ICS endpoints more vital and susceptible to cyberthreats, following IT/OT convergence


ICS endpoints have become significantly more important and more susceptible to cyber threats, leading to a marked rise in ransomware activity in these environments in 2020, a Trend Micro whitepaper highlighted. The ICS infrastructure was repeatedly struck by a rise in Nefilim, Ryuk, LockBit and Sodinokibi ransomware attacks from September to December last year. Together, this group of ransomware families makes up more than half of the ransomware attacks that affected ICS operations in 2020.

In the white paper, titled “2020 Report on Threats Affecting ICS Endpoints,” Trend Micro summarized different types of threats that affected ICS (industrial control systems) endpoints the most in 2020.

To validate ICS security and establish a global baseline for examining the threats that plague these systems, Trend Micro analyzed and reported specific malware families found in ICS endpoints. The type of malware a cybercriminal chooses to wield in particular incidents offers a glimpse into the scope and severity of these cyberattacks, providing clues on two key aspects: the attackers and the affected network.

Interconnection between the business process on the IT side and the physical process on the operational technology (OT) side has pushed the security of ICS into the limelight. With IT/OT convergence, organizations are able to improve visibility, efficiency, and speed, while also exposing the ICS to security threats, which have been affecting IT networks for decades. 

Securing the ICS is also vital, especially the ICS endpoints involved in the design, monitoring and control of industrial processes, according to Trend Micro researchers. These ICS endpoints have specific software installed on them that performs important ICS functions, which typically run on Windows operating systems. The ICS endpoints can be found in various levels of the IT/OT network architecture, except the process and control level. 

Trend Micro data revealed that ransomware remains a concerning and rapidly evolving threat to ICS endpoints globally. The US is by far the country with the most ransomware detections affecting the ICS, with India, Taiwan and Spain coming in a distant second.

A vast number of U.S. organizations have fallen victim to ransomware attacks in recent months. Ransomware attacks have disrupted operations at industrial units and within the critical infrastructure segments, in addition to affecting operations at fuel pipeline company Colonial Pipeline, manufacturing operations at Sierra Wireless, and operations at the world’s largest food producer, JBS.

Ransomware in ICS infrastructure can cause a loss of view or control of physical processes, such as the February incident at a water treatment plant in the city of Oldsmar near Tampa, Florida, where unidentified cyber attackers were able to remotely gain access to a panel that controls the amount of sodium hydroxide in the water supply.

The researchers also said coinminers affect ICS mostly through unpatched operating systems. ICS endpoints are still vulnerable to the EternalBlue vulnerability, and coinminers that were distributed through the Equation Group tools exploiting this vulnerability were rampant in several countries, especially in India.

The top coinminer family found on industrial control systems for 2020 is MALXMR, a post-intrusion coinminer, according to Trend Micro. “It was usually installed through fileless techniques, but starting in 2019, we have seen MALXMR infections that use Equation group tools to exploit the EternalBlue vulnerability to aid distribution and lateral movement,” it added.

Trend Micro also picked out Conficker (aka Downad) as a persistent threat for ICS endpoints, initially detected in 2008. The computer worm is still being persistently detected on 200 unique endpoints, and still propagates on ICS endpoints running newer operating systems. Variants of Conficker with the additional routine of brute-forcing admin shares can infect ICS endpoints, even if they are running an OS that is not vulnerable to MS08-067, a Windows Server Service vulnerability that Conficker can use as an attack vector. 

In networks running on the ICS infrastructure, Trend Micro detected old worm malware whose primary method of propagation is through network shares or removable USB drives. Even though this legacy malware is found in less than 2 percent of organizations, it is detected frequently and on several endpoints within the same network, signifying a localized outbreak.

Worms like Autorun, Gamarue, and Palevo became rampant in 2013 and 2014 but have since waned as security policies that disable autorun have become widely adopted. The older types of malware propagate through removable drives, and are still commonly detected in ICS endpoints, Trend Micro said in its white paper. 

Trend Micro also observed in its white paper that the malware detected on ICS endpoints varies between countries. By percentage, Japan had the fewest ICS endpoints affected by malware or potentially risky software, while China had the most such detections; the US had the most ransomware infections, and India had the most coinminer infections.

While ICS might be difficult to patch and update, it is necessary to patch the endpoints to protect them from cyber threats and attacks. If patching is not an option, virtual patching can help fill in security gaps. It would also help to implement micro-segmentation in the network to enhance security by restricting network access and communications to the necessary devices and protocols. Organizations are also advised to use malware detections as one of the criteria of IT/OT networks’ cybersecurity readiness, in order to improve their security posture and protect the ICS endpoints.

With the prevailing rise in ransomware attacks, Trend Micro observes that post-intrusion ransomware is commonly the end product of an existing compromise, not the cause of it. If ransomware is found in ICS endpoints, it means the access to such a system is poorly secured or the network is fully compromised. To address this, organizations must use a safelist or “allow list,” and conduct incident response and network sweeping for indicators of compromise (IoCs).
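As an added illustration (not code from the Trend Micro white paper), the following script applies the readiness logic described above to constructed endpoint detections: it groups detections by network segment and malware family, flags a localized outbreak when one family is found on several endpoints in the same network, and treats any ransomware detection as evidence of an existing compromise that calls for an IoC sweep rather than just removing the sample. The family-to-category mapping, network names, hostnames and outbreak threshold are assumptions chosen for the example.

```python
# Added example: triage of constructed ICS endpoint malware detections.
# Families and categories are the ones named in the article; the networks,
# hostnames and the outbreak threshold are assumptions for this example.
from collections import defaultdict

FAMILY_CATEGORY = {
    "Nefilim": "ransomware", "Ryuk": "ransomware",
    "LockBit": "ransomware", "Sodinokibi": "ransomware",
    "MALXMR": "coinminer",
    "Conficker": "legacy_worm", "Autorun": "legacy_worm",
    "Gamarue": "legacy_worm", "Palevo": "legacy_worm",
}

# Constructed sample detections: (network segment, endpoint hostname, family).
SAMPLE_DETECTIONS = [
    ("plant-a-ot", "hmi-01", "Conficker"),
    ("plant-a-ot", "hmi-02", "Conficker"),
    ("plant-a-ot", "eng-ws-03", "Conficker"),
    ("plant-a-ot", "historian-01", "MALXMR"),
    ("corp-it", "fileserver-01", "Ryuk"),
    ("corp-it", "laptop-117", "Gamarue"),
]

OUTBREAK_THRESHOLD = 3  # endpoints in one network hit by the same family


def triage(detections, threshold=OUTBREAK_THRESHOLD):
    """Return (outbreaks, networks_to_sweep, counts_by_category)."""
    hosts_hit = defaultdict(set)  # (network, family) -> endpoints affected
    counts = defaultdict(int)
    networks_to_sweep = set()
    for network, host, family in detections:
        category = FAMILY_CATEGORY.get(family, "unknown")
        counts[category] += 1
        hosts_hit[(network, family)].add(host)
        if category == "ransomware":
            # Post-intrusion ransomware is the end product of an existing
            # compromise: the whole network needs an IoC sweep.
            networks_to_sweep.add(network)
    outbreaks = sorted(
        (net, fam, len(hosts)) for (net, fam), hosts in hosts_hit.items()
        if len(hosts) >= threshold
    )
    return outbreaks, sorted(networks_to_sweep), dict(counts)


if __name__ == "__main__":
    for result in triage(SAMPLE_DETECTIONS):
        print(result)
```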

The number of cyberattacks on organizations has been on the increase with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) also reporting on Sunday the presence of a vulnerability in Kaseya VSA software, which cyber attackers have exploited. The targets seem to be mainly managed service providers (MSPs) and their customers. There has so far been no clear indication that operational technology and ICS environments have been affected.

“Unlike SolarWinds, the cybercriminals behind this attack apparently had monetary gain rather than cyber espionage in their sights, eventually planting ransomware while exploiting the trust relationship between Kaseya and its customers,” ESET researchers, Cameron Camp and Aryeh Goretsky wrote in a blog post.
