Industrial Strength Control
Written by Christopher Pierce, Ignacio Paredes, and Ayman Al Issa
If proof were needed, recent hacks on healthcare services, multinationals and central banks drive home the scale and severity of one of cybercrime's most prized tools: ransomware. The malware locks users out of their computer systems until they pay a ransom—small change next to the potential impact of downtime and data loss. But while such attacks have wreaked havoc at organizations across sectors, the impact remains largely unknown when it comes to the world of industrials—a sector that rarely discloses cybersecurity breaches. What is beyond doubt, however, is that the ransomware threat is real, and that for industrial organizations, the consequences of an attack could be catastrophic.
While little is known about their cybersecurity experiences, industrial companies undoubtedly count as attractive targets for attackers. A breach at an energy, water or manufacturing facility has the potential to result in irreparable damage to equipment and even loss of human life—prospects that afford cybercriminals significant leverage when it comes to extorting ransom payments from their victims.
At the center of this threat are the industrial control systems (ICS) tasked with monitoring and controlling a myriad of industrial processes. The problem is this: ICS networks are typically based on legacy systems which were deployed at a time when cybersecurity was of little concern. As a result, these systems are often less protected than those found in traditional IT environments.
Yet industrial organizations do have one advantage. Utility companies and firms manufacturing the everyday goods we consume possess little in the way of valuable intellectual property, much to the frustration of cybercriminals who hold data hostage for a living. Instead, the ‘crown jewels’ of such companies are seamless facility operations—something difficult to assign a monetary value to and just as difficult to disrupt for criminals who lack industrial know-how. The trouble is, the sophistication of ransomware and the criminals behind it is advancing fast.
Research suggests that cybercriminals are already tailoring ransomware to target manufacturing facilities and a report from Booz Allen Hamilton indicates that the threat will spread beyond regular IT systems, such as servers and workstations, to programmable logic controllers (PLCs)—digital computers adapted for the control of a multitude of processes across industries. If this proves correct, then a profitable new business model could be arriving soon on the cybercrime circuit.
If few companies can afford to endure facility shutdown, none can afford to compromise human safety. After all, nobody wants to risk a chemical spill if a valve were to be opened, or an explosion caused by a centrifuge out of control. There are less catastrophic yet inconvenient consequences of a breach too; food manufacturers would be forced to flush out their entire systems, while for companies using third parties to manage their PLC programming, there would be far more to restoring a PLC than reloading the program.1
These scenarios may be hypothetical, but real-world ransomware is edging dangerously close to ICS networks. In November 2016, the management of a transit system in San Francisco was forced to allow passengers to travel for free when ticketing machines fell victim to an attack.2 In another case, ransomware compromised a hotel in Austria, preventing the programming of key cards and locking guests out of their rooms.3
Even closer to home for industrial companies, the Stuxnet worm damaged Iran’s nuclear program in 2010 by reprogramming the PLCs controlling centrifuges.4 Then, just this year, a cyber attack breached the defenses of the Ukrainian utility Ukrenergo, causing a blackout in the capital, Kiev. These cases were not ransomware attacks—other forms of malware were used—but they have nonetheless set an industrial precedent for ransomware attackers to follow.
To explore how profit-hungry hackers might reap their rewards, experts at the Georgia Institute of Technology have developed a threat model and the first known cross-vendor ransomware worm for PLCs called LogicLocker.5 In their scenario, the criminal steals the original PLC program and adds a logic bomb in the PLC code that begins operating outputs if the ransom is not paid. A novice could erratically operate outputs in the hope of causing damage, while a savvy criminal may know exactly which to operate to maximize leverage and, if necessary, damage.
While such an attack is yet to occur, industrial organizations can ill afford to wait until it does. Starting now, companies can build up their defenses on multiple fronts, focusing on endpoint security, network security and safety at the end-user level.
Measures at the endpoint could include controlling remote access to interfaces, backing up data and securing systems by reducing their vulnerability—a process known as ‘hardening.’ Meanwhile, enhancing network security might involve intrusion prevention, identity and access management and segmenting the network architecture, while ensuring that control networks are monitored for abnormal activity. As for end users, it is important to conduct training and awareness programs. At a minimum, employees must be able to identify phishing emails and refrain from using their own devices in the workplace. Having an incident response plan in place can also prove vital in the event of an attack.
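As an added illustration of two of the measures above (keeping an offline backup of PLC programs and monitoring the control network for abnormal activity), the Python below is example code written for this article, not a vendor tool: it compares a program read back from a PLC against its approved backup and flags program transfers that come from a host other than the engineering workstation or fall outside a maintenance window. The log format, host addresses, PLC names and program bytes are all constructed.

```python
import hashlib
import re

# Constructed example: approved PLC program images as exported by the
# engineering workstation and kept in the offline backup (hypothetical format).
APPROVED_PROGRAMS = {
    "plc-boiler-01": b"LD I0.0\nAND I0.1\n= Q0.0\n",
}
BASELINE = {plc: hashlib.sha256(img).hexdigest() for plc, img in APPROVED_PROGRAMS.items()}

# Workstations allowed to transfer programs, and the local-time maintenance
# window (hours) in which such transfers are expected. Both are constructed.
AUTHORIZED_HOSTS = {"10.10.1.5"}
MAINTENANCE_WINDOW = range(6, 18)
PROGRAM_EVENTS = {"PROGRAM_UPLOAD", "PROGRAM_DOWNLOAD"}

# Constructed log format: "<ISO timestamp> <src_ip> -> <plc> <event>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\w+)$")

SAMPLE_LOG = [  # constructed log lines
    "2017-03-01T02:13:00 10.10.1.5 -> plc-boiler-01 READ",
    "2017-03-01T02:14:10 10.10.9.77 -> plc-boiler-01 PROGRAM_UPLOAD",
    "2017-03-01T02:15:02 10.10.9.77 -> plc-boiler-01 PROGRAM_DOWNLOAD",
    "2017-03-01T08:00:00 10.10.1.5 -> plc-boiler-01 PROGRAM_DOWNLOAD",
]


def program_matches_baseline(plc, image):
    """True if the program read back from the PLC equals the approved backup."""
    return hashlib.sha256(image).hexdigest() == BASELINE.get(plc)


def scan_log(lines):
    """Flag program transfers from unauthorized hosts or outside the window."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, src, plc, event = m.groups()
        if event not in PROGRAM_EVENTS:
            continue  # plain reads are normal HMI/SCADA traffic
        reasons = []
        if src not in AUTHORIZED_HOSTS:
            reasons.append(f"unauthorized host {src}")
        if int(ts[11:13]) not in MAINTENANCE_WINDOW:
            reasons.append("outside maintenance window")
        if reasons:
            alerts.append((ts, plc, event, "; ".join(reasons)))
    return alerts
```

In the sample log, the two transfers from 10.10.9.77 at 02:14 and 02:15 are flagged on both counts, while the 08:00 download from the engineering workstation is not; a program image that differs from the backup by even one extra instruction fails the baseline check.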
Ransomware may have bypassed the industrial sector so far, but it’s only a matter of time before the logic bomb starts ticking. Just as cybercriminals must weigh ransom demands against the damage they can inflict, industrial organizations have a balance of their own to consider. Bolstering security might be costly and time-consuming, but is holding out until ransomware worms its way in really a price worth paying?
1 David Formby, Srikar Durbha & Raheem Beyah, ‘Out of Control: Ransomware for Industrial Control Systems,’ School of Electrical and Computer Engineering, Georgia Institute of Technology
2 Samuel Gibbs, ‘Ransomware attack on San Francisco public transit gives everyone a free ride,’ The Guardian, 28th November 2016
3 Wired.co.uk; forbes.com; nytimes.com
4 ‘Out of Control: Ransomware for Industrial Control Systems’ (see note 1)
5 David Formby, Srikar Durbha & Raheem Beyah, School of Electrical and Computer Engineering, Georgia Institute of Technology (see note 1)