2020/06/29 13:14:04

APCS security market


2020: The APCS security market will reach $12 billion by 2026

By 2026 the market for security solutions for automated process control systems (APCS) will grow from the current figure of more than $2 billion to $12 billion, specialists[1] predicted in early 2020[2][3].

The spread of connected devices and the growing number of cyber attacks are accelerating global growth of the market for APCS security solutions. APCS security solutions generally include software and hardware components used to automate and manage industrial processes, such as distribution and dispatch control systems.

As a rule, a cyber attack causes a company considerable financial losses. In recent years cyber attacks on major production infrastructure have become more frequent. APCS security solutions help reduce such risks and protect the data and information displayed on screens and instrument panels.

The growing need to protect network endpoints, such as smartphones, laptops and PCs, from cyber threats significantly boosts growth of the APCS security segment. Endpoint security is beneficial because it offers an encrypted structure for protecting network infrastructure against data leaks and other attacks that can lead to network failures.

According to expert forecasts, in the North American market for APCS security solutions the share of industry will exceed 30%, driven by growth in funding and in cyber attacks in the US oil and gas sector, which increases demand for APCS security solutions.

In the identity and access management (IAM) segment in Great Britain, experts predict 30% growth of the market for APCS security solutions, driven in part by the spread of the Bring Your Own Device (BYOD) concept, under which employees are allowed to use personal devices to access corporate systems.

It is expected that by 2026 the network security segment will hold 20% of the market in the USA thanks to growing demand for means of protecting the integrity and usability of data and of the networks connecting different industrial applications. It is predicted that in China by 2026 the managed services segment of the market for APCS security solutions will account for 20%, and the critical industrial systems segment in Mexico will grow by 26% owing to the rapid adoption of "smart" solutions, sensor technologies, IoT strategy and analytics in manufacturing companies to improve business performance.

2019: Rostelecom named the main cyber risks for industry

On November 19, 2019 the Rostelecom-Solar company published the results of a study in which it named the main cyber risks for industry.

Experts analyzed devices and software used in the industrial Internet of Things, automated production control systems, robotic systems, etc. Most of the analyzed software and equipment is used in the electricity sector and in the oil and chemical industries.

According to RBC, citing the report, 72% of the vulnerabilities found in the software of industrial enterprises can give an attacker control over technological processes and paralyze the companies' operations. This can lead to harm to human life and health, a production stoppage or a decline in product quality, and to the loss of trade secrets.

According to the specialists, the most widespread flaw (28% of cases) was found in user authentication and authorization systems: it allowed identification requirements to be bypassed completely, so that practically any user could get into an industrial system.

Another 22% of vulnerabilities relate to credentials being stored in cleartext, which lets an attacker obtain information about the device and its configuration and find weak points in the equipment's protection.

In addition, Rostelecom-Solar experts pointed to vulnerabilities that allow malicious code to be injected into a web page opened by a user of the system (XSS injection). If the attack succeeds, the attacker can, depending on the injection type, gain various advantages, from access to confidential information to full control over the system.[4]


Kaspersky Lab research

In the summer of 2018, researchers from Kaspersky Lab published a report on the cyber security of industrial automation systems in 2018, for which 320 managers from around the world[5] with decision-making authority on APCS security issues at their enterprises were surveyed[6].

According to the report, more than three quarters of the surveyed industrial managers consider APCS security a serious problem and cyber attacks a very likely event. At the same time, only 23% of companies comply, even to a minimal extent, with government or industry standards and recommendations on APCS cyber security.

According to the specialists, 35% of Russian companies are not afraid of falling victim to cyber attacks, while 13% of firms note a high risk of a hacker attack. Companies from the Middle East are far more alarmed: 63% of them believe they are highly likely to become victims of cyber attacks.

In addition, the researchers reported a critical shortage of specialists in protecting APCS against cyber threats.

"58% of the surveyed companies consider hiring experienced specialists in the cyber security of industrial systems one of their major problems. This problem is international in character," the experts noted.

51% of respondents reported no cyber incidents over the last 12 months. Compared with 2017 the number of such organizations grew slightly: last year it was 46%.

"On this basis it can be assumed that the measures for ensuring APCS cyber security taken within the last year have yielded considerable results," the specialists emphasized.


Dragos research

Security researchers from the Dragos company published a report on vulnerabilities in automated process control systems (APCS)[7] at the end of 2017. According to the report, 163 advisories describing various vulnerabilities affecting ACS were published in 2017. 63% of these vulnerabilities allowed attackers to cause failures in the operation of the system itself. At the same time, only 15% of the problems can be exploited to gain direct access to the network[8].

According to the researchers, one of the main problems is the difficulty organizations face in fixing vulnerabilities in APCS. Certain features of these systems often delay the installation of patches, sometimes indefinitely. The researchers believe organizations need to work harder to develop better test systems on which patches can be checked reliably.

