
ICS Worldwide Statistics

All statistics were obtained from Kaspersky Security Network – a complex distributed infrastructure that provides intelligent processing of cybersecurity-related data streams. Data is received from ICS computers protected by Kaspersky Lab solutions, from users who have voluntarily agreed to share this data with KSN by accepting the corresponding agreement. Data sent to Kaspersky Lab by users is not attributed to a specific individual and is anonymized wherever possible.

We define attacked computers as those on which Kaspersky Lab security solutions were triggered during the reporting period. When calculating percentages of machines attacked, we use the ratio of unique computers attacked to all ICS computers from which Kaspersky Lab ICS CERT received anonymized information during the reporting period.

Geographical distribution of attacks on industrial automation systems

[Interactive map: percentage of attacked ICS computers in each country (scale 0% to 100%), filterable by source of threats (all sources, internet, email clients, network shares, removable media) and by reporting period in 2017 (entire year, half-year, quarter or month).]

The map shows, for each country, the percentage of industrial automation systems attacked relative to the total number of industrial automation systems in that country from which Kaspersky Lab ICS CERT received anonymized information during the reporting period.

TOP 15 countries by percentage of ICS computers attacked


Percentage of industrial automation systems attacked in each country relative to all industrial automation systems in that country from which Kaspersky Lab ICS CERT received anonymized information during the reporting period.

The calculations exclude countries from which we did not receive adequate statistics during the reporting period.
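The metric defined above (unique attacked computers over all reporting computers, per country, with thinly covered countries excluded) can be reproduced over any detection telemetry. The following is an added example, not Kaspersky Lab code: the event layout, the country codes `AA`/`BB`/`CC` and the `MIN_COMPUTERS` cut-off are assumptions, since the page does not state what counts as adequate statistics.

```python
from collections import defaultdict

# Constructed sample telemetry: (computer_id, country, month, source).
# source is None when the computer reported in but nothing was blocked.
EVENTS = [
    ("pc-01", "AA", "2017-01", "internet"),
    ("pc-01", "AA", "2017-01", "internet"),        # repeat detection, same machine
    ("pc-01", "AA", "2017-02", "removable media"),
    ("pc-02", "AA", "2017-01", None),
    ("pc-03", "AA", "2017-02", "email clients"),
    ("pc-04", "AA", "2017-02", None),
    ("pc-05", "BB", "2017-01", "network shares"),
    ("pc-06", "BB", "2017-01", None),
    ("pc-07", "CC", "2017-01", "internet"),        # only reporting machine in CC
]

MIN_COMPUTERS = 2  # assumed cut-off for "adequate statistics"; the page gives none


def attacked_percentage(events, period=None, source=None,
                        min_computers=MIN_COMPUTERS):
    """Per-country % of unique reporting computers with at least one block.

    period: month prefix such as "2017" or "2017-01" (None = all data).
    source: count only blocks from one threat source (None = all sources).
    """
    reporting = defaultdict(set)  # country -> every computer that sent data
    attacked = defaultdict(set)   # country -> computers with a matching block
    for computer, country, month, src in events:
        if period and not month.startswith(period):
            continue
        reporting[country].add(computer)
        if src is not None and (source is None or src == source):
            attacked[country].add(computer)

    result = {}
    for country, machines in reporting.items():
        if len(machines) < min_computers:
            continue  # excluded: too few computers for a meaningful ratio
        result[country] = round(100.0 * len(attacked[country]) / len(machines), 1)
    return result
```

Because computers are counted as sets, a machine with several detections or detections in several months counts once, so a yearly figure is not the sum of the monthly ones.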

Percentage of ICS computers attacked globally by month

The data was received from ICS computers that are protected by Kaspersky Lab products and perform one or more of the following functions:

  • supervisory control and data acquisition servers (SCADA);
  • data storage servers (Historian);
  • data gateways (OPC);
  • stationary and mobile workstations of engineers and operators;
  • Human Machine Interface (HMI).

The statistics may also include data received from computers of industrial control system researchers, developers and integrators, as well as ICS computers used in test labs, classrooms and demonstration stands.

Main sources of threats blocked on ICS computers


The internet

Kaspersky Lab products regularly block ICS machines from accessing infected and phishing internet resources, as well as command-and-control and hosting servers used by malware. Online infection remains the most common vector of attacks on industrial control systems in both mass and targeted attacks. Watering hole tactics and injection of malicious code into the sites of suppliers, partners or contractors can be used to implement targeted attacks (the supply chain attack vector).

According to our data, many ICS computers have access to the internet on a regular basis – for example, during scheduled maintenance and when configuring equipment, installing software updates, etc.
About 40% of ICS computers in our sample have internet access on a permanent basis or at least once a month.

Although, in some cases, internet access from ICS computers may be required by industrial processes, it is often the result of oversight and a negligent approach to security.

Removable media

Malware infections can occur when connecting infected removable data media, such as USB flash drives, external hard drives or mobile phones, to a system.

This malware propagation method is used, among other cases, in targeted and APT attacks in order to bridge the “air gap” designed to isolate critical information systems of organizations.

Email clients

The main sources of email threats are malicious attachments and links to infected sites sent in messages. In most cases, such messages are sent as part of malicious spam or phishing email distribution.

Spear phishing (sending emails that were carefully crafted with specific potential victims in mind to selected targets) has been used in numerous cases as one of the initial steps in targeted attacks.

Network shares

Services that provide access to file systems on remote computers, such as SMB/CIFS, are among the main sources of information security problems at enterprises. Vulnerabilities in these services have been exploited on many occasions to conduct targeted and APT attacks (such as Stuxnet), as well as large-scale malicious campaigns (such as WannaCry and ExPetr).

Malware uses network shares to spread within an organization or between organizations – usually by copying itself to remote network folders and/or infecting files that are already located in these folders. Planting a malicious object on shared resources provides attackers with additional capabilities related to compromising user credentials and subsequently escalating privileges to develop the attack further.

Platforms used by malware


Update of June 29, 2017: After a detailed analysis of the ExPetr (Petya) samples used in these attacks, Kaspersky Lab experts believe that the attackers will not be able to decrypt the data, even in cases where the user has paid the ransom. Victims can only rely on deleted-file recovery tools and backups.