Ransomware is a rising threat and its severity is only set to grow. In 2016, ransomware attacks increased by almost 17,000 per cent on the previous year, with 15 per cent of them seeking to hold data to ransom in the mechanical and industrial sectors. Until recently, however, these attacks targeted only the IT side of industrial environments. A number of industry professionals have since highlighted the threat ransomware poses to OT (Operational Technology). To help establish how serious that risk is, we recently undertook detailed research, presented at the ICS Cyber Security Conference in Singapore, developing the Proof of Concept (PoC) “Scythe” to evaluate whether cybercriminals could build a new industry out of ransomware for ICS field devices.
Applied Risk has witnessed a trend in which threat actors are rapidly shifting their focus. Where targets previously included financial services and banks, industrial environments now represent an increasingly lucrative target. This is due to the high monetary value of a production ‘batch’ and the financial loss its destruction or contamination would incur. Notably, the threat actors behind malicious attacks against industrial environments are not limited to cybercriminals seeking financial gain; they could also include nation states, state-sponsored actors and potentially even competitors seeking an edge.
The PoC demonstrated that a target field device could be compromised and, approached as a black box, used as the development environment for building and spreading ransomware:
- Find the target field device
- Infect the target device and load the ransomware
- Send the ransomware note
- Collect the ransom
The result is that, once infected, the device is either unlocked when a ransom is paid, or the organisation in question is left to suffer severe disruption to mission-critical processes.
In meeting and mitigating the threats ransomware poses to industrial systems, asset owners have a number of strategies available: enforcing strong passwords, proactive supply chain control, effective backups and incident response capabilities. Beyond this, organisations should ensure that control systems are properly segmented and not exposed directly to the internet in the first place.
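As an added illustration of the segmentation point (example code written for this page, not Applied Risk's research tooling or the Scythe PoC), the following Python script audits a firewall rule set for rules that let traffic from outside an assumed OT address range reach well-known ICS protocol ports. The OT range, the rule tuple format and the sample rules are constructed assumptions; the port numbers are the IANA-registered ones for each protocol.

```python
"""Audit firewall/ACL rules for ICS protocol ports reachable from outside the OT zone.

Added example, not from the original article. The OT address space, the rule
format (action, source CIDR, destination CIDR, port) and SAMPLE_RULES are
constructed assumptions for illustration.
"""
import ipaddress

# Well-known ICS/OT protocol ports (IANA registrations).
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Assumed OT address space; any source outside it is treated as a foreign zone.
OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample rules, evaluated top to bottom: (action, src, dst, port|"any").
SAMPLE_RULES = [
    ("allow", "10.10.1.0/24", "10.10.2.0/24", 502),        # intra-OT Modbus, fine
    ("allow", "0.0.0.0/0", "10.10.2.15/32", 502),          # Modbus from the internet
    ("allow", "192.168.50.0/24", "10.10.2.0/24", "any"),   # IT zone reaches every OT port
    ("allow", "192.168.50.10/32", "10.10.3.1/32", 44818),  # one IT host to EtherNet/IP
    ("deny", "0.0.0.0/0", "10.10.0.0/16", "any"),          # catch-all deny
    ("allow", "10.10.5.0/24", "10.10.6.0/24", 20000),      # intra-OT DNP3, fine
]


def in_ot_zone(cidr):
    """True if the whole CIDR lies inside the assumed OT address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == ot.version and net.subnet_of(ot) for ot in OT_NETWORKS)


def touches_ot_zone(cidr):
    """True if the CIDR overlaps any OT network (a partial overlap still counts)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == ot.version and net.overlaps(ot) for ot in OT_NETWORKS)


def audit_rules(rules):
    """Return (rule_index, severity, src, dst, port, protocol) for each exposure.

    An exposure is an allow rule whose source is outside the OT zone, whose
    destination reaches into the OT zone, and whose port is an ICS protocol
    port (or "any", which exposes all of them). Sources that cover the whole
    address space (prefix length 0) are rated critical; other foreign sources
    are rated high.
    """
    findings = []
    for idx, (action, src, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        if not touches_ot_zone(dst):
            continue  # does not reach the control network
        if in_ot_zone(src):
            continue  # intra-OT traffic; zoning inside OT is a separate question
        if port == "any":
            exposed = sorted(ICS_PORTS)
        elif port in ICS_PORTS:
            exposed = [port]
        else:
            continue  # non-ICS service, out of scope for this check
        src_net = ipaddress.ip_network(src, strict=False)
        severity = "critical" if src_net.prefixlen == 0 else "high"
        for p in exposed:
            findings.append((idx, severity, src, dst, p, ICS_PORTS[p]))
    return findings


def format_report(findings):
    """Render findings as one line each, most severe first."""
    order = {"critical": 0, "high": 1}
    lines = []
    for idx, sev, src, dst, port, proto in sorted(findings, key=lambda f: (order[f[1]], f[0])):
        lines.append(f"[{sev.upper():8}] rule {idx}: {src} -> {dst} tcp/udp {port} ({proto})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_rules(SAMPLE_RULES)))
```

The check is deliberately conservative: a rule that only partially overlaps the OT range is still reported, and a port of "any" is expanded to every ICS port so the report shows exactly which protocols the rule exposes. Feeding it an export of the real rule base rather than the constructed sample is the only change needed to use it on a live segmentation review.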
For ICS manufacturers, Applied Risk recommends implementing ‘Secure by Design’ concepts, making sure that every device manufactured is built with the highest level of security in mind. Security is further strengthened through product testing and by disabling unused interfaces and ports. Security through obscurity, relying on secrecy around internal product designs, is no longer a strategy that can be relied on.
Effective security strategies begin with risk mitigation in mind, moving from a device-by-device approach to holistic security practices. With mature processes, technologies and security awareness training for the engineering community in place, risk is reduced and can be handled more effectively should a breach occur. In support of global security best practice, our research is designed specifically to identify emerging threats and provide comprehensive solutions.
Applied Risk follows a strict vulnerability disclosure policy, ensuring our clients are informed and given the greatest level of protection possible. As such, we continue to work closely with the affected vendors, as well as with Information Sharing and Analysis Centers (ISACs), to address these issues.