OREANDA-NEWS. To minimize the possibility of a cyber-attack, Industrial Control Systems (ICS) are supposed to be run in a physically isolated environment. However this is not always the case. In its report on the ICS threats landscape, Kaspersky Lab experts revealed 13,698 ICS hosts exposed to the Internet that more than likely belong to large organizations. These organizations include energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and drink, governmental, financial and medical institutions. 91.1% of these ICS hosts have vulnerabilities that can be exploited remotely. But the worse is yet to come – 3.3% of ICS hosts located in these organizations contain critical and remotely executable vulnerabilities.  

Exposing ICS components to the Internet provides a lot of opportunities, but also many concerns around security. On the one hand, connected systems are more flexible in terms of a fast reaction to critical situations and implementation of updates. But on the other, the expansion of the Internet gives cybercriminals a chance to remotely control critical ICS components, which can result in physical harm to the equipment as well as potential danger to the whole critical infrastructure.   

Sophisticated attacks on ICS systems are not new. In 2015, an organized group of hackers called BlackEnergy APT attacked a power company in Ukraine. In the same year two more incidents, supposedly connected with cyber-attacks, were reported in Europe: on a steel mill in Germany and on the Frederic Chopin Airport in Warsaw.

More attacks of this kind will emerge in the future since the attack surface is big. Those 13,698 hosts, located in 104 countries are only a small part of the total number of hosts with ICS components available through the Internet.

To help organizations working with ICS to identify their possible weak points, Kaspersky Lab experts conducted an investigation into ICS threats. Their analysis was based on OSINT (Open Source Intelligence) and information from public sources like ICS CERT, with the research period limited to 2015.

The major findings of the Industrial Control Systems Threats Landscape report are:

  • In total, 188,019 hosts with ICS components available via the Internet have been identified in 170 countries.
  • Most of the remotely available hosts with ICS components installed are located in the United States of America (30.5% - 57,417) and Europe. In Europe, Germany has a leading position (13.9% - 26,142 hosts), followed by Spain (5.9% - 11,264 hosts), and France (5.6% - 10,578 hosts).
  • 92% (172,982) of remotely available ICS hosts have vulnerabilities. 87% of these hosts contain medium risk vulnerabilities and 7% of them have critical vulnerabilities.
  • The number of vulnerabilities in ICS components has increased tenfold during the past five years: from 19 vulnerabilities in 2010 to 189 vulnerabilities in 2015. The most vulnerable ICS components were Human Machine Interfaces (HMI), Electric Devices and SCADA systems.
  • 91.6% (172,338 different hosts) of all the externally available ICS devices use weak Internet connection protocols, which opens the opportunity for attackers to conduct ’man in the middle’ attacks.