the Internet provides a lot of opportunities, but also raises many security concerns. On the one hand, connected systems are more flexible: they allow a fast reaction to critical situations and quick implementation of updates. On the other, the expansion of the Internet gives cybercriminals a chance to remotely control critical ICS components, which can result in physical harm to the equipment as well as potential danger to the whole critical infrastructure.

Sophisticated attacks on ICS systems are not new. In 2014, an organized group of hackers called BlackEnergy APT attacked a power company in Ukraine. In the same year two more incidents, supposedly connected with cyber-attacks, occurred in Europe: on a steel mill in Germany and on the Frederic Chopin Airport in Warsaw. More attacks of this kind will emerge in the future since the attack surface is big. Those 13,698 hosts, located in 104 countries, are only a small part of the total number of hosts with ICS components available through the Internet.

To help organizations working with ICS to identify their possible weak points, Kaspersky Lab experts conducted an investigation into ICS threats. Their analysis was based on OSINT (Open Source Intelligence) and information from public sources like ICS CERT, with the research period limited to 2015.

The major findings were:

“Our research shows that the larger the ICS infrastructure, the bigger the chance that it will have severe security holes. This is not the fault of a single software or hardware vendor. By its very nature, the ICS environment is a mix of different interconnected components, many of which are connected to the Internet and contain security issues. There is no 100 per cent guarantee that a particular ICS installation won’t have at least one vulnerable component at any single moment in time. However, this doesn’t mean that there is no way to protect a factory, a power plant, or even a block in a smart city from cyber-attacks. Simple awareness of vulnerabilities in the components used inside a particular industrial facility is the basic requirement for security management of the facility. That was one of the goals behind our report: to bring awareness to interested audiences,” said Andrey Suvorov, Head of Critical Infrastructure Protection, Kaspersky Lab.

In order to protect the ICS environment from possible cyber-attacks, Kaspersky Lab security experts advise the following: