ICS Companies Are Worried About Cybersecurity, But Are They Worried About the Right Things?


The equipment was expected to be installed and then left alone for a long time. Pressure to reduce operating costs led to this equipment being connected, and the easiest networking equipment to find was designed for convenience in a corporate environment, not for security in an ICS environment. This has led to the current situation, where malware designed to compromise corporate systems can also impact ICS equipment.

ICS vendors' traditional development model did not accommodate regular patches and updates, so companies that run ICS equipment are quite likely forced to rely on security tools other than vulnerability scanning and patch management.

Based on the statistics, it seems likely that there will be many more ICS cybersecurity incidents in the coming months.

“The growing interconnectedness of IT and OT systems raises new security challenges and requires a good deal of preparedness from board members, engineers, and IT security teams.”


  1. Tomi Engdahl says:

    Malware on ICS Increasingly Comes From Internet: Kaspersky

    Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.

    According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.

  2. Tomi Engdahl says:

    ThreatList: Attacks on Industrial Control Systems on the Rise

    The main source of infection on industrial control systems was the internet, researchers at Kaspersky Lab found in a new report.

    The systems that power the manufacturing, power and water plants, the oil and gas industry, and many other sectors are increasingly in the crosshairs of cyber-attackers: A full 41.2 percent of industrial control system (ICS) computers were attacked by malicious software at least once in the first half of 2018.

    That’s according to Kaspersky Lab, which analyzed telemetry information from customers using industrial automation computers through the end of June. The data indicates a consistent rise in the percentage of attacks on this segment; the year-ago data showed the percentage of ICS computers attacked to be 36.61 percent; that then ticked upward to 37.75 percent in the second half of 2017.

  3. Tomi Engdahl says:

    How To Protect Tomorrow’s Critical Infrastructure

    Cyber security is therefore one of the key concerns for those who manage modern manufacturing plants as well as any form of critical infrastructure. One of the only ways to safeguard these facilities now and in the future is by providing standardized protection measures.

    Efficient security processes and procedures cover the whole value chain, from the manufacturers of automation technology to machine and system builders and installers as well as the operators themselves.

  4. Tomi Engdahl says:

    IT Versus OT Patching, Explained

    Last December, a new type of malware targeting industrial processes struck an unnamed critical infrastructure facility.

    The TRITON/TRISIS malware was the first designed to attack an industrial plant’s physical safety control systems, called a safety instrumented system (SIS). After the attack, several industrial cybersecurity firms provided detailed analyses of the attack and the malware.

    The following explanation of the differences in software patching between information technology (IT) and operational technology (OT) environments is given in this context.

    How is the patching process different for ICS environments compared to IT environments?

    Industrial control system (ICS) environments are radically different from IT environments when it comes to patching.

    Because ICS control large-scale physical processes like petroleum refining pumps and fuel storage tanks that run 24/7, they can typically be updated only during scheduled maintenance periods — usually once a quarter or twice a year. Additionally, this is legacy equipment that was installed 15 or more years ago, and any patches must carefully be tested before deployment.

    The situation was even more complex in the TRITON case because that attack exploited a zero-day vulnerability in the SIS PLC firmware, which resides at the innermost level of the software stack that runs these devices.

    How quickly can ICS systems be updated compared to how fast malware can be repurposed by other malicious actors?

    It’s clear that the attackers in the TRITON case had intimate knowledge of the exact model and firmware revision level of the PLC.

    This implies that, as time goes by, attacks on the industrial side of the business become more and more common as the knowledge of attack methods propagates while the networks remain vulnerable. The best way to resolve that gap is to have defense-in-depth including continuous monitoring and threat simulation.

    How can OEMs protect against these types of attacks?

    Due to the “insecure-by-design” nature of legacy protocols, combined with the difficulty of regularly patching ICS systems, organizations should implement compensating controls and defense-in-depth beyond simple perimeter security.

    Continuous network monitoring can be used to immediately detect anomalous or unauthorized activity that indicates that an attacker has breached the OT network and is now performing reconnaissance and attempting to compromise devices.

    Another technology that can help is automated ICS threat modeling, which enables organizations to prioritize patching and mitigation efforts based on the risk to their most critical “crown-jewel” assets because it isn’t possible to patch everything.
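The "continuous network monitoring" compensating control described in the comment above is, in its simplest form, an allow-list: learn which hosts talk to which PLC with which protocol operations during a known-good period, then alert on anything outside that baseline. The script below is an added example written for this page; it is not code from the article quoted above or from any vendor's product. The flow-record format, the host addresses, the baseline table and the sample flows are all constructed for the example; only the Modbus function-code numbers (3 = read holding registers, 5/6/15/16 = coil and register writes) are real protocol values.

```python
"""Allow-list monitoring of OT flow records (added example, not from the article).

Assumed input (constructed for this example, not any product's export):
one flow per line, "timestamp src dst dport proto fc", where fc is the
Modbus function code, or '-' when the flow is not Modbus.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto fc")

# Modbus function codes that change PLC state (coil / register writes).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}

# Hypothetical baseline learned during a known-good window: which source
# host may talk to which PLC, and which function codes it normally uses.
BASELINE = {
    ("10.10.1.5", "10.10.2.10"): {3, 16},   # HMI: reads and writes registers
    ("10.10.1.6", "10.10.2.10"): {3},       # historian: reads only
    ("10.10.1.5", "10.10.2.11"): {1, 3, 5},  # HMI: coils and registers on PLC 2
}
PLC_HOSTS = {"10.10.2.10", "10.10.2.11"}     # assets the monitor protects


def parse_flow(line):
    """Parse one constructed flow record into a Flow tuple."""
    ts, src, dst, dport, proto, fc = line.split()
    return Flow(ts, src, dst, int(dport), proto, None if fc == "-" else int(fc))


def assess(flow):
    """Return the list of alerts for one flow; an empty list means 'normal'."""
    alerts = []
    if flow.dst not in PLC_HOSTS:
        return alerts                      # only PLC-bound traffic is modelled
    allowed = BASELINE.get((flow.src, flow.dst))
    if allowed is None:
        # A host never seen talking to this PLC: reconnaissance or a new foothold.
        alerts.append(f"new peer: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    if flow.proto == "modbus" and flow.fc is not None:
        if allowed is not None and flow.fc not in allowed:
            alerts.append(f"unexpected function code {flow.fc} from {flow.src} to {flow.dst}")
        if flow.fc in MODBUS_WRITE_FCS and (allowed is None or flow.fc not in allowed):
            # Writes from outside the baseline are the case that can move a process.
            alerts.append(f"write attempt (fc {flow.fc}) to {flow.dst} from {flow.src}")
    elif flow.proto != "modbus":
        # Anything other than the expected control protocol reaching a PLC.
        alerts.append(f"non-Modbus traffic to PLC {flow.dst} port {flow.dport} from {flow.src}")
    return alerts


def scan(lines):
    """Run assess() over flow lines; return {line_number: alerts} for hits only."""
    findings = {}
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        hits = assess(parse_flow(line))
        if hits:
            findings[n] = hits
    return findings


# Constructed sample flows: lines 1-2 are baseline behaviour, 3-5 are not,
# line 6 is corporate-side traffic the monitor ignores.
SAMPLE_FLOWS = [
    "2018-07-01T08:00:00 10.10.1.5  10.10.2.10 502 modbus 3",
    "2018-07-01T08:00:01 10.10.1.6  10.10.2.10 502 modbus 3",
    "2018-07-01T08:00:02 10.10.1.6  10.10.2.10 502 modbus 16",
    "2018-07-01T08:00:03 10.10.1.99 10.10.2.11 502 modbus 5",
    "2018-07-01T08:00:04 10.10.1.99 10.10.2.11 22  tcp    -",
    "2018-07-01T08:00:05 10.10.1.5  10.10.1.6  445 tcp    -",
]

if __name__ == "__main__":
    for n, hits in sorted(scan(SAMPLE_FLOWS).items()):
        for h in hits:
            print(f"line {n}: {h}")
```

The baseline is deliberately a static table so the logic is visible; in practice it is learned from a capture taken during a maintenance window and reviewed by the control engineers, because a baseline recorded while an attacker is already present simply allow-lists the attacker. Note also that the historian writing registers (line 3) fires even though the host itself is trusted: it is the operation, not the address, that is outside the baseline.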

  5. Tomi Engdahl says:

    The Day When the Industrial IoT Gets Hacked

    The more devices that get connected to the industrial internet of things (IIoT) networks, the more that those networks get hacked and attacked. Cyberattacks of all kinds used to be directed mostly at IT networks but not anymore. Many of today’s attackers are going after the industrial control system (ICS) and operational technology (OT) side of the IIoT.

    Here, the threats are potentially larger and much more damaging, from ransomware demands to industrial espionage to altering production process code that can change industrial robot safety levels, affect product contents and manufacturing yields, or even cause massive damage.

    From the design engineer’s point of view, effective cybersecurity for ICS and everything else in a firm’s IIoT comprises two different but related efforts:

    On one hand, designing security into an embedded device that forms all, or part of, an IIoT endpoint
    On the other hand, acquiring and managing cybersecurity technology that protects those devices as they are manufactured in the engineer’s company and as they, and other IIoT devices, are deployed on the company’s factory floor and throughout the plant

  6. Tomi Engdahl says:

    Industrial networks in need of RAT control

    Remote Administration Tools (RATs) have always been controversial. Yes, they let people avoid direct access to hardware, but at the same time, they put computer systems at risk by opening remote access to equipment. In an industrial environment, remote access is especially dangerous, and so our colleagues from KL ICS CERT undertook a study on how widespread RATs are on industrial computers and what harm they can cause.

