In a report published by Kaspersky documenting threat activity recorded on devices in the second half of 2020, 33.4% of the Industrial Control Systems (ICS) devices observed were attacked, up from 7% in H2 2019. In the United States and Canada, attacks specific to ransomware were up 0.25%.
ICS devices recorded in the report:
- Supervisory control and data acquisition (SCADA) servers
- Data storage servers (Historian)
- Data gateways (OPC)
- Stationary workstations of engineers and operators
- Mobile workstations of engineers and operators
- Human Machine Interface (HMI)
- Computers used for industrial network administration
- Computers used to develop software for industrial automation systems
Much of the ICS hardware in use today is approaching legacy status, where patching to provide the best security protection is either not supported by the vendor or very difficult to implement. Combined with growing interest from attacker communities, this provides a very target-rich environment. Not long ago Dragos released a report on the TRISIS malware attacks on a Saudi Arabian chemical plant, the first of its kind to deliberately disable safety controls, with potentially endangering human life as the end goal.

While much of ICS sits behind firewalls and monitored networks, or is isolated entirely, it remains a critical target vulnerable to exploitation whenever remote control mechanisms are implemented to allow operators to access the ICS from Internet connections.

Conventional means of defense, such as an active in-house Security Operations Center monitoring activity, are a practical solution. Additional active steps to identify malicious activity or compromise, such as employing a Threat Hunting team and Counter Intelligence operations, provide a massive advantage in securing those devices that are critical to infrastructure.