Edge Cyber Threats: A Report


In 2018, Symantec reported a 600% increase in attacks on IoT/Edge devices along with a 29% increase in attacks on industrial control systems (ICS).

These attacks put the Edge at the center of a cybersecurity struggle that pits sophisticated attackers against a set of highly valuable targets. Prudent leaders in both the private and public sectors should develop proactive defense strategies to protect their critical assets.


Real World Edge Attack: TRITON

In December 2017, a Saudi Arabian oil and gas petrochemical facility experienced a safety system shutdown as the result of a malware attack. The malware, named TRITON (also known as TRISIS or HatMan), directly attacked a Safety Instrumented System (SIS). An SIS is the last line of automated safety defense for an industrial facility, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.

SIS systems use a special type of PLC (Programmable Logic Controller) designed with predictability and reliability in mind. They include multiple main processors, built-in diagnostics, redundancy management systems, and failure detection for inputs and outputs. The attack reprogrammed the facility’s SIS controllers, causing them to enter a failed state and resulting in an automatic shutdown of the industrial process.

The SIS that was attacked was a Triconex Safety Instrumented System from Schneider Electric. This type of SIS is commissioned in a consistent way across many industries and is widely used.

It’s a golden age to be an attacker against critical infrastructure. If you are in critical infrastructure you should plan to be targeted. And if you are targeted, you will be compromised. It’s that simple.
— Andy Bochman, Senior Grid Strategist for National & Homeland Security at the Idaho National Laboratory (INL)

Since 2000, the cybersecurity firm FireEye has identified more than 1,700 publicly disclosed industrial control system vulnerabilities. Nearly all of these, more than 1,550, have been discovered since 2010.


Patching these systems is a real challenge since many ICS and Edge vendors are slow to provide patches. One third of these ICS vulnerabilities had no vendor fix. And operators are slow to apply fixes when they are available, given the risk of instability and downtime when the patch is loaded.


Real World Edge Attack: INDUSTROYER

On Dec. 23, 2015, three Ukrainian electricity distributors were compromised by a cyber attack. The attack invaded systems and triggered power outages across three regions in western Ukraine. The attackers systematically shut down the flow of electricity. Then, the attackers used two previously unknown vulnerabilities (zero-day attacks) to inhibit the utilities’ ability to restore power and maintain control of the grid.

Then, on Dec. 17, 2016, attackers used a tool called INDUSTROYER to turn off electrical power to Kiev, the capital of Ukraine. These attacks targeted a vulnerability in Siemens SIPROTEC 4 and SIPROTEC Compact devices, as well as ABB MicroSCADA software.

Industroyer is notable for its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.

Source: ICS-CERT 2/11/2019

Edge Cybersecurity Facts

  • 35% of attacks are fileless (immune to anti-virus scanning)

  • 40% of industrial sites have at least 1 connection to the Internet

  • 49% of significantly attacked companies are successfully attacked again within 1 year

  • 84% of industrial sites have at least one remotely accessible device

  • 86% of significantly attacked companies were attacked by more than 1 adversary

  • 90% of corporate networks have active attack signatures

  • 101 days before an attack is discovered, on average

  • 140 professional attack groups globally, 29 new groups discovered each year

  • 8,718 tracked vulnerabilities, 4,262 of which are zero-day vulnerabilities