Pay up or else: the ransomware threat to your business
A Stuxnet-style ransomware attack on the control systems on which our industrial infrastructures depend is a tempting prospect for cyber-criminals keen to repeat their success extorting payments from enterprise sector victims.
New information about the capabilities of Stuxnet revealed in the recent documentary film ‘Zero Days’ has revived concerns about the potential impacts of cyber attacks on critical infrastructure such as power stations, chemical plants and fuel refineries. The movie explains with chilling resonance how, in 2010, the state-sponsored Stuxnet worm managed to gain destructive control of the programmable logic controllers (PLCs), which automated electromechanical processes inside gas centrifuges used for isotopic separation of uranium at Iran’s Natanz nuclear facility.
Many installed PLCs – along with other types of operational technology (OT) such as industrial control and SCADA (supervisory control and data acquisition) systems – are innately insecure, because they were not designed to be secure; nor were they designed to be easily retrofitted to current security requirements. Effort has gone into making aspects of OT safer in the years since Stuxnet first struck, but malware aimed at industrial systems keeps coming: Duqu (2011), Flame (2012) and Gauss (2012) – the three so-called ‘cousins of Stuxnet’ – followed by Citadel (2012), Energetic Bear/Havex (2014), BlackEnergy (2015), Irongate (2016) and PLC Blaster (2016).
While such attacks have caused their share of problems for power stations and utility assets around the world, the newer cyber-scourge of ransomware has yet to openly turn its disruptive powers on the computerised systems that monitor or manage the physical state of an industrial or infrastructural process – physical devices such as pumps and valves. This is set to change, warn industry experts, as cyber-criminals figure out how to repurpose their dark arts into a profitable model for targets in OT environments.
“In the typical enterprise IT environment, the ‘crown jewels’ that are most important to the victim, and thus the target of any attacker, are the company’s data, which explains the success of recent ransomware strains,” explains David Formby, research team leader at the Georgia Institute of Technology’s School of Electrical and Computer Engineering. “Recent attacks on hospitals have demonstrated how profitable ransomware can be when used to hold operationally critical assets hostage with the threat of human harm, and reports suggest that attackers are beginning to shift their focus to ICS networks [within OT environments].”
In OT environments, Formby adds, while there may be some intellectual property data of value to be filched, for commercial entities, such as utility companies, the real crown jewels are the continued availability and safe operation of their facilities.
“We expect ransomware to go one step beyond customer data, to compromise control systems themselves,” Formby has said. “Compromise of the PLCs is a next logical step. That could allow attackers to hold critical systems hostage.”
In such a scenario, the top goal of the attacker is to cause the victim enough lost revenue from system downtime, and to threaten enough damage to personnel and expensive equipment, to make paying the ransom more attractive than any other means of restoring the facility, Formby explains. This is achieved by stealing the original PLC program, locking down the PLC, encrypting the original program, and adding a ‘logic bomb’ (code that sets off a malicious function when specified conditions are met) to the PLC code, so that the controller begins operating its outputs dangerously if the ransom is not paid in time.
“The key aspect of ICSs is their direct control of physical systems, which have a direct impact on human safety,” says Arun Subbarao, VP of engineering and technology at Lynx Software Technologies, and the company’s representative on the Industrial Internet Consortium Security Forum. “The worst-case scenario is a malicious actor taking control of a nuclear facility, water treatment facility or chemical plant, and then threatening large-scale disaster if their ransom demands are not met.”
The Georgia Tech research team provided evidence of its concerns at the RSA Conference in February 2017, when it demonstrated ransomware it had developed that could take control of a simulated water treatment plant. After gaining access, the researchers were able to command PLCs to close valves, increase chlorine added to water and display false readings.
The simulated attack was set up to highlight vulnerabilities in the control systems used to operate industrial facilities such as manufacturing plants, water and wastewater treatment facilities and building management systems for controlling escalators, lifts and heating, ventilation and air-conditioning.
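The scenario Formby describes and the RSA demonstration above can be made concrete with a small simulation. What follows is an added example written for this article, not the Georgia Tech team’s code: a toy chlorine-dosing loop, a proportional PLC controller, an HMI that only sees the PLC’s own registers, and planted logic that fires at a deadline, pins the dosing pump and keeps reporting a healthy reading. The out-of-band monitor at the end is the check a plant can run without trusting the PLC. Every constant, register address and the deadline are assumptions for the simulation.

```python
"""Added example, not code from the Georgia Tech demo or any vendor.

Toy water-treatment dosing loop: first-order residual-chlorine process,
proportional PLC loop, HMI that reads the PLC's registers, and the planted
'logic bomb' behaviour described in the article.  All constants, register
addresses and the ransom deadline are assumptions made for this simulation.
"""
from dataclasses import dataclass, field
from typing import Optional

SETPOINT_MGL = 1.0       # assumed free-chlorine residual target, mg/L
HIGH_ALARM_MGL = 4.0     # assumed high limit the independent monitor enforces
NOMINAL_PUMP_PCT = 20.0  # assumed pump output that holds the setpoint
DOSE_GAIN = 0.01         # assumed mg/L added per scan per % pump output
DECAY = 0.2              # assumed fraction of residual consumed per scan
KP = 40.0                # assumed proportional gain, % per mg/L of error
MISMATCH_TOL = 0.3       # assumed tolerance between HMI value and grab sample


@dataclass
class Process:
    """Toy physics: residual rises with dosing and decays with demand."""
    residual_mgl: float = 0.6  # start below setpoint so the loop has work to do

    def step(self, pump_pct: float) -> None:
        self.residual_mgl += DOSE_GAIN * pump_pct - DECAY * self.residual_mgl
        self.residual_mgl = max(0.0, self.residual_mgl)


@dataclass
class PLC:
    """Register map mimics Modbus (assumed addresses): holding 0 = setpoint x100,
    holding 1 = pump output %, input 0 = residual x100 as shown to the HMI."""
    holding: dict = field(default_factory=dict)
    input_regs: dict = field(default_factory=dict)
    ransom_deadline: Optional[int] = None  # scan number at which the planted logic fires

    def scan(self, cycle: int, measured_mgl: float) -> float:
        if self.ransom_deadline is not None and cycle >= self.ransom_deadline:
            # Planted logic: pin the dosing pump and feed the HMI a flat, healthy value.
            pump = 100.0
            reported = SETPOINT_MGL
        else:
            error = SETPOINT_MGL - measured_mgl
            pump = min(100.0, max(0.0, NOMINAL_PUMP_PCT + KP * error))
            reported = measured_mgl
        self.holding[0] = int(SETPOINT_MGL * 100)
        self.holding[1] = int(pump)
        self.input_regs[0] = int(round(reported * 100))
        return pump


def hmi_reading(plc: PLC) -> float:
    """The operator screen shows whatever the PLC publishes."""
    return plc.input_regs[0] / 100.0


def out_of_band_check(reported, independent, history, tol=MISMATCH_TOL):
    """Monitor that does not trust the PLC.  history = [(reported, pump_pct), ...]."""
    alerts = []
    if abs(reported - independent) > tol:
        alerts.append("mismatch")          # HMI disagrees with grab sample / second analyser
    if independent > HIGH_ALARM_MGL:
        alerts.append("high_residual")     # physical limit breached, whatever the HMI says
    last = history[-5:]
    if len(last) == 5 and all(p >= 99.0 for _, p in last) and len({r for r, _ in last}) == 1:
        alerts.append("frozen_reading")    # actuator pinned but the reading never moves
    return alerts


def run_simulation(cycles: int, deadline: Optional[int]):
    """Returns ({cycle: [alerts]}, final HMI value, final independent value)."""
    process, plc, history, alerts_by_cycle = Process(), PLC(ransom_deadline=deadline), [], {}
    for cycle in range(cycles):
        measured = process.residual_mgl          # analyser wired to the PLC
        pump = plc.scan(cycle, measured)
        process.step(pump)
        independent = process.residual_mgl       # second instrument read after the scan
        reported = hmi_reading(plc)
        history.append((reported, pump))
        alerts = out_of_band_check(reported, independent, history)
        if alerts:
            alerts_by_cycle[cycle] = alerts
    return alerts_by_cycle, hmi_reading(plc), round(process.residual_mgl, 3)


if __name__ == "__main__":
    print("honest run:", run_simulation(30, None))
    print("planted logic fires at scan 10:", run_simulation(30, 10))
```

In the honest run the loop settles at the setpoint and the monitor stays quiet. Once the planted logic fires, the HMI keeps showing 1.00 mg/L while the independent instrument climbs past the high limit within a handful of scans; the mismatch is caught on the very first compromised scan, and the frozen-reading rule catches the deception even if no grab sample is available. The design point is that none of the three checks reads anything the PLC publishes about itself.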
Georgia Tech is not alone in its belief that ICS/SCADA networks have come to the attention of cyber-criminal gangs. The recent proliferation of ransomware of all kinds shows that this class of malware is viewed as a future money-spinner by criminal threat actors.
Cyber-security solutions vendor Kaspersky Lab suggests that ransomware is a “rising threat” to ICSs. Its Kaspersky Industrial CyberSecurity Solution Overview 2016 reports that the range and diversity of ransomware “escalated massively” between 2015 and 2016, and that the emergence of ransomware “is highly significant for the industrial sector [because] such infections may cause high-impact, wide-ranging damage to systems, making ICSs a particularly attractive potential target”. Ransomware designed to attack industrial systems may have its own specific agenda – instead of encrypting files, “the malware may set out to disrupt operations or to block access to key assets”.
The threat of ransomware in ICSs “raises the game, [as] potentially there is more than just money at stake – whole governments and communities of people can be seriously impacted”, says Mark Carolan, head of R&D at BSI Espion. “Cyber-extortionists holding a SCADA system to ransom could mean lack of availability, and therefore loss of control. Losing control of industrial physical processes not only has financial implications, but consequences that could endanger human lives.”
Ransomware attacks in ICS environments “will seek to halt the business, disrupt production, or otherwise harm the bottom line – harm to the business is secondary to safety, but it is still incredibly important [as a coercive lever],” says Tim Erlin, security director and IT risk strategist at Tripwire. “A ransomware attack like this needs a capability to execute, and a means to request the ransom. Ransomware needs leverage, and safety is the leverage that we will see used.”
Cyber-security practitioners in OT evidently face multiple challenges when it comes to protection of vulnerable industrial systems. Foremost among these is recognition of the extent of the attack surface (the sum of the different points – attack vectors – at which an attacker can try to enter data into, or extract data from, an environment).
They must also abandon the notion that the historical isolation of critical industrial systems will continue to protect operations against the looming likelihood of ransomware threats. This is because the ‘airgaps’ supposed to exist around ICS/SCADA systems are narrowed by the requirement to integrate OT with IT platforms – and that includes links to the internet.
“While it is argued that ICS and SCADA systems are segregated, the reality is that the ‘wall’ which separates OT and IT is permeable – the adoption of Ethernet, and other standard network technologies, delivers benefits in industrial controls, but also introduces risk,” says Edgard Capdevielle, CEO at Nozomi Networks. “Just as it is hard to avoid the Earth’s gravitational pull, the introduction of Ethernet draws in more layers of connectivity.”
The reality is that many ICS and SCADA systems are not truly air-gapped, but rather segmented or segregated logically, adds Erlin. “Using tools to separate networks can work, but requires monitoring and maintenance to ensure that inadvertent changes aren’t introduced, and that malicious attackers do not gain access.”
“The airgaps between SCADA systems and the rest of the network in many organisations no longer exist,” says Amol Sarwate, director of vulnerability research at Qualys. This has come about due to three compelling requirements, he explains: “First, one reason for connecting SCADA systems to the rest of the network is for remote management. A second reason for narrower airgaps is to get easy access to the data SCADA systems generate. The third – and most prevalent – reason is misconfiguration or network design done too quickly, with ease-of-use in mind rather than security. Thus, one can find many SCADA systems not only connected to other networks inside the organisation, but even accessible on the internet.”
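One practical way to test the claim that a SCADA network is segregated is to do what Sarwate warns an outsider can do: from an IT-side host, try to reach the OT addresses on an ICS port and ask anything that answers to identify itself. The following is an added example written for this article, not code from Qualys or any other vendor quoted here. It builds the Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E), which needs no credentials, and parses the vendor and product strings out of the reply. A simulated PLC on localhost with made-up identification strings is included so the example runs offline; in use, the target list would be the OT ranges and the port would be 502.

```python
"""Added example, not code from any vendor quoted in the article.

Segmentation check: connect to candidate hosts on a Modbus/TCP port and pull
device identification from anything that answers.  Run from the IT side of a
supposed air gap, every responder is a finding, and because the protocol has
no authentication the same request works for an attacker.  The local fake PLC,
its strings and the port it binds are constructed so the demo runs offline.
"""
import socket
import struct
import threading

MODBUS_PORT = 502
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def build_device_id_request(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """MBAP header + PDU for Read Device Identification, basic objects from object 0."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])  # function 43, MEI 14, ReadDevId code 1, object 0
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_device_id_response(frame: bytes) -> dict:
    """Decode the object list of a Read Device Identification response."""
    if len(frame) < 7:
        raise ValueError("short frame")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if proto != 0 or len(pdu) < 2:
        raise ValueError("not a Modbus/TCP frame")
    if pdu[0] & 0x80:
        raise ValueError("Modbus exception code 0x%02x" % pdu[1])
    if pdu[:2] != b"\x2b\x0e" or len(pdu) < 7:
        raise ValueError("unexpected function code")
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):                      # objects: id(1) len(1) value(len)
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        objects[OBJECT_NAMES.get(obj_id, "object%d" % obj_id)] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def probe(host: str, port: int = MODBUS_PORT, timeout: float = 2.0) -> dict:
    """TCP connect plus device identification.  Unreachable hosts are not findings."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_device_id_request())
            data = s.recv(260)
    except OSError:
        return {"reachable": False, "identity": {}}
    try:
        identity = parse_device_id_response(data)
    except ValueError as err:
        identity = {"error": str(err)}   # port open but not a well-behaved Modbus device
    return {"reachable": True, "identity": identity}


def scan_targets(targets, port=MODBUS_PORT):
    """Every target reachable from here on the Modbus port is a segmentation finding."""
    return {host: probe(host, port) for host in targets}


def unused_tcp_port() -> int:
    """Bind-and-release to find a local port nobody listens on (for the offline demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


# ---- simulated PLC (constructed; answers with made-up identification strings) ----
FAKE_IDENTITY = [(0, b"ExampleAutomation"), (1, b"PLC-TOY-1"), (2, b"v1.0")]


def fake_plc_server() -> int:
    """Start a one-shot Modbus/TCP responder on localhost in a thread; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(260)
            tid, _, _, unit = struct.unpack(">HHHB", req[:7])
            body = b"".join(bytes([oid, len(v)]) + v for oid, v in FAKE_IDENTITY)
            # function, MEI, ReadDevId code, conformity (basic), more follows, next id, count
            pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(FAKE_IDENTITY)]) + body
            conn.sendall(struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = fake_plc_server()
    for host, result in scan_targets(["127.0.0.1"], port).items():
        print(host, result)
```

A host that answers with a vendor and product string has just told an unauthenticated stranger on the IT network what it is; that is the same first step an attacker would take before writing coils or uploading a program. The probe deliberately reads only identification, which is safe against a live controller, but even so it should be run with the plant’s engineers in the loop, since some older devices react badly to unexpected traffic.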
Businesses “need a higher level of visibility throughout their supply chain and a real-time information flow to optimise costs and gain competitive advantage, so they demand insight from SCADA systems to achieve this”, says Salvatore Sinno, chief security architect at Unisys. “From a cyber-security standpoint, these systems are a huge challenge and readily exploitable.”
The adoption of remote access support, made available through connected devices, has also transformed traditional maintenance models, says William Culbert, director of solutions engineering at Bomgar: “[It has] drastically reduced costs and improved efficiencies. Many SCADA systems are integrated into critical national infrastructure, meaning the ability to quickly and easily resolve a technical issue is key, but it is also having a knock-on effect causing the narrowing of this segregation.”
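The drift Erlin and Sarwate describe, and the remote-support holes Culbert mentions, usually show up as allow rules that nobody reviewed. The following is an added example written for this article, not code from Tripwire, Qualys, Bomgar or any other vendor quoted: a static audit of the policy that is supposed to be the IT/OT wall. It diffs the live rule set against the last reviewed baseline and reports allow rules that let traffic from outside the OT zone reach OT addresses, paying particular attention to ICS protocol ports and ‘any’ wildcards. The zone ranges, the rule format and both rule sets are constructed for the demo.

```python
"""Added example, not code from any vendor quoted in the article.

Audit of an IT/OT boundary policy: flag live allow rules that cross into the
OT zone and are either absent from the reviewed baseline or carry wildcards.
Zone range, rule format and the sample rule sets are constructed.
"""
import ipaddress
from dataclasses import dataclass

OT_ZONE = ipaddress.ip_network("10.20.0.0/16")   # assumed OT address range
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}  # well-known ICS service ports


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # TCP port number or "any"
    action: str   # "allow" or "deny"


def to_net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def crosses_into_ot(rule: Rule) -> bool:
    """True when the rule lets something outside the OT zone reach an OT address."""
    src, dst = to_net(rule.src), to_net(rule.dst)
    return rule.action == "allow" and dst.overlaps(OT_ZONE) and not src.subnet_of(OT_ZONE)


def audit_policy(live, baseline):
    """Return {rule: [tags]} for live allow rules that cross into OT.
    Baseline rules are reported only when they carry a wildcard; new rules always are."""
    findings = {}
    for rule in live:
        if not crosses_into_ot(rule):
            continue
        tags = []
        if rule not in baseline:
            tags.append("not-in-baseline")   # drift since the last review
        if rule.src == "any":
            tags.append("any-source")        # reachable from anywhere, internet included
        if rule.dport == "any":
            tags.append("any-port")
        elif int(rule.dport) in ICS_PORTS:
            tags.append(ICS_PORTS[int(rule.dport)])
        if "not-in-baseline" in tags or "any-source" in tags or "any-port" in tags:
            findings[rule] = tags
    return findings


# constructed rule sets: what was reviewed versus what is on the firewall today
BASELINE = [
    Rule("10.10.5.10/32", "10.20.1.10/32", "4840", "allow"),  # historian pulls OPC UA
    Rule("any", "10.20.0.0/16", "any", "deny"),
]
LIVE = BASELINE + [
    Rule("10.10.0.0/16", "10.20.1.0/24", "502", "allow"),     # 'temporary' Modbus access from IT
    Rule("any", "10.20.1.20/32", "any", "allow"),              # vendor remote-support hole
    Rule("10.20.3.0/24", "10.20.1.0/24", "502", "allow"),      # OT-internal, not a crossing
]

if __name__ == "__main__":
    for rule, tags in audit_policy(LIVE, BASELINE).items():
        print(rule, tags)
```

Run against the constructed sets it reports the two additions that cross the boundary and stays silent on the reviewed historian rule and on the OT-internal rule. Feeding it an export of the real policy on a schedule turns Erlin’s ‘monitoring and maintenance’ into a concrete, repeatable check, and the tags give the reviewer the reason each rule needs a second look.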
Broader developments in ICT make closer connectivity between ICSs and the internet inevitable, say some observers. The Industrial Internet of Things (IIoT) will prove influential in ‘enfranchising’ the ICS/SCADA/PLC class of technology, according to Tripwire’s Erlin – and with good reason.
“Organisations are not expanding connectivity just for fun – there are commercial objectives at play,” Erlin says. “There is clear value to increased communication and access, whether you are a business looking to maximise profit, or a service looking to maximise delivery. The expansion of connected devices and technology comes with risk. The development and deployment of an IIoT brings safety to the top of that risk assessment.” When connected devices can make material changes in the physical world, life and safety become especially relevant to cyber security, Erlin points out.
“The IIoT will be a factor, as more data will be collected and analysed,” agrees Nozomi’s Capdevielle, “plus modernised ICS systems will become increasingly dependent on external influences to remain current – such as remote updates, patches, and perhaps even routine maintenance – all further muddying the water.”
The scale of the ‘attack surface’ is almost impossible to estimate, says Sarwate at Qualys, and implementing security upgrades across the installed base of ICS/SCADA systems, even just in developed countries, is a huge and expensive undertaking. “Vendors have started implementing good security controls for newer ICS products, but older ICS/SCADA systems are intended to last for decades,” Sarwate says. “For newer products, extra cyber-protection need not imply higher prices, but we have seen it in other spaces.”
Even where commercial utilities companies, for instance, have begun to identify and address vulnerabilities in their most critical infrastructural assets, there comes the challenge of employing technical practitioners with the requisite skills to upgrade and patch vulnerable industrial equipment and to deploy safeguards against ransomware and other malicious cyber-attacks. The problem is compounded by the fact that many ICS engineers who could be trained to implement better security on systems they have maintained for years are near the end of their careers, and may soon prove to be a rather rare resource.
“ICS security skills are scarce, relatively new, and can only grow. You have ‘technology boomers’ reaching retirement and leaving the profession,” says Capdevielle. “Attracting and retaining young talent is another challenge. Even when you do, the skillset needs to change rapidly to keep pace with the ever-changing technologies and risks. This isn’t going to be resolved any time soon, so in the meantime we need to close the gap with security analytics, managed services, and converging OT and IT skills, so that cyber-attacks initiated via ransomware can be identified and stopped.”
There is most definitely a skills shortage issue in relation to professionals operating in the industrial control market, agrees Culbert at Bomgar. “A major proportion of ICSs were developed, programmed and integrated years ago, creating almost a time capsule from the technology and software the developers used when running these legacy systems,” Culbert says. “In conjunction with this, the security professionals of 2017 have not been educated in or experienced the legacy security software itself, causing a skills shortage in the space.”
Certified ICS and SCADA security practitioners equipped with skills to address the threats, vulnerabilities and risks specific to this domain are in high demand, says Carolan at BSI Espion. “Industrial systems engineers often lack [cyber-security management] skills because systems they managed were isolated from external connection, and therefore previously faced no external threats.” This scenario has changed completely – OT professionals now need cyber-security skills, Carolan says.
“It is important that plant managers and industrial staff have an in-depth knowledge of IT and networking issues,” says Noel Sheppard, director at Distec. “There is not so much a skills gap as a tendency to work in silos. By bringing multi-disciplined teams together during the infrastructure design stages, we can work together to embrace the ongoing convergence of OT and IT.”
When ransomware attacks on industrial systems start, what lessons can be derived from analysis of other malware that targets such technology? In publicity terms, Stuxnet raised awareness regarding cyber threats in the industrial sector, says Subbarao at Lynx Software Technologies: “However, it is unclear if this has resulted in technology changes to combat this threat. The industry is overly reliant on network-based protection mechanisms whereas the key solution to this problem lies in platform protection.”
The issue is that “once you’ve established IT connectivity it’s difficult to put the genie back in the bottle”, says Capdevielle. “Each of these avenues is a potential point of weakness that can be compromised by hackers burrowing in, or by malware such as ransomware detonating internally and then radiating out.”
Managers of critical ICS applications should envision a scenario where “an interface or the control system is infected by ransomware, and the factory production is brought to a halt,” warns Sarwate at Qualys. “In addition to putting protection mechanisms in place, managers should now prepare for successful attack scenarios.”
For Culbert, the Stuxnet worm “identified a key learning that the industry has had to take heed of: changes in the virtual world have a direct impact on the physical world. It’s taught OT asset owners that nothing is truly air-gapped, and that every asset or system is targetable. Before Stuxnet, no-one had witnessed a weaponised piece of malware that could look for the right devices in the right locations, and also took all variables into consideration. Security standards were dangerously low and needed to be acted upon – fast.”
Logic bomb: Code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
Operational technology (OT): Application of computers and computerised systems dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc.
Programmable logic controller (PLC): Industrial digital computer ruggedised and adapted for the control of manufacturing processes such as assembly lines, robotic devices, or activities that require high-reliability control, ease-of-programming, and process fault diagnosis.
Ransomware: Malware that installs covertly on a victimised device and either encrypts the victim’s data to hold it hostage (the ‘cryptoviral extortion’ attack described in cryptovirology) or threatens to publish the victim’s data (‘leakware’), until a ransom is paid.
SCADA (Supervisory control and data acquisition): Control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management, but uses other peripheral devices (such as PLCs) to interface to the process plant or machinery.