Mining, spying, self-replicating – energy sector under cyberthreat pressure
This article has been supplied as a media statement and is not written by Creamer Media. It may be available only for a limited time on this website.
Kaspersky solutions were triggered on almost half of industrial control system (ICS) computers in the energy sector globally in the first six months of 2019. The top three cyberthreats were worms, spyware, and cryptocurrency miners – together, they combined to make almost 14% of the share of targeted computers.
These are among the main findings of the Kaspersky ICS CERT report on the industrial threat landscape in the first half of 2019.
Industrial cyber incidents are among the most dangerous as they may result in production downtime and tangible financial losses and are quite hard to overcome. This is especially the case when the incident occurs in critical, life-supporting sectors, such as energy. Statistics for H1 2019, automatically processed by Kaspersky security technologies, have shown that those who manage energy solutions should not let their guard down.
Overall, during the observed period of time, Kaspersky products were triggered on 41.6% of ICS computers in the energy sector. A large number of conventional malware samples –– not designed for ICS — were blocked.
Among the malicious programmes which were blocked, the greatest danger was posed by cryptocurrency miners (2.9%), worms (7.1%), and a variety of versatile spyware (3.7%). Infection with such malware can negatively affect the availability and integrity of ICS and other systems that are part of the industrial network. Among these detected threats, some are of particular interest.
This includes AgentTesla, specialised Trojan Spy malware, designed to steal authentication data, screenshots, and data captured from the web camera and keyboard. In all of the analysed cases, the attackers sent data via compromised mailboxes at various companies. Aside from malware threat, Kaspersky products also identified and blocked cases of the Meterpreter backdoor which was being used to remotely control computers on the industrial networks of energy systems. Attacks that use the backdoor are targeted and stealthy and are often conducted in manual mode. The ability of the attackers to control infected ICS computers stealthily and remotely poses a huge threat to industrial systems.
Last but not least, the company’s solutions detected and blocked Syswin, a new wiper worm written in Python and packed into the Windows executable format. This threat can have a significant impact on ICS computers due to its ability to self-propagate and destroy data.
The energy sector was not the only one to face malicious objects and activities. Other industries, analysed by Kaspersky experts, have also shown no reason for relief with automotive manufacturing (39.3%) and building automation (37.8%) taking the second and the third places in terms of percentage of the number of ICS computers on which malicious objects were blocked.
Other findings of the report include:
On average, ICS computers do not operate entirely inside a security perimeter typical of corporate environments, and are, to a large extent, protected from many threats, which are also relevant to home users, using their own measures and tools. In other words, tasks related to protecting the corporate segment and the ICS segment are to some extent unrelated.
In general, the level of malicious activity inside the ICS segment is connected with the ‘background’ malware activity in the country.
On average, in countries where the situation with the security of the ICS segment is favorable, the low levels of attacked ICS computers are attributable to protection measures and tools that are used rather than a generally low background level of malicious activity.
Self-propagating malicious programmes are very active in some countries. In the cases analysed, these were worms (malicious Worm class objects) designed to infect removable media (USB flash drives, removable hard drives, mobile phones, etc.). It appears that infections with worms via removable media is the most common scenario that could happen to ICS computers.
“The collected statistics, as well as analysis into industrial cyberthreats, are a proven asset for assessing current trends and predicting what type of danger we should all prepare for. This report has identified that security experts should be particularly cautious about malicious software that aims to steal data, spy on critically important objects, penetrate the perimeter and destroy the data. All of these types of incident could cause lots of trouble for industry”, says Kirill Kruglov, security researcher at Kaspersky.
Kaspersky ICS CERT recommends implementing the following technical measures:
- Regularly update operating systems, application software and security solutions on systems that are part of the enterprise’s industrial network.
- Restrict network traffic on ports and protocols used on edge routers and inside the organisation's OT networks.
- Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.
- Provide dedicated regular training and support for employees as well as partners and suppliers with access to your OT/ICS network.
- Deploy dedicated endpoint protection solution such as Kaspersky Industrial CyberSecurity on ICS servers, workstations and HMIs to secure OT and industrial infrastructure from random cyberattacks; and network traffic monitoring, analysis and detection solutions for better protection from targeted attacks.
Comments
Press Office
Announcements
What's On
Subscribe to improve your user experience...
Option 1 (equivalent of R125 a month):
Receive a weekly copy of Creamer Media's Engineering News & Mining Weekly magazine
(print copy for those in South Africa and e-magazine for those outside of South Africa)
Receive daily email newsletters
Access to full search results
Access archive of magazine back copies
Access to Projects in Progress
Access to ONE Research Report of your choice in PDF format
Option 2 (equivalent of R375 a month):
All benefits from Option 1
PLUS
Access to Creamer Media's Research Channel Africa for ALL Research Reports, in PDF format, on various industrial and mining sectors
including Electricity; Water; Energy Transition; Hydrogen; Roads, Rail and Ports; Coal; Gold; Platinum; Battery Metals; etc.
Already a subscriber?
Forgotten your password?
Receive weekly copy of Creamer Media's Engineering News & Mining Weekly magazine (print copy for those in South Africa and e-magazine for those outside of South Africa)
➕
Recieve daily email newsletters
➕
Access to full search results
➕
Access archive of magazine back copies
➕
Access to Projects in Progress
➕
Access to ONE Research Report of your choice in PDF format
RESEARCH CHANNEL AFRICA
R4500 (equivalent of R375 a month)
SUBSCRIBEAll benefits from Option 1
➕
Access to Creamer Media's Research Channel Africa for ALL Research Reports on various industrial and mining sectors, in PDF format, including on:
Electricity
➕
Water
➕
Energy Transition
➕
Hydrogen
➕
Roads, Rail and Ports
➕
Coal
➕
Gold
➕
Platinum
➕
Battery Metals
➕
etc.
Receive all benefits from Option 1 or Option 2 delivered to numerous people at your company
➕
Multiple User names and Passwords for simultaneous log-ins
➕
Intranet integration access to all in your organisation