Holding the HMI Hostage—The Growing Threat of Ransomware

Most of the headlines concerning cyber attacks on Industrial Control Systems (ICS) tend to focus on one of three types of threat actor: nation-states (e.g. Stuxnet), cyber criminals stealing intellectual property (e.g. Energetic Bear), or terrorists (e.g. ISIS attacking national critical infrastructure).

Ransomware is an emerging concern, however, and shouldn’t be dismissed as “only” a corporate IT problem; it’s a serious threat to Operational Technology (OT) environments, too. ICS owners and operators should educate themselves and prepare their organizations to defend critical systems against ransomware.

A recent report from Unit 42, the Palo Alto Networks threat intelligence team, highlights that “ransomware is not a single family of malware, but a criminal business model in which malicious software is used to hold something of value for ransom.” The encrypting variant of ransomware, for example, identifies valuable data on a compromised system and encrypts it, preventing the victim from accessing the data unless they make a payment to the attacker.

Drivers for ransomware attacks to ICS

Why would cybercriminals want to go after an ICS environment? Job #1 in an ICS facility is to ensure the uptime of the industrial processes used to deliver critical services to citizens and businesses.

Just as important is avoiding any incidents that can harm human lives and the environment. Serious consequences to economies and communities could result if these services are disrupted or stopped, even for just a few hours. Because of the potentially severe and widespread impact of ransomware on industrial processes, the likelihood that an ICS owner/operator would pay the ransom to avoid a service disruption, or to recover an already impacted process, is high. Attackers know this.

An alternative to paying the ransom would be to try to recover from the infection through disaster recovery protocols, which hopefully are in place and up to date. These could include processes for installing golden images or backups to existing or new machines and running processes manually at the lower layers of the ICS (i.e. at the PLCs and RTUs themselves) in the interim. However, those options are typically costly in terms of both capital and operational expenditures.

Besides the potentially high ransoms, another compelling reason for attackers to go after ICS is the perception of its “soft underbelly”. ICS environments are known for long patching cycles that leave many vulnerabilities unpatched and exploitable, so the exposure to ransomware attacks in ICS could be even higher than in more frequently patched IT environments. This exposure could be exacerbated further as ICS environments increase their use of commercial off-the-shelf (COTS) systems, including operating systems, IT applications, and OT applications.

Also increasing the vulnerability of ICS is its growing connectivity to other internal business networks and to third-party networks. Many OT components (HMIs, historian and SCADA servers, engineering workstations, etc.) depend on COTS elements such as Windows operating systems and common business applications like browsers and productivity suites, all of which are susceptible to ransomware. Therefore, the same ransomware impacting corporate IT could affect OT.

How legitimate is the threat?

Using Palo Alto Networks AutoFocus, a threat intelligence and correlation tool, we looked at the occurrence of 30 tracked ransomware families across the Utilities, Energy, Manufacturing, and Construction sectors. Since January 2014, we found over 4,600 samples and 525,000 download sessions for these families, indicating that ransomware attacks are indeed happening to these critical infrastructure sectors. It is not clear from the data whether the attacks targeted IT or OT. The more likely scenario is that only the IT environment was impacted, as it was in two recent ransomware infections at utilities: the Israeli Electricity Authority, publicly disclosed in January 2016, and in the U.S., the Lansing (Michigan) Board of Water and Light on April 25, 2016. Both organizations were reported to have been infected by ransomware through spear phishing of the IT environment. In neither case was there a utility service disruption, but many machines were taken offline and replaced to recover the IT environment.

An example where ransomware impacted OT directly, with subsequent process downtime, is the ransomware infection at a concrete manufacturer, as first reported by F-Secure. Here Cryptowall, a clone of the notorious CryptoLocker family of ransomware, which was said to have generated more than $300 million in ransom, was introduced into the IT environment via a spear phishing email. Quiet lateral movement ensued and the ransomware eventually encrypted accounting data and files critical to several production systems. The net result described in F-Secure’s report was two days of downtime, after which the company decided to pay the ransom and decrypt the systems. They also hired an external consultant to purge the malware and cleanse the network.

Owners/operators who argue that their ICS is air-gapped and hence safe from ransomware should be wary of newer variants such as the Samsa campaign, which, with the help of an insider and local encryption, can impact air-gapped facilities.

Basic steps for defending ICS from ransomware

It is in every ICS owner’s and operator’s best interest to act now to prepare their organization against this rising threat. Education is the first step, and the Unit 42 ransomware report is one resource that offers a comprehensive view.

Next, take some basic steps with the goal of preventing ransomware attacks, or minimizing the impact of ransomware if you have been infected. These steps include the following:

1. Back up your critical ICS and ICS support systems—These include HMIs, historian databases, automation servers/masters, order entry systems (for manufacturing), etc. Consider tying the frequency of backups to the criticality of the system. Make sure that the backup is in a location that the ransomware can’t reach.

2. Limit and manage the use of network drives—Infected users/systems with write access to these drives could infect all the files on a network drive, causing a mass outage. It would be prudent to limit write access to as small a number of users as possible.

3. Patch as often as possible—This is more difficult in ICS environments, as described above, but try to stay as current as possible. The compensating controls described below will be even more necessary if patching is inherently infrequent or perhaps not an option.

4. Apply the principles of zero-trust segmentation—This entails creating security zones and limiting the applications, users and content allowed between these zones to only those consistent with valid business use. This minimizes the number of channels ransomware can use to hop around laterally. It applies not only to the OT perimeter, but also to the internal zones in the ICS. Segmenting the ICS core will be particularly helpful against targeted attacks originating from within.

5. Inspect all traffic for known threats—Use network threat prevention to stop known ransomware, the exploits they use, and access to associated bad domains/websites, and to block the command and control traffic associated with them.

6. Use sandboxing to detect and prevent zero-day ransomware—There will be times when the ransomware is completely new. This is when more advanced technologies like sandboxing, which detects zero-day malware and creates new protections to stop attacks, can prove invaluable.

7. Apply advanced endpoint protection—Use newer endpoint solutions that can stop zero-day exploits and malware at the endpoint itself. This will be critical for stopping social engineering attacks like spear phishing and drive-by downloads, as well as direct insider assaults on endpoints, which are the beachheads for ransomware attacks.
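Steps 1 and 2 above are the ones an operator can verify with a few lines of code, so here is an added worked example; it is not code from the article, from Palo Alto Networks, or from Unit 42. It baselines a tree of HMI project files into a manifest (hash and size per file) that is meant to be stored off the share, on read-only media or a backup host the HMI cannot write to, and later audits the live tree against that manifest: files that changed or vanished, files that newly appeared, files whose bytes now look encrypted (near-maximal entropy, or a ransom-style extension), and whether the share has suffered a mass change that warrants pulling the backup. The file names, the `.locked`/`.encrypted`/`.crypt` extensions, the entropy threshold and the 50% mass-change ratio are all constructed assumptions, and the `demo()` scenario builds its own temporary files; no real malware is involved.

```python
"""Baseline-and-audit check for HMI/historian file shares (added example,
not from the original article). All thresholds and names are assumptions."""
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed ransom-style extensions; extend from your own incident data.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
# Bits per byte. Plain text and PLC/HMI project files sit well below this;
# encrypted or compressed content approaches 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Record sha256 and size for every file under root, keyed by relative path.
    Store the result somewhere the HMI has no write access to."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            }
    return manifest


def audit(root: Path, manifest: dict, change_ratio_alert: float = 0.5) -> dict:
    """Compare the live tree against the stored manifest and return findings.
    mass_change is set when at least change_ratio_alert of the baselined files
    were modified or removed, which is the signal to restore from backup."""
    findings = {"modified": [], "missing": [], "new": [], "suspect": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        data = p.read_bytes()
        if rel not in manifest:
            findings["new"].append(rel)
        elif manifest[rel]["sha256"] != hashlib.sha256(data).hexdigest():
            findings["modified"].append(rel)
        # Either an obvious rename or bytes that no longer look like project data.
        if p.suffix.lower() in SUSPECT_EXTENSIONS or shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings["suspect"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    changed = len(findings["modified"]) + len(findings["missing"])
    findings["mass_change"] = changed / max(len(manifest), 1) >= change_ratio_alert
    return findings


def demo() -> dict:
    """Constructed scenario: baseline three HMI files, then replace two of them
    with maximum-entropy bytes and a .locked suffix (a stand-in for the state a
    share is left in after an infection), and audit the result."""
    root = Path(tempfile.mkdtemp(prefix="hmi_demo_"))
    try:
        (root / "screens").mkdir()
        (root / "screens" / "overview.xml").write_text("<screen name='overview'/>\n" * 20)
        (root / "tags.csv").write_text("tag,address\nPump1_Run,DB1.DBX0.0\n" * 10)
        (root / "recipe.txt").write_text("batch=42\nsetpoint=75.0\n")
        manifest = build_manifest(root)
        for rel in ("screens/overview.xml", "tags.csv"):
            src = root / rel
            src.write_bytes(bytes(range(256)) * 16)  # entropy exactly 8.0 bits/byte
            src.rename(src.with_suffix(src.suffix + ".locked"))
        return audit(root, manifest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the manifest would be written at backup time and the audit run on a schedule from a host that mounts the share read-only, so that an attacker with write access to the share cannot also rewrite the baseline. The entropy test catches encrypted content even when the extension is left alone, and the mass-change ratio is what turns a single changed file (normal engineering work) into an alarm.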

About the author: Delfin Rodillas is Solution Lead, SCADA & Industrial Control Systems, at Palo Alto Networks.
