ICS-OT Directed Ransomware is Not Likely to Happen

Author: Daniel Ehrenreich, SCCE, ICS-OT Cyber Security Expert

Introduction

Industrial Control Systems/Operational Technology (ICS-OT) cyber security practitioners were traditionally educated to worry about cyber-attack vectors such as those directed against the organization's IT zone. Nobody can be blamed for that misunderstanding, because ransomware, Distributed Denial of Service (DDoS), and exposure of confidential information are all IT-directed attacks. When I asked, “Is ICS-OT-directed ransomware at Purdue Levels 1 and 2 likely to happen?” most instantly thought of incidents like Colonial Pipeline, Norway Aluminum, JBS meat, etc. After a few moments of thinking about the technological aspects of the ransomware process, most replied, “Yes, it can.” From a technology point of view, they were right. When I asked whether they would pay $10 to receive the decrypting key to restore the encrypted HMI or PLC, knowing that professional attackers expect payment of millions for the decrypting key, all replied, “Yes, for such an amount I would not hesitate.” However, when I explained that most of the published incidents related to industrial operations were IT-directed ransomware attacks, they agreed to spend 10 minutes listening.

This paper does not deal with cyber-attacks such as manipulating the PLC or HMI programs or planting a logic time bomb in the system; it aims to explain why ICS-OT-directed ransomware (delivery of the decrypting key for money) is unlikely to happen.

IT-directed ransomware

Before discussing ICS-OT-directed cyber incidents, I briefly explain IT-directed ransomware. We all know it involves encrypting databases and programs, but not everyone knows that a ransomware attacker might demand ransom payments in three phases.

a) When such an attack occurs, IT users receive a red-screen message indicating that the database has been encrypted and that they cannot operate the business processes. Organizations that hold updated backup files for the data and a Golden Image for the processes may refuse to pay the ransom and restore the business operation.

b) Upon receiving that disappointing reply, the attacker might respond, “I leaked all your data, including privacy information, and if you refuse to pay, I will publish or sell the information.” Now the backup files are useless, and the organization must negotiate.

c) When the attacker feels the payment will arrive soon, his appetite might grow, and he may send a new message: “I also have information on all your customers and suppliers and their details. If you do not pay extra, I might attack them as well, and they will blame you.”

From the above, you can see that ransomware attacks are a highly profitable “business operation,” and professional attackers expect to receive high ransom payments for two or all three of the demands explained above.

ICS-OT Directed attacks

Some people might mistakenly believe that the above explanation also applies to ICS-OT operations because, technically, the encryption process may also work in that zone. That assumption is correct as far as it goes, but it needs deeper elaboration.

· Data stored in the ICS-OT zone is usually not confidential (!), except in systems that run a secret technological process (food, pharma, etc.). Therefore, a “smart attacker” will not invest in exfiltrating operation-related data from the ICS-OT zone.

· Once an attacker decides to penetrate the ICS-OT zone, he might do so to manipulate the process, cause an operational outage, or cause damage or risk lives. This can be done through an internally or externally generated cyber-attack or through the supply chain.

· Furthermore, we often say that once an attacker penetrates the ICS-OT zone, the “game is over,” because within minutes he can harm the system, manipulate the database and/or the process, and cause an outage, damage, or risk to lives.

Restoration of the ICS-OT zone

· Technically, decrypting the ICS-OT database and the process files is possible, assuming the encryption was correctly performed and the attacker delivered a reliable decrypting key. However, remember that you cannot trust that assumption for ICS-OT!

· Consequently, any part of the decrypted ICS-OT system that an attacker earlier encrypted to extort the ransom might not operate safely. You may obtain the decrypting key if you wish, but you cannot use it for a system that controls a critical safety-oriented process.

· Obviously, these recommendations apply to safety-oriented systems. If you deal with simple processes, such as counting produced packages in a warehouse or collecting data from mechanical utility meters, you may try to restore the operation with the decrypting key, provided you are confident that the result will comply with the SRP (Safety-Reliability-Performance) Triad.

· ICS-OT operations must be periodically evaluated according to the SRP Triad. If you cannot be assured that the restored ICS-OT will operate safely, you must wipe the affected zone (PLCs, HMIs, control servers, etc.), reinstall all appliances from a stored Golden Image, copy the required operational data from the Historian server, and then perform in-depth testing of the repaired system. Complete system reinstallation is your only choice!
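A recovery-readiness check that encodes the rule in the bullets above, as an added Python example that is not part of the article: every image about to be redeployed is checked against an offline SHA-256 manifest, safety-oriented assets are never brought back with the attacker's key, and only simple non-safety assets may fall back to key-based decryption followed by SRP validation. The asset names, image bytes and hashes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for stored golden image files; real ones are large binaries.
GOLDEN_IMAGES = {
    "hmi-01": b"HMI golden image v4.2 (constructed sample)",
    "plc-07": b"PLC project archive rev 17 (constructed sample)",
    "ctrl-srv": b"Control server image 2023-11 (constructed sample)",
}

def build_manifest(images):
    """Record the SHA-256 of each golden image. Keep this manifest offline and
    separate from the images, so a tampered image cannot bring its own hash."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in images.items()}

MANIFEST = build_manifest(GOLDEN_IMAGES)

@dataclass(frozen=True)
class Asset:
    name: str
    safety_oriented: bool  # does it control a safety-relevant physical process?

def image_verified(name, stored_bytes, manifest):
    """True only when the image about to be deployed hashes to the manifest entry."""
    expected = manifest.get(name)
    return expected is not None and hashlib.sha256(stored_bytes).hexdigest() == expected

def restoration_plan(asset, stored_bytes, manifest):
    """Apply the article's rule to one encrypted asset: a verified golden image is
    always the first choice; a safety-oriented asset without one stays offline
    rather than being trusted to the attacker's key; a simple non-safety asset may
    be decrypted, but only followed by SRP (Safety-Reliability-Performance) validation."""
    if image_verified(asset.name, stored_bytes, manifest):
        return "rebuild_from_golden_image"
    if asset.safety_oriented:
        return "halt_no_trusted_image"
    return "decrypt_then_validate_srp"

def zone_recovery_report(assets, stored_images, manifest):
    """Plan for every asset in the affected zone; a missing image counts as untrusted."""
    return {a.name: restoration_plan(a, stored_images.get(a.name, b""), manifest) for a in assets}

if __name__ == "__main__":
    zone = [Asset("hmi-01", True), Asset("plc-07", True), Asset("ctrl-srv", False)]
    stored = dict(GOLDEN_IMAGES)
    stored["plc-07"] = stored["plc-07"] + b"\x00"  # simulate a corrupted or tampered copy
    for name, plan in zone_recovery_report(zone, stored, MANIFEST).items():
        print(f"{name}: {plan}")
```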

Conclusions

Industrial operations must be prepared to ensure business continuity with increasingly interconnected (negligently converged) architectures between the IT and ICS-OT zones and a growing amount of data communicated across the organization. To achieve the desired cyber security goals, IT and OT experts must collaborate to correctly select and deploy the cyber defense measures. The role of management at industrial and utility-related facilities is to allocate the needed resources and hire the manpower to stay at least one step ahead of attackers.

Matt T

Senior Intelligence Coordinator | Former U.S. Diplomat | Former FBI SIA

4mo

ICS-OT ransomware attacks being senseless doesn’t necessarily make them less likely to happen. I think your logic is sound for why it doesn’t likely make sense to pay to decrypt control systems in many situations, and therefore why ICS-OT ransomware attacks don’t make business sense for the attacker. But that doesn’t mean that attackers will share your reasoning (even though I do), or that the average responder in a small or medium enterprise will. Threat intelligence is filled with examples of defenders who were surprised because they projected their thought process onto attackers who had their own. Since the adversary gets a vote too, I think the conclusion would maybe better be “ICS-OT Directed Ransomware Should Not Happen,” but organizations’ response plans should be prepared for it nonetheless.

Steve Shaw-Cross

OT Cyber Threat & vulnerability Consultant

4mo

Hi Daniel, don't you believe that is a misleading statement? What about: Colonial Pipeline: The attackers focused on the SCADA machine that controls the pipeline's operations. Oldsmar Water Treatment Plant: The attacker received access to the plant's SCADA system and tried to control the water treatment process. Ukraine Power Grid Attacks: The assaults in particular focused on the managed structures of the electricity grid, causing enormous outages.


Hi Daniel, appreciate your thoughts, but let's not presume ransomware for OT has not happened. I have myself worked on the analysis of ransomware TTPs that have been written targeting OT OEM applications and halting production. If you read the TTPs used by SNAKE ransomware, it has killed specific exe files of OEM applications such as Proficy and Siemens; please refer to the blog by Mandiant (Google Cloud now). So the adversaries are always learning the OT environment and crafting novel malware and ransomware and reaching the environments through different initial entry points. In my capacity as an ICS cybersecurity researcher, I have conducted various proprietary research to analyse TTPs of incidents in different OT environments.

Daniel Castillo

OT Cybersecurity Consultant | Enterprise IT & IACS Cybersecurity | IEC 62443

4mo

Well written Daniel. Very insightful and aligns with my thoughts on the topic. My only point of disagreement is around the scope of education for engineers and technicians. While it is "unlikely" that ransomware will hit the ICS environment, we have to face the reality that many IT-OT environment interfaces are poorly managed and architected. Whether it be a risky workflow or a configuration flaw, ransomware can hit the ICS environment and people need to be aware. These types of scenarios are generally coincidental or opportunistic, and will rarely if ever target the L1/2 zones (like you said, we're not talking about bricking of field equipment here, only traditional IT focused ransomware). The key to combating this is engineering a level of cyber resilience into the ICS environment so encryption of the supervisory components at L3 and L2 (EWS, OWS, SCADA, DCS, etc), is not detrimental to the process operation. This provides the required time to properly perform rebuild, and validation to ensure SRP on-going. Resiliency uplift might come in the form of playbooks for executing zone separation, or even measures to activate additional site resources to function in a manual mode of operation for an extended period of time.

SHARMITH RAMESH

Information & Cyber Security Risk Management Professional | IT-OT Security Architect | AI & Emerging Tech Advocate | Cyber Security Consultant & Advisor | Compliance & Data Protection Expert

4mo

I am not sure whether it is right to assume that all such OT process data which might be affected by a ransomware threat has a backup done per RPO requirements and that there are recovery drills performed regularly for assurance on it. Also, we may be negating the grey hat hackers who may be doing it to satisfy their ego without any financial gain. Still, the impact is the same.
