Configuration issues left industrial control systems exposed to disruption by the WannaCry and NotPetya worms earlier this year, finds Kaspersky Lab
The computer networks that link to industrial control equipment are becoming more like standard corporate networks, leading to an increase in cyber-attacks as they’re hit by the same types of incidents that affect other companies, according to researchers.
As a result, indiscriminate attacks such as the WannaCry and NotPetya worms in May and June of this year are increasingly affecting industrial systems, causing disruption to areas ranging from shipping to healthcare, according to computer security firm Kaspersky Lab.
In the first half of this year Kaspersky counted 33 different families of encryption ransomware alone attempting to infect industrial control computer systems, but none were specifically aimed at industrial computers, according to the ‘Threat Landscape for Industrial Automation Systems in H1 2017’ report.
WannaCry made up the largest proportion of those attacks, accounting for 13.4 percent of the ransomware incidents affecting industrial infrastructure.
“In the first half of the year we’ve seen how weakly protected industrial systems are: pretty much all of the affected industrial computers were infected accidentally and as the result of attacks targeted initially at home users and corporate networks,” stated Kaspersky Lab head of critical infrastructure Evgeny Goncharov.
He added that the WannaCry and NotPetya attacks had led to “the disruption of enterprise production cycles around the world, as well as logistical failures, and forced downtime in the work of medical institutions”.
Ironically, that disruption didn’t reflect intentional attacks on industrial systems, but rather on companies’ failure to keep their industrial control computers isolated from the corporate network.
“Industrial networks are becoming increasingly similar to corporate networks,” Kaspersky said in the study.
“Consequently, the threat landscape for industrial systems is becoming similar to the threat landscape for corporate systems… In the vast majority of cases, attempts to infect ICS computers were accidental and malware functionality was not specifically designed for industrial automation systems.”
The fact that industrial systems were accessible from corporate business networks exposed them to infections by WannaCry and NotPetya, which spread using unorthodox methods, Kaspersky said.
Both strains used Windows exploits that had been published by a hacking group in April to spread across the internet as well as companies’ internal networks. As a result, industrial systems were infected indirectly after the company’s internal network had been hit by the malware.
“In most cases industrial automation systems had been attacked by WannaCry malware from the local corporate network and through VPN connections,” the report found.
Manufacturing companies affected
The firm estimated that “at least several dozen” computers that were part of industrial control systems were hit by WannaCry.
In June NotPetya disproportionately affected industrial organisations, with Kaspersky estimating that at least half of the companies affected were from the manufacturing and oil and gas industries.
Like other security firms, Kaspersky said it believes that while WannaCry and NotPetya both appeared to be encryption ransomware strains, they were probably aimed primarily at causing disruption.
“It is likely that the real objective of ExPetr attacks was not to extort ransom payments – the ransom demands may have been a mask for acts of sabotage,” Kaspersky said in the report.
The company recommended firms take steps to isolate their industrial control systems from their corporate business networks.
In addition to the accidental exposure of industrial systems to broader internet-borne attacks, the study also noted several cases in which industrial computers were deliberately targeted, including the December 2016 blackout in Kiev, which may have been instigated using the Industroyer malware, the infection of Washington, DC security cameras by ransomware in mid-January, and the hack of tornado warning sirens in Dallas, Texas in April.
Overall, Kaspersky estimated 0.5 percent of all industrial systems worldwide were affected by ransomware in the first half of the year,
But attack attempts were more prevalent, with 37.6 percent of the industrial control systems protected by Kaspersky being targeted by attempted hacks during the first half of the year, down 1.6 percent from the second half of 2016. Companies producing various materials, equipment and goods accounted for about one-third of those attacks.
Vietnam was the most targeted by attacks, with 71 percent of the industrial systems protected by Kaspersky targeted during the first half, followed by Algeria, Morocco and Indonesia. Ireland was at the bottom of the list with 13.8 percent targeted.
Do you know all about security in 2017? Try our quiz!