24 April 2020

Threat landscape for industrial automation systems. 2019 Report at a glance

  • In 2019, Kaspersky ICS CERT identified 103 vulnerabilities in industrial, IIoT/IoT, and other types of solutions.
    • 33 of them are still not fixed by the vendors, though although all the information needed to identify the problem has been provided to them.
    • If exploited, 30.1% of the vulnerabilities identified could lead to remote code execution, 14.6% to a DoS condition. The exploitation of 13.6% of the vulnerabilities could result in privilege escalation or session hijacking.
    • The absolute majority of the flaws identified have CVSS v.3 base scores of 7.0 or more, which places them in the most severe group.
    • All the vulnerabilities arise from errors made in the process of developing software, including solution architecture. The most popular error type was CWE-787, “Out-of-bounds Write”, according to the Common Weakness Enumeration specification.
  • In H2 2019, malicious objects were blocked on 39.2% of all ICS computers
    globally – this is lower than in H1 2019 by 2 percentage points. The percentage for the entire year 2019 was 46.4%.
    • The percentage varies for different industrial environments, such as Building Automation (38%), Car Manufacturing (37.6%), Power & Energy (36.6%), Oil & Gas (36.3%) and Engineering and ICS Integration (32.7%).
    • The five most attacked countries in the ranking based on the percentage of ICS computers on which malicious activity was prevented have remained the same for a year and a half now: Vietnam (65.5%), Algeria (64.6%), Tunisia (58.8%), Morocco (56.6%) and Egypt (55.3%).
    • The five most secure countries and territories in H2 2019 were Ireland (7.3%), Sweden (10.3%), Denmark (11.6%), the Netherlands (12%) and Hong Kong (13%).
    • The most noticeable increases in the percentages of ICS computers on which malicious activity was prevented were observed in Singapore (an increase of 9.2 p.p.), Belarus (7.6 p.p.) and South Africa (6.2 p.p). It is worth noting that the percentages for Singapore had been decreasing during the previous 3 reporting periods
    • In Russia, malicious objects were blocked at least once during H2 2019 on 43.1% of ICS computers, which is 1.7 p.p. lower than the level observed in H1 2019 (44.8%).
    • The internet is still the main source of threats in all regions of the world. However, the percentage of ICS computers on which internet threats were blocked is much lower in Northern (6.8%) and Western Europe (10%) and in North America (12.6%) than in other regions, such as Eastern Europe (17.2%), the Middle East (21.7%), Latin America (24.2%), Central Asia (30.8%), Africa (34.6%), and South-East Asia (35.8%).
    • In 2019, we saw the same seasonal dynamics that we have observed in recent years: the numbers are higher in spring and autumn. Since the absolute majority of malicious transactions are highly automated, we believe these dynamics reflect seasonal changes in employee presence and thus demonstrate the effect of the human factor on the cybersecurity of industrial organizations.
  • Although many different malware types, if not blocked on ICS computers, could pose significant threats to operation, ransomware would be the most devastating of these threats. Overall, in H2 2019 ransomware was blocked on 0.61% of ICS computers. According to the refined data, in H1 2019 that figure was 0.76%. The percentage for the entire year 2019 was 1.0%.
    • The highest percentage of ICS computers on which ransomware was blocked in 2019 was in South-East Asia (2.09%), the lowest – in Northern Europe (0.19%).
    • The most attacked country in 2019 was Bangladesh (3.43%), followed by Algeria, Vietnam, Indonesia, Egypt, China, Chile, Belarus, India, Kazakhstan, Ukraine, Malaysia, Tunisia, Italy, and Thailand, which were the top countries attacked by ransomware in 2019.
    • The infamous WannaCry ransomware is still alive. Among all users of Kaspersky products who were attacked by ransomware Trojans in 2019, over 23% were attacked by WannaCry. This percentage is even greater for ICS computers – over 35%.
    • Some ransomware attacks could be even more dangerous than others. Thus, the GandCrab malware was operated via a malware-as-a-service platform until the summer of 2019, when the malicious service was discontinued. This made the malware even more dangerous, since the data could no longer be decrypted – by malicious actors or by any other means (the latest GandCrab version uses strong encryption algorithms). In late 2019, we still detected – and prevented – attacks by the GandCrab malware on ICS machines.

| Next part