The Ransomware Threat to ICS Security

Industrial control systems (referred to as ICS) have faced an ever-growing volume of threats over the past few years. From 2015 to 2016, IBM Managed Security Services reported a 110 percent increase in ICS cybersecurity attacks. The US accounted for most of these incidents, given it has the most Internet-connected ICS networks on the planet, but the effects were still geographically widespread. In December of 2015, a Ukrainian power company suffered an outage caused by a malware attack titled BlackEnergy; in 2016, the United States Department of Justice charged seven Iranians for coordinating cyberattacks against a dam in Rye, New York; that same year, an unnamed European energy company was attacked by a sophisticated strain of malware titled SFG; in 2017, FireEye responded to a malware attack against an unnamed critical infrastructure organization; and the list goes on. At the same time, the prevalence of ransomware attacks has dramatically increased. From February 2015 to mid-2016, the ransomware Teslacrypt struck online gamers worldwide; from early 2016 to mid-2017, the Petya ransomware heavily hit Ukraine (in addition to numerous other countries); in May of 2017, the ransomware WannaCry infected hundreds of thousands of devices around the globe, notably hospital systems across Europe; and again, the list goes on. One strain of ransomware dies, and another one (often just a slightly adapted replication) takes its place. Over the next few years, we’re going to see a rising intersection between these two – specifically, ransomware attacks against industrial control systems. As the SANS Institute and numerous other researchers have articulated, industrial control systems are quite challenging to secure. This is especially true as governments depend increasingly on private-sector infrastructure for public- and national security-related activities, which amplifies the damage that can be caused by a ransomware attack. (Imagine such an incident against an electrical grid.) This is also true as many ICS organizations bring their systems online through IoT, which dramatically increases the attack surface through which hackers can enter. Because of these factors – the high exposure and critical nature of these systems – they are an attractive target for all forms of hackers, and ransomware is a perfect, low-cost, and scalable way to strike. With the click of a button, sensitive systems can grind to a halt, held hostage by malicious actors.

How do we begin to safeguard against the ransomware threat to ICS systems?

1. Monitoring and Detection

Leverage detection technologies on your network. Use data analytics to look for anomalous activity, such as spikes in internal network activity, strange API requests from clients, and bizarre outputs from ICS sensors and other controllers. Also look for discrepancies between ICS device behavior and control system logs; after all, this was how the cyberweapon Stuxnet remained hidden on Iranian centrifuge controllers for years. Outside of your known and scheduled monitoring protocols, randomly run analytics on certain devices, or randomly monitor certain system segments. (As hackers remain semi-unpredictable on the offensive end, you should the same on the defensive.) And don’t neglect the human side: focus on preventing insider threats through user activity monitoring. As you receive threat intelligence, have that directly inform your monitoring processes and protocols.

2. Strong Security Standards

Ensure compliance with all industry and regulatory standards, such as NIST SP800-82. Check guidance from peer organizations, and read up on current ICS security literature, as well. As part of this standardization of security, secure system endpoints and ensure robust IT security protocols are in place, such as perimeter firewalls, email filtering and intrusion detection systems. Encrypt and restrict access to all documents about your system’s inner workings. Limit privileged system access as much as possible and cut off Internet access from internal control panels. Implement strict bring-your-own-device (BYOD) policies that reflect the sensitivity of your ICS environment. Conduct independent security tests of all devices and modules attached to the industrial control system, looking for default passwords, misconfigured encryption settings, and the like. Probe for vulnerabilities in your supply chain by which risk may transfer from another organization to yours. (