The key contributors to the success of Advanced Persistent Threat (APT) operations inside victims' networks include human factors, insufficient security measures, and challenges with updating and configuring cybersecurity solutions, among other factors. While some of these reasons may appear trivial, Kaspersky experts encounter them frequently during incident response. To help companies mitigate the related threats and implement best practices, Kaspersky ICS CERT experts have compiled a list of the most prevalent issues.

Lack of OT network isolation

During incident investigations, Kaspersky experts have seen cases where the Operational Technology (OT) network was not kept properly separated and secured. For example, machines such as engineering workstations may be connected to both the regular IT network and the OT network.

“In situations where the OT network's isolation solely relies on the configuration of networking equipment, experienced attackers can always reconfigure that equipment to their advantage,” said Evgeny Goncharov, Head of Industrial Control Systems Cyber Emergency Response Team at Kaspersky. “For instance, they can turn it into proxy servers to control malware traffic or even use it to store and deliver malware to networks that were believed to be isolated. We have witnessed such malicious activities on multiple occasions.”

Human factor remains a driver of cybercriminal activities

When granting employees or contractors access to OT networks, information security measures are often overlooked. Remote administration utilities like TeamViewer or AnyDesk, initially set up temporarily, may remain active unnoticed. It’s crucial to remember that these channels are easily exploited by attackers. In 2023, Kaspersky investigated an incident where a contractor attempted sabotage by taking advantage of remote access to the ICS network that had been legitimately granted to them several years before.

This story demonstrates the importance of considering the human factor: potentially dissatisfied employees may be driven by their work assessments, income, or political motivations to engage in cybercriminal actions. A possible solution in such a situation is Zero Trust – the concept that neither the user, the device, nor the application within the system is trusted by default. Unlike other Zero Trust solutions, Kaspersky extends the Zero Trust approach down to the operating system level with its KasperskyOS-based solutions.
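As an added illustration of the two failure modes described above (this is example code, not part of the original article or any Kaspersky product), the following Python script audits a constructed host inventory for workstations that bridge the IT and OT zones and for remote administration utilities that have stayed installed long past a temporary window. The zone ranges, host names, tools and install dates are assumed sample values.

```python
import ipaddress
from datetime import date

# Constructed sample data (not real): one IT subnet, two OT subnets, and three hosts
# with their interface addresses and the remote-administration tools installed on them.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("192.168.50.0/24"), ipaddress.ip_network("192.168.51.0/24")],
}
REMOTE_ADMIN_TOOLS = {"TeamViewer", "AnyDesk"}

INVENTORY = [
    {"host": "ENG-WS-01", "ips": ["10.10.4.21", "192.168.50.12"],
     "software": {"TeamViewer": date(2021, 3, 2)}},
    {"host": "SCADA-SRV-01", "ips": ["192.168.50.5"], "software": {}},
    {"host": "HR-PC-07", "ips": ["10.10.8.33"], "software": {"AnyDesk": date(2024, 1, 15)}},
]


def zones_for(ip):
    """Return the set of zone names whose ranges contain this address."""
    addr = ipaddress.ip_address(ip)
    return {name for name, nets in ZONES.items() if any(addr in n for n in nets)}


def find_dual_homed(inventory):
    """Hosts with interfaces in both IT and OT: these bridge the isolation boundary."""
    flagged = []
    for h in inventory:
        zones = set().union(*(zones_for(ip) for ip in h["ips"]))
        if {"IT", "OT"} <= zones:
            flagged.append(h["host"])
    return flagged


def find_stale_remote_tools(inventory, today, max_age_days=90):
    """Remote admin utilities installed longer ago than max_age_days: likely
    'temporary' access that was never revoked. Returns (host, tool, age_in_days)."""
    flagged = []
    for h in inventory:
        for tool, installed in h["software"].items():
            age = (today - installed).days
            if tool in REMOTE_ADMIN_TOOLS and age > max_age_days:
                flagged.append((h["host"], tool, age))
    return flagged


if __name__ == "__main__":
    print("Dual-homed hosts:", find_dual_homed(INVENTORY))
    print("Stale remote tools:", find_stale_remote_tools(INVENTORY, date(2024, 3, 1)))
```

In a real audit the inventory would come from an asset management or EDR export rather than being embedded inline.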

Insufficient protection of OT assets

During incident analysis, Kaspersky experts have discovered outdated security solution databases, missing license keys, user-initiated removal of keys, disabled security components, and excessive exclusions from scanning and protection – all contributing to the spread of malware.

For example, if a security solution’s databases are not up to date and the solution cannot be updated automatically, advanced threats can propagate quickly and easily, as happens in APT attacks, where sophisticated threat actors try to avoid detection.

Insecure configurations of security solutions

Proper configuration of a security solution is crucial to prevent attackers from disabling or even abusing it – a tactic often employed by APT groups. They may steal information about the victim’s network that is stored in the security solution and use it to reach other parts of the system – to move laterally, in professional infosec language.

In 2022, Kaspersky ICS CERT noticed a new trend in APT tactics which makes proper configuration even more vital. When searching for ways to move laterally, the attackers no longer stop at hijacking critical IT systems, such as a domain controller. They proceed to the next target – the administration servers of security solutions. The goals may vary, from adding the malware to the list of programs that won’t be checked to using the security system’s own tools to spread it to other systems, even those that are supposed to be completely separate from the infected network.

The absence of cybersecurity protection in OT networks

It might be hard to believe, but on some OT networks, cybersecurity solutions are not installed on many endpoints at all. Even if the OT network is completely separated from other networks and not connected to the Internet, attackers still have ways of gaining access to it. For example, they can create special versions of malware that are distributed via removable drives, such as USB sticks.

Challenges with security updates for workstations and servers

Industrial control systems have a unique way of functioning, where even simple tasks like installing security updates on workstations and servers need careful testing. This testing often happens during scheduled maintenance, causing updates to be infrequent. This gives threat actors plenty of time to exploit known weaknesses and carry out their attacks.

“In some cases, updating the server's operating system may require updating specialised software (like the SCADA server), which in turn requires upgrading the equipment – that all may be too expensive. Consequently, there are outdated systems found on industrial control system networks,” adds Goncharov. “Surprisingly, even Internet-facing systems in industrial enterprises, which can be relatively easy to update, can remain vulnerable for a long time. This exposes the operational technology (OT) to attacks and serious risks, as real-world attack scenarios have shown.”

More advice is published on the Kaspersky ICS CERT blog, including guidance on security solution configuration and settings, OT network isolation, and protecting systems running outdated operating systems, application software, and device firmware.

To protect your organisation from relevant threats, Kaspersky experts recommend:

  • If an enterprise has operational technology (OT) or critical infrastructure, make sure it is separated from the corporate network or at least that there are no unauthorised connections.
  • Conduct regular security audits of OT systems to identify and eliminate possible vulnerabilities.
  • Establish a continuous vulnerability assessment and vulnerability management process.
  • Use ICS network traffic monitoring, analysis and detection solutions for better protection from attacks potentially threatening technological processes and main enterprise assets.
  • Make sure you protect industrial endpoints as well as corporate ones. The Kaspersky Industrial CyberSecurity solution includes dedicated protection for endpoints and network monitoring to reveal any suspicious and potentially malicious activity in the industrial network.
  • To get a more realistic understanding of risks associated with vulnerabilities in OT solutions and to make informed decisions on mitigating them, we recommend that you get access to Kaspersky ICS Vulnerability Intelligence in the form of human-readable reports or a machine-readable data feed, depending on your technical capabilities and needs.
  • Dedicated ICS security training for IT security teams and OT engineers is crucial to improve response to new and advanced malicious techniques.