"Engineers will benefit from this, as they will be able to test new settings and thereby reduce maintenance time. A test system can really increase profit in many respects; it is not just a waste of money," the experts noted.

However, organizations also need more effective support from vendors and the security research community. Public vulnerability reports do not provide enough information on alternative risk-reduction methods beyond applying patches or isolating systems, the specialists believe. Moreover, in 12% of cases the reports contained no information at all on how to eliminate the problem.

In addition, ACS users should bear in mind that even installed patches do not eliminate the risks completely. According to the available data, in 2017 64% of the vulnerabilities affecting ACS were found in components that were insecure from the start.

5 cybercriminal groups

According to the report, there are at least 5 cybercriminal groups showing heightened interest in APCS or carrying out direct attacks on systems of this type.

In particular, the researchers singled out the Electrum group, which used the Crashoverride and Industroyer malware to attack the computer networks of the Ukrenergo company in December 2016. Experts believe Electrum may be linked to the Black Energy hacker group (also known as TeleBots and Sandworm Team), which is suspected of involvement in the NotPetya ransomware attacks and in the 2015 attacks on Ukraine's power systems. According to the report, Electrum has expanded its list of targets and may soon carry out a new cyber attack.

The second group of interest to the researchers is known as Covellite. This group, presumably linked to the North Korean government, became known after a large-scale phishing campaign aimed at US power companies. Covellite is also suspected of being responsible for a series of cyber attacks on organizations in Europe, North America and East Asia. It is unknown whether the group's arsenal includes malware developed specifically for APCS.

Experts also drew attention to the Dymalloy hacker group, which attacks APCS in Turkey, Europe and North America. The hackers have shown practically no activity since the beginning of 2017 because of the close attention that the media and cyber security experts have paid to them.

One more group posing a danger to ACS is known as Chrysene. Its activity is mostly concentrated on companies and organizations in North America, Europe, Israel and Iraq. According to the researchers, the malware used by Chrysene is rather sophisticated, but it is intended not so much for attacks on ACS as for espionage.

The last group mentioned by Dragos is named Magnallium (APT33) and is presumably linked to the Iranian government. The hackers' main targets are aerospace companies, the energy sector and military facilities.

Positive Technologies research

Historically, approaches to information security at industrial facilities have had their own peculiarities. Known vulnerabilities in IT systems often go unfixed because of a reluctance to make changes and thereby disrupt the technological process. Instead, companies direct their main efforts at reducing the likelihood of exploitation, for example by separating and isolating internal technological networks from corporate systems connected to the Internet. As penetration testing practice shows, such isolation is not always implemented effectively, and an intruder still has opportunities to attack.

According to the collected statistics, attackers can breach the perimeter and get into the corporate network of 73% of companies in the industrial segment. In 82% of companies it is possible to penetrate from the corporate network into the technological network in which APCS components operate.

Administrative control channels were one of the main ways for a hacker to gain access to the corporate network. Administrators of industrial systems often set up remote connections to them for themselves, so that they need not, for example, be on site all the time and can work from the office.

In every industrial organization where Positive Technologies researchers managed to gain access to the technological network from the corporate one, some shortcomings in network segmentation or traffic filtering were found; in 64% of cases they had been introduced by administrators when creating remote management channels.

Dictionary passwords and outdated software were the most widespread vulnerabilities of corporate networks: these errors were found in all the companies studied. These shortcomings allow an attack vector to be developed to the point of obtaining maximum privileges in the domain and controlling the entire corporate infrastructure. It is important to note that files with passwords to systems are often stored directly on employees' workstations.

The number of APCS components accessible on the global network grows every year: while in 2016 the IP addresses of 591 subsystems were detected in Russia, in 2017 there were already 892. These results are contained in a study[9] by Positive Technologies, which analyzes the threats related to the accessibility and vulnerabilities of APCS over the past year.

The greatest number of APCS components present on the Internet was found in the countries where automation systems are most developed: the USA, Germany, China, France and Canada. Over the year the share of the USA increased by almost 10% and is now about 42% of the total number (175,632). Russia rose three positions and is in 28th place.

Positive Technologies experts draw attention to the increase in the share of network devices (from 5.06% to 12.86%), such as Lantronix and Moxa interface converters. The accessibility of such devices, despite their supporting role, poses a great danger to the technological process. For example, during the cyber attack on Prikarpatyeoblenergo the attackers remotely disabled Moxa converters, as a result of which communication with field devices at power substations was lost.

Among software products, Niagara Framework components are found most often on the global network. Such systems manage air conditioning, power supply, telecommunications, alarms, lighting, surveillance cameras and other crucial engineering elements, contain many vulnerabilities and have already been compromised.

