Almost two in ten (26.5%) computers used to control smart building automation systems were subject to some kind of malicious attack in the first half of 2019, Kaspersky found, with the company’s software blocking malicious objects on 37.8% of computers in building-based automation systems over the same period.
While it is unclear if such systems were deliberately targeted, they often become a destination for various generic threats. Of the 26.5% of protected smart building management computers that were targeted, nearly 12% were attacked with different variants of spyware – malware aimed at stealing account credentials and other valuable information. Worms were detected on 20.6% of workstations and 5.9% encountered ransomware.
More worryingly, Kaspersky solutions were triggered in response to malware on 41.6% of ICS computers in the energy sector globally in the first six months of 2019. And the energy sector was not the only one to face malicious objects and activities, with automotive manufacturing taking second place by percentage of ICS computers on which malicious objects were blocked.
Although malware blocked on the computers analysed was not ICS-specific, the danger posed by it should not be underestimated, Kaspersky says. Such malware is capable of stealing confidential information, loading and executing arbitrary malicious software, and providing attackers with the ability to control infected computers remotely. The side effects of an active infection could therefore have a significant impact on the availability and integrity of the ICS and systems on the industrial network.
Surprisingly, Africa has the highest percentage of ICS machines on which malicious activity was prevented, with Algeria leading the ranking. The top 5 also included Bolivia, which climbed into second place, pushing Vietnam, Tunisia and Morocco down into third, fourth and fifth positions, respectively. The most secure countries and territories – those with the smallest number of ICS machines on which malicious activity was blocked – are Hong Kong, Ireland, and Singapore.
The share of attacked computers in building-based automation systems is consistently higher than in industrial systems, mainly because building-based automation systems are more similar to other IT systems. They are better protected than industrial ones, but they have a large attack surface, so each computer is exposed to more threats from different sources.
The networks of automation systems in specific buildings such as airports and hospitals are not the only ones that face threats. The networks of developers, integrators, and operators of such systems, who have (often privileged) remote access to a huge number and variety of objects, are also subjected to attacks. Having gained access to computers in the network of an integrator or dispatcher, the cybercriminals can, theoretically, attack many remote objects simultaneously. At the same time, the remote connection to the automation object on the side of the integrator/operator is considered trusted and often effectively uncontrolled.
And while the number of attacked BMS systems is relatively low in comparison to the wider threat landscape, the impact of an attack on these systems should not be underestimated. Imagine if credentials from a highly secured building are stolen by a generic piece of malware and then sold on the black market. Or a sophisticated building’s life support system is frozen because essential processes have been encrypted by a ransomware strain. In light of this, it seems clear that engineering companies must start prioritising their security efforts.