Human Error Fuels Industrial APT Attacks, Kaspersky Reports

Cyber Security Threat Summary:
“Cybersecurity firm Kaspersky has identified the primary factors contributing to advanced persistent threat (APT) attacks in industrial sectors. The first of them, discussed in a new report published today, is the absence of isolation in operational technology (OT) networks” (Info Security Magazine, 2023). Kaspersky observed engineering workstations being connected to both the IT and OT networks. Previously air-gapped OT/ICS environments are being more commonly connected to the Internet. Lacking adequate segmentation, IT and OT environments are becoming connected and can allow attackers to infect OT networks.

“In situations where the OT networks’ isolation solely relies on the configuration of networking equipment, experienced attackers can always reconfigure that equipment to their advantage,” explained Evgeny Goncharov, head of the industrial control systems cyber emergency response team at Kaspersky.

Security Officer Comments:
The report also blames the human factor as a significant driver of cybercrime against industrial environments. Employees and contractors are frequently given access to OT networks without adequate attention or security measures in place. Most concerning, remote administration tools such as TeamViewer or AnyDesk are often used in an unsafe manner. These temporary connections may be overlooked or forgotten, allowing attackers to gain access. These remote connection points can also enable insider threats, where disgruntled employees or contractors with network access could cause future harm to systems.

Kaspersky warns that OT assets can often have outdated databases, security components disabled, and may have exclusions from scanning and protection solutions. These insecure configurations can play a role in APT attacks. OT networks need to keep industrial workstations and servers up to date. “In some cases, updating the server’s operating system may require updating specialized software, which in turn requires upgrading the equipment – that all may be too expensive. Consequently, there are outdated systems found on industrial control system networks,” Goncharov added.

“Installing updates for OT assets can sometimes be next to impossible – for example, when an operating system update on the server requires updating specialized software (such as the SCADA server) which, in turn, requires upgrading the equipment, there is an amazing variety of antiques that you can find on ICS networks – such as CNC machines running Windows XP SP1, or servers running Windows NT 4.0, or even MS-DOS used to control the industrial process” (Kaspersky, 2023).
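The three conditions the report calls out (dual-homed engineering workstations, remote administration tools on OT hosts, and end-of-life operating systems with protection disabled) can be checked against an asset inventory. The script below is an added example, not from the report or from Kaspersky; the subnets, hostnames and inventory records are constructed, and the end-of-life list is only the systems the quote names.

```python
import ipaddress

# Constructed for this example: which ranges count as IT and OT, and
# the end-of-life systems named in the quote above (lower-cased for matching).
IT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_SUBNETS = [ipaddress.ip_network("192.168.50.0/24")]
END_OF_LIFE_OS = {"windows xp sp1", "windows nt 4.0", "ms-dos"}
REMOTE_ADMIN_TOOLS = {"teamviewer", "anydesk"}

# Constructed sample inventory (hostnames and addresses are made up).
ASSETS = [
    {"host": "eng-ws-01", "os": "Windows 10",
     "ips": ["10.10.4.21", "192.168.50.21"], "software": ["TeamViewer"], "av_enabled": True},
    {"host": "scada-srv", "os": "Windows NT 4.0",
     "ips": ["192.168.50.5"], "software": [], "av_enabled": False},
    {"host": "cnc-03", "os": "Windows XP SP1",
     "ips": ["192.168.50.33"], "software": ["AnyDesk"], "av_enabled": False},
    {"host": "hr-pc-17", "os": "Windows 11",
     "ips": ["10.10.7.9"], "software": [], "av_enabled": True},
]


def _in_any(ip, subnets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def findings_for(asset):
    """Return the list of risk flags raised for one inventory record."""
    flags = []
    in_it = any(_in_any(ip, IT_SUBNETS) for ip in asset["ips"])
    in_ot = any(_in_any(ip, OT_SUBNETS) for ip in asset["ips"])
    if in_it and in_ot:
        flags.append("dual-homed IT/OT host")           # missing segmentation
    if asset["os"].lower() in END_OF_LIFE_OS:
        flags.append("end-of-life OS")                  # unpatchable platform
    if in_ot and any(s.lower() in REMOTE_ADMIN_TOOLS for s in asset["software"]):
        flags.append("remote admin tool on OT host")    # forgotten access path
    if in_ot and not asset["av_enabled"]:
        flags.append("protection disabled on OT host")  # scanning exclusions
    return flags


def audit(assets):
    """Map hostname -> flags, keeping only assets with at least one finding."""
    return {a["host"]: f for a in assets if (f := findings_for(a))}


if __name__ == "__main__":
    for host, flags in audit(ASSETS).items():
        print(f"{host}: {', '.join(flags)}")
```

Run against a real inventory export, the same four checks give a prioritised list of the hosts the report's findings apply to.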

The right to repair should also be taken into consideration. Some industrial products have to rely on the security mechanisms provided by the supplier, and it can be difficult to add additional protections to such a system. In other cases, updates may require a specialized technician to work on the system, which delays patching and updating. As Kaspersky noted, stopping production to patch an important piece of machinery can be expensive, and fixed update windows may be in place, both of which can delay critical security patches.

The Kaspersky report comes a few months after a separate research study from the company suggested two out of every five (40.6%) OT computers used in industrial settings were affected by malware in 2022.

Link(s):
https://www.infosecurity-magazine.com/news/human-error-fuels-industrial-apt/
https://ics-cert.kaspersky.com/