Ultra Intelligence & Communications

Simulation Reveals Ransomware Threat to ICS

March 7th, 2017 / By Matt Cowell & Sunny DeMattio

As many have heard, ransomware is one of the latest forms of malware plaguing the internet today. With typical ransomware, a user’s system is held hostage until the user agrees to pay the demanded ransom through Bitcoin or another hard-to-trace online payment method. Ransomware has historically been associated with IT networks, propagating as a Trojan and disguising itself as a legitimate file. It typically spreads through e-mail attachments, infected programs and compromised websites in the enterprise. Now we’re hearing that ransomware may be an advancing threat to operational technology (OT) environments and industrial control systems (ICS).

In a recent Georgia Institute of Technology article, cybersecurity researchers broke common misconceptions about what is connected to the internet. Many operators believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often indeed connected. Researchers used a specialized search program to locate 1,400 programmable logic controllers (PLCs) of a single type that were directly accessible across the internet. In this way, they showed that compromising OT systems may well be the next logical step for these attackers.

The Georgia Tech article examined how researchers developed a form of ransomware equipped to take control of a simulated water treatment plant. After gaining access, the researchers were able to command PLCs to shut valves, increase the amount of chlorine added to water, and display false readings.

David Formby, a PhD student in the Georgia Tech School of Electrical and Computer Engineering, expects ransomware to go beyond customer data to compromise the control systems themselves. He believes ransomware will eventually allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities.

While this research was focused on the impact to a water treatment facility, the work could easily be applied to other industries’ critical infrastructure. As mentioned in the article, while no real ransomware attacks have been publicly reported on the process control components of ICS, the attacks have become a significant problem for patient data in hospitals and for customer data in businesses. But the migrating threat from IT to OT is already looming within healthcare. In another recent article in Information Management, Marty Edwards, director of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, is quoted: “When it comes to ransomware moving into the embedded device it’s not a matter of ‘if’ but ‘when’ given that the proof-of-concept code is already in existence for that.” As a result, he believes that this could be the year that medical devices get hit with the equivalent of the malicious computer worm Stuxnet, which damaged Iran’s nuclear program.

In my opinion, too little attention has been paid to ransomware’s threat to ICS. The idea that critical systems and services could be held for ransom is frightening to say the least. Embedded devices in ICS are commonplace and often responsible for critical controls. If the firmware were compromised, and the boot loader code affected, the user would be seriously challenged to re-flash the device back to its original firmware — a circumstance that could measurably impact operational safety and continuity. Embedded devices can be easy targets, as demonstrated by the Georgia Tech research. We’ve already seen how embedded devices can be compromised through poorly secured interfaces and then fall prey to botnets like Mirai and Leet.

So, what do we do to fight this new type of ICS threat? We need to take researchers’ advice. The need to ramp up defense-in-depth security measures — isolating critical systems from business networks, monitoring for network traffic anomalies, and changing default passwords — must be taken seriously in the OT arena.

Tools like CyberFence are designed for deeply layered security. They are easily deployed to existing systems, providing security features absent from these critical devices. Among them:

  • Lock-down of insecure interfaces and protocols such as HTTP, SNMP and Telnet
  • Validation of network traffic to ensure that messages are consistent with the protocol
  • Enforcement of access rules by device, protocol, command and register
  • Alerts when network anomalies are detected
  • Mirroring of traffic to network monitoring tools
  • Encryption of critical data links
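As an added illustration of the protocol validation, per-device access rules and anomaly alerts listed above (and of the traffic monitoring called for in the previous paragraph), here is a small defender-side inspection routine written for this post; it is not CyberFence code or anything from the original article. It assumes a Modbus/TCP-style register protocol, which the post does not name, along with a constructed per-device policy and a constructed sample capture.

```python
import struct

# Per-device policy (constructed for this example; not CyberFence's own configuration):
# source host -> {Modbus function code: (first register, last register + 1)}.
# Function codes: 3 = read holding registers, 6 = write single register.
POLICY = {
    "10.1.1.5": {3: (0, 100), 6: (40, 50)},  # HMI: read 0-99, write only 40-49
    "10.1.1.9": {3: (0, 100)},               # historian: read-only
}

def build_frame(tid, unit, fc, start, value):
    """Build a Modbus/TCP request for function code 3 or 6 (constructed sample traffic)."""
    pdu = struct.pack(">BHH", fc, start, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def inspect_modbus(src_ip, frame):
    """Return (allowed, reason): protocol-consistency checks, then device/command/register rules."""
    if len(frame) < 12:
        return False, "frame too short for an fc 3/6 request"
    _, proto_id, length, _ = struct.unpack(">HHHB", frame[:7])
    # Modbus/TCP: protocol id must be 0 and the MBAP length must cover unit id + PDU.
    if proto_id != 0 or length != len(frame) - 6:
        return False, f"inconsistent MBAP header (proto={proto_id}, len={length})"
    fc, start, count_or_value = struct.unpack(">BHH", frame[7:12])
    rules = POLICY.get(src_ip)
    if rules is None:
        return False, f"unknown device {src_ip}"
    if fc not in rules:
        return False, f"function code {fc} not permitted for {src_ip}"
    # Register span touched: a read covers `count` registers, a single write covers one.
    first, end = start, start + (count_or_value if fc == 3 else 1)
    lo, hi = rules[fc]
    if first < lo or end > hi:
        return False, f"fc {fc} touches registers {first}-{end - 1}, allowed {lo}-{hi - 1}"
    return True, "ok"

def alerts(traffic):
    """Evaluate captured (src_ip, frame) pairs and return one alert line per violation."""
    results = [(src, inspect_modbus(src, frame)) for src, frame in traffic]
    return [f"ALERT src={src} {reason}" for src, (allowed, reason) in results if not allowed]

# Constructed sample capture: two legitimate HMI requests and three policy violations.
SAMPLE = [
    ("10.1.1.5", build_frame(1, 1, 3, 0, 10)),     # HMI reads 10 registers from 0: allowed
    ("10.1.1.5", build_frame(2, 1, 6, 45, 1234)),  # HMI writes register 45: allowed
    ("10.1.1.9", build_frame(3, 1, 6, 45, 0)),     # historian attempts a write: denied
    ("10.1.1.5", build_frame(4, 1, 6, 120, 0)),    # HMI write outside its window: denied
    ("192.0.2.7", build_frame(5, 1, 3, 0, 1)),     # unknown host: denied
]
```

Running `alerts(SAMPLE)` yields three alert lines, one for each denied request; the two HMI requests inside their policy windows pass silently.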

The Georgia Tech simulation clearly shows the vulnerabilities in control systems. Industry has known about these for more than a decade, and they should come as no huge surprise. The findings highlight the opportunity for cyber-criminals and enemy nations: as other ransomware targets become more difficult to penetrate, less guarded targets remain plentiful in our industrial control systems.

To learn more about the Georgia Tech project and findings, read the article in Research Horizons magazine.