The ICS engineering sector differs from other industries because its operational technology (OT) environment is made up of various components, which leaves them vulnerable to a range of cyberthreats, Kaspersky highlighted in its ‘Threat landscape for the ICS engineering and integration sector 2020’ report.
Components in the OT environment, such as human-machine interfaces (HMIs), OPC gateways, and engineering, control and data acquisition software, often have direct and indirect connections to various industrial control systems, some of which may even belong to other industrial enterprises.
In this report, Kaspersky investigated cyberthreats blocked on computers that are used to engineer, configure and maintain industrial control equipment and software, and on which various software packages for the industrial control system (ICS) engineering and integration industry are installed.
Because an ICS engineering computer has more access rights and fewer restrictions, such as application control and device control, than the average ICS computer, it also has a wider attack surface, the company added. An ICS engineering computer usually allows the user to install any software, provides access to both ICS and corporate networks simultaneously, and is used to access the internet, email services, network file shares and instant messengers.
At the same time, Kaspersky found that ICS engineering environments normally react to new threats much faster than the average ICS computer environment. In a typical ICS environment, a computer can be repeatedly hit by the same malware, often by the same threat, due to a constant source of infection, which is not the case for the environment at an ICS engineering company.
In the second half of 2020, Kaspersky products were triggered on 39.3 percent of computers in the ICS engineering and integration sector. The last six months of 2020 also saw an increase in the percentages of malware blocked for several industries, including building automation, automotive manufacturing, energy, and oil and gas, though the biggest increase of 7.8 percent was in the ICS engineering sector.
In Latin America, the Middle East, Asia and North America, the percentage of ICS computers in ICS engineering environments that had malware blocked on them during the second half of 2020 was higher than the percentage for the first half of the same year. This was in contrast to Africa, Russia and Europe, where the percentage for the second half was lower than that for the first half of last year.
The North America region registered 22.8 percent of computers on which malware was blocked in the second half of last year, mainly associated with an increase in the number of web-miners blocked. The increase in the Middle East region was mostly due to an outbreak of Fast-Load AutoLISP modules that spread within infected AutoCAD projects and other self-propagating worms that spread via USB.
ICS engineering companies in southern and eastern regions of Europe mainly encountered phishing emails that were used to deliver spyware and cryptominers, which are usually capable of spreading inside a network either automatically or manually, according to Kaspersky. These worms use various techniques for network propagation, such as credential abuse, exploitation of vulnerabilities, and credential brute-forcing.