
Once upon a time, operational technology (OT) enjoyed little-to-no connectivity with the web. Industrial system attack surfaces were quite small, with physical access acting as the overriding attack vector in many security incidents that did occur (including Stuxnet). It was a simpler time.

But all that changed with the Industrial Internet of Things (IIoT). Manufacturing and other industries now increasingly integrate IoT devices into their OT environments. Unfortunately, with greater connectivity comes greater exposure to IT-based digital threats like ransomware. These scourges don’t necessarily need physical access to get the job done. Some affect OT systems simply by piggy-backing off infected IoT devices.

That’s exactly what happened to one factory when a ransomware infection spread from its smart coffee machine to its programmable logic controller (PLC) monitoring system.

Coffee Can Cure Mornings, But It Can’t Cure Ransomware!

In June 2017, a local control room operator called up a chemical engineer who goes by the name “C10H15N1” on Reddit. C10H15N1 works as a PLC expert for a company that owns multiple petrochemical factories based in Europe.

As such, C10H15N1 receives an alert when a PLC starts acting up, and they serve on a team that’s responsible for programming software used by the company’s central control room to monitor all factories remotely.

The operator told C10H15N1 that computers connected to their local factory’s control system displayed an error. C10H15N1 checked the data coming out of the factory. Everything looked normal except for the monitoring system, which appeared to have crashed.

C10H15N1 decided to get more information from the operator. They recount this effort in a post submitted to Reddit:

“As I’m part of the team working on the monitoring software I’ll take over the call, while my colleague will keep monitoring the situation. I asked the operator what was happening on his screens, and he starts describing something that sounds very similar to an infamous ransomware attack. Which is problematic, because the computers running the monitoring software are not connected to the internet.”

The chemical engineer doesn’t identify the “infamous ransomware attack” in their post. But they do say that the affected machines were running an out-of-date version of Windows XP, which means WannaCry or NotPetya could have been responsible.

Apparently, C10H15N1’s company can’t update the monitoring software on their own. They must wait for the local government to validate a new version of the software when the factory is down. This verification process happens only about every five years or so when all of the company’s clients go down for a big maintenance check-up.

Unable to update the infected computers’ software, C10H15N1 instructed the operator to reboot the machines and begin the reimaging process. The monitoring system, which is connected to its own internal control room network, remained up for a short period of time. But one by one, the computers attached to that system started showing the same error message again.

None of it made sense to C10H15N1. While the chemical engineer tried to figure out what was happening, the operator went to go get some coffee. They came back shortly thereafter without any coffee and said the smart coffee machine displayed the same error message.

It all made sense at that point. As the PLC expert explains:

“So long story short, the coffee machines are supposed to be connected to their own isolated WiFi network, however, the person installing the coffee machine connected the machine to the Internal control room network, and then when he didn’t get internet access remembered to also connect it to the isolated WiFi network. The operator contacted us about his monitoring system not working but forgot to mention the Coffee Machines were showing the same error.”

Fortunately, the ransomware infection never affected any of the factory’s PLCs. But that didn’t stop C10H15N1’s company from writing a strongly-worded letter to the external company responsible for managing the coffee machine. All clients of that coffee machine provider subsequently went without working machines while the company worked to address the infection.

Visibility Is Key for Industrial Security

No doubt the service provider could have done a better job securing its coffee machines from the start. But in a world of growing supply chain security risks, organizations are ultimately responsible for protecting their industrial environments. Such an effort should include scanning the internal network for all connected assets, including coffee machines that lack authorization.
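
The check described above, sketched as an added example that is not part of the original article: it compares assets observed on each network segment against an authorized inventory and flags any device present on more than one segment, which is the misconfiguration in this incident. The segment names, MAC addresses, hostnames and the inventory format are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (segment, mac, hostname) rows such as might be
# exported from DHCP leases or ARP tables. All values are made up.
OBSERVED = [
    ("control-room",  "02:00:00:aa:01:10", "hmi-01"),
    ("control-room",  "02:00:00:aa:01:11", "hmi-02"),
    ("control-room",  "02:00:00:10:00:01", "coffee-3f"),  # wired interface
    ("isolated-wifi", "02:00:00:10:00:02", "COFFEE-3F"),  # WiFi interface
    ("isolated-wifi", "02:00:00:20:00:09", "vending-1"),
]

# Hypothetical authorized inventory: MACs allowed on each segment.
AUTHORIZED = {
    "control-room": {"02:00:00:aa:01:10", "02:00:00:aa:01:11"},
    "isolated-wifi": {"02:00:00:10:00:02", "02:00:00:20:00:09"},
}

def unauthorized_assets(observed, authorized):
    """Return the observed rows whose MAC is not allowed on that segment."""
    return [
        (seg, mac, host)
        for seg, mac, host in observed
        if mac.lower() not in authorized.get(seg, set())
    ]

def bridging_devices(observed):
    """Return {identity: sorted segments} for devices seen on 2+ segments.

    A device with separate wired and WiFi interfaces shows a different MAC
    on each network, so rows are matched on hostname as well as on MAC.
    """
    seen = defaultdict(set)
    for seg, mac, host in observed:
        seen[("mac", mac.lower())].add(seg)
        if host:
            seen[("host", host.lower())].add(seg)
    return {key: sorted(segs) for key, segs in seen.items() if len(segs) > 1}

if __name__ == "__main__":
    for row in unauthorized_assets(OBSERVED, AUTHORIZED):
        print("not authorized on segment:", row)
    for key, segs in bridging_devices(OBSERVED).items():
        print("present on multiple segments:", key, segs)
```

Hostnames are client-supplied and can be blank or changed, so a hostname match is a lead to investigate rather than proof that two interfaces belong to the same device.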

  • Khürt L. Williams

    Isn’t C10H15N1 the chemical structure of methamphetamine?

    • Almost, it's C10H15N! Someone else must already have that username.

  • In what fantasy land is a network switch located in a break room physically tied in with plant controls?