The researchers' second important observation concerns the growing number of threats in APCS components. The number of published vulnerabilities grew by 197 over the year, whereas the previous year 115 became known. Over half of the new security flaws are of critical or high risk. In addition, a considerable share of the vulnerabilities in 2017 were in industrial network equipment (switches, interface converters, gateways, etc.), which is increasingly found openly accessible. At the same time, most of the APCS security flaws found during the year can be exploited remotely without the need to obtain privileged access.

Compared with 2016, the leaders changed places. First place, instead of Siemens, is now held by Schneider Electric. In 2017 almost ten times more vulnerabilities related to this vendor's components were published (47) than the previous year (5). Attention should also be paid to the number of new security flaws in Moxa industrial network equipment: there are twice as many of them (36) as were published in 2017 (18).

2016: Positive Technologies research

On July 15, 2016 Positive Technologies presented the results of a study of the vulnerabilities and prevalence of industrial control system (APCS) components.

Using information from public sources (vulnerability knowledge bases, vendor notifications, exploit collections, scientific conference reports, publications on specialized websites and blogs), the experts counted a total of 212 vulnerabilities in APCS components at the end of 2015, and their total number over five years reached 743. Nearly half of these vulnerabilities are high-risk.

The greatest number of vulnerabilities was found in products from well-known vendors such as Siemens (147), Schneider Electric (85), Advantech (59), General Electric (27) and Rockwell Automation (26).

The most vulnerable and at the same time most widespread APCS components are SCADA systems, which accounted for 271 vulnerabilities in 2015. In addition, many flaws were found in HMI components, industrial network devices and engineering software.

In 2015 only 14% of vulnerabilities were fixed within three months. In 34% of cases the fix took longer than that. More than half (52%) of the errors either remained unfixed or the vendors did not announce when they would be fixed.

The greatest number of components accessible on the Internet was found in the countries where automation systems are most developed: the USA (38.85% of the total number of accessible components), Germany (12.28%), France (5.43%), Italy (5.15%) and Canada (4.93%).

In terms of prevalence of APCS components, the leaders are Honeywell, SMA Solar Technology, Beck IPC, Siemens and Bosch Building Technologies (formerly Bosch Security Systems).

Based on the study, Positive Technologies concluded that adequate protection of APCS components is lacking. Even minimal preventive measures, such as using complex passwords and disconnecting APCS components from the Internet, would substantially reduce the probability of attacks with noticeable consequences, the specialists note.

2013: Informzashita research

An audit of the automated process control systems of industrial enterprises, conducted in the fall of 2013 by specialists of the Informzashita company[10], points to "depressing" statistics on compliance with information security requirements.

The inspection used the 25 most significant security criteria, compliance with which, Informzashita believes, should make the APCS of industrial companies secure. These requirements were formulated on the basis of experience from projects at ten large fuel and energy enterprises.

A summary of the results showed that in the APCS of most of the inspected enterprises there are no procedures for managing and analyzing security incidents, and no measures have been developed to prevent dangerous events from recurring.

Also not used anywhere are systems for detecting and preventing external intrusions and tools for identifying network anomalies, which should be applied when the APCS network is connected to the enterprise-wide communication infrastructure. In addition, information security audits and security analyses of APCS complexes are not carried out.

Informing personnel about the problems that non-compliance with information security rules can cause, and training in this area, are carried out in only a quarter of organizations. Yet such training becomes vital when social engineering methods, based on features of human psychology, are used more and more widely for illegal penetration into systems. These methods are used to gain access to confidential information, including data that allows unauthorized actions to be performed in an APCS. A characteristic example is a password request purportedly on behalf of the system administrator.

Wireless access to automation complexes and the information systems supporting them, which may be used by internal personnel and contractors' staff, requires especially close attention because it is fraught with numerous vulnerabilities. The lack of developed protection measures and these employees' lack of knowledge can lead to very serious consequences.

Among the reasons why APCS information security lags behind that of corporate information systems, both technologically and organizationally, are the specifics of industrial automation projects. For a long time their implementation mainly addressed speed, performance and cost optimization, while due attention was not paid to protection against potential threats. In addition, corporate information systems and APCS complexes are traditionally developed and operated by separate divisions of enterprises.

In large domestic industrial organizations, in particular in the oil and gas industry, the consolidation of IT services and APCS divisions is beginning. Company representatives also believe that the results of an APCS security audit should show the heads of business divisions what threat non-compliance with security policies poses to the continuity of their business processes. In addition, business shows very noticeable interest in preventing theft and in implementing solutions that prevent distortion of the accounting data entering enterprise management systems. Notably, of the more than thirty energy-industry specialists who took part in a seminar, about a quarter represented APCS services.
