Threat landscape for industrial automation systems, H2 2021

2021 is the second year we have spent living and working in the pandemic. By 2021 everyone got used to pandemic limitations – industrial organization employees and IT security professionals and threat actors. If we compare the numbers from 2020 and 2021, we see that 2021 looks more stable, particularly in H2.

H2 2021 Report at a glance

The full report is available on the Kaspersky ICS CERT website.

Percentage of ICS computers on which malicious objects were blocked

The percentage of ICS computers on which malicious objects were blocked in 2021 increased by 1 percentage point from 2020 – from 38.6% to 39.6%.

In H2 2021 this percentage decreased by 1.4 p.p. for the first time in 1.5 years.

As we can see from the graph depicting the monthly dynamics of the percentage of attacked ICS computers, the numbers in H2 2021 were more stable than in H1 – the numbers were lower and there were no sharp fluctuations.

It is also worth noting that in 2021 the vectors of monthly fluctuations (increases and decreases) are the same as those in 2019 and, particularly, in 2018 more often than in 2020. Specifically, we can see decreases in July and August that we believe are due to the traditional vacation periods. However, compared to 2018 and 2019, the summer decrease in the percentage of ICS computers on which malicious objects were blocked was less pronounced in 2021.

Selected industries

Malicious objects

In H2 2021 Kaspersky security solutions blocked over 20,000 malware variants from 5,230 families on ICS computers.

The results of our analysis revealed the following estimated percentages of ICS computers on which the activity of malicious objects from different categories had been prevented:

Since H1 2020, we have seen increases in the percentages of ICS computers on which the following types of objects were blocked:

Spyware – by a factor of 1.4 — from 5.6% to 8.1%.

Malicious scripts and phishing pages – by a factor of 1.4 – from 6.5% to 9.3%.

Cryptocurrency miners (Windows executable files) – more than doubled – from 0.9% to 2.1%.

Ransomware

In H2 2021 ransomware was blocked on 0.50% of ICS computers.

The percentage of ICS computers attacked by ransomware increased in half of the world’s regions. The most significant increases were recorded in Southeast Asia, East Asia and Africa, which are thus the leaders in this ranking.

Main threat sources

The internet, removable devices and email continue to be the main sources of threats for computers in the OT infrastructures of companies and organizations.

Shared network folders are one of the minor threat sources. Only on 0.57% of attacked ICS computers malicious objects were blocked in network shares in H2 2021. However, this percentage is slowly growing and is over 1% in a few countries and territories.

2021 in numbers

Indicator	H1 2021	H2 2021	2021
Percentage of attacked ICS computers in the world	33.8%	31.4%	39.6%
Percentage of attacked ICS computers by region
Northern Europe	11.1%	10.4%	12.1%
United States and Canada	16.5%	17.2%	19.7%
Western Europe	15.3%	15.8%	20.2%
Australia and New Zealand	23.7%	21.4%	26.5%
Eastern Europe	29.5%	28.4%	32.4%
Southern Europe	29.4%	25.1%	33.0%
Latin America	32.8%	32.5%	38.7%
South Asia	35.2%	35.6%	41.0%
Middle East	37.3%	34.3%	42.0%
Russia	39.4%	30.0%	42.3%
Central Asia	42.0%	37.9%	44.7%
East Asia	43.2%	40.5%	48.1%
Africa	46.1%	43.4%	50.9%
Southeast Asia	44.2%	47.6%	51.2%
Main threat sources globally
Internet	18.3%	16.5%	22.2%
Removable devices	5.2%	4.8%	6.7%
Email clients	3.5%	3.7%	4.2%
Network folders	0.52%	0.57%	0.75%

For more information, visit the Kaspersky ICS CERT website