Building automation, oil and gas facilities are top cybersecurity targets
There has been an increase in the percentage of systems attacked in the oil and gas industry as well as the building automation sector during the COVID-19 pandemic.
Attacks against industrial enterprises have become more targeted, organized by sophisticated threat actors with extensive resources whose goals may not just be financial gain but also cyberespionage.
On top of that, over the first six months of this year, the percentage of systems attacked in the oil and gas and building automation sectors increased compared with the first half of last year and even the second half.
Attacks in these sectors grew while the percentage of industrial control system (ICS) computers attacked in other industries declined, as cybercriminals shifted their focus to distributing more targeted and focused threats, according to a report by Kaspersky.
This past winter, spring and early summer, the industries most prone to attacks were building automation and oil and gas. Attacks against the latter have the potential to be catastrophic given the massive financial losses already incurred as a result of the COVID-19 pandemic. The percentage of ICS computers on which malicious objects were blocked grew from 38% in the second half of last year to 39.9% in the first half of this year in the building automation industry, and from 36.3% to 37.8% in the oil and gas industry.
Building automation systems tend to be exposed to attacks more often, researchers found. They often have a larger attack surface than traditional ICS computers because they are frequently connected to corporate networks and the Internet. At the same time, because they traditionally belong to contractor organizations, these systems are not always managed by the organization’s corporate information security team, making them an easier target.
The growth in the percentage of ICS computers attacked in the oil and gas industry can be traced back to the development of a variety of worms written in scripting languages, specifically Python and PowerShell. These worms are able to gather authentication credentials from the memory of system processes using different versions of the Mimikatz utility. From the end of March to mid-June 2020, a large number of these worms were detected, primarily in China and the Middle East.
The increase in the percentage of ICS systems attacked in the oil and gas and building automation industries was the exception for the first half of 2020, as the percentage of systems attacked in most other industries declined.
“The percent of ICS computers attacked across most industries is declining, however there are still threats to specific industries that are on the rise,” said Evgeny Goncharov, security expert at Kaspersky. “The more targeted and sophisticated attacks are, the greater potential they have to cause significant damage — even if they occur less frequently. What’s more, with many enterprises forced to work remotely and sign in to corporate systems from home, ICS have naturally become more exposed to cyberthreats. With fewer on-site personnel, there are fewer people available to respond and mitigate an attack, meaning the consequences may be far more devastating. Given that the oil and gas and building automation infrastructures appear to be a popular target among attackers, it’s crucial that these system owners and operators take extra security precautions.”
Attackers appeared to shift their focus from mass attacks to distributing more focused and targeted threats, including backdoors (dangerous Trojans that gain remote control over the infected device), spyware (malicious programs designed to steal data) and ransomware attacks (which tend to target specific enterprises). In fact, there were more families of backdoors and spyware built on the .NET platform detected and blocked on ICS computers. The percentage of ICS computers affected by ransomware grew slightly in the first half of this year compared with the second half of last year across all industries.