The security of Industrial Control Systems (ICS) has been pushed into the limelight over the past few years due to the increasing interconnection between the business process on the IT side and the physical process on the OT side. While this interconnection improves visibility, efficiency, and speed, it also inadvertently exposes ICSs to threats that have been affecting IT networks for decades.
To validate ICS security and establish a global baseline for examining the threats that plague these systems, we analyzed and reported specific malware families found in ICS endpoints.
The type of malware cybercriminals choose to wield in a particular incident offers a glimpse into the scope and severity of the attack, providing clues on two key aspects: the attackers and the affected network.
The choice of malware helps unveil the attackers’ motivation and skill level. For example, the use of ransomware or a coinminer signifies financial motivation, the use of a wiper or other destructive malware suggests sabotage, and the use of a backdoor or information-stealing malware points to espionage. In terms of the attackers’ skill, customized malware suggests high technical skill or a deep understanding of the attacked environment, while off-the-shelf malware suggests amateur skills, although this is not always the case.
The malware found in a system can also provide insights into the affected network’s environment and cybersecurity hygiene, since the infections observed point to the inadequate security practices behind them. For one, malware variants exploiting certain vulnerabilities imply unpatched endpoints. Likewise, file-infecting viruses suggest previous infections that were never fully eradicated, with groups of unchecked devices still hosting the viruses.
By identifying and breaking down the malware threats found in ICSs through the data we gathered in 2020, we hope to provide insights into the general security posture of industrial control systems in IT/OT environments and into what attackers do once they compromise them. We also share recommendations on how to secure these environments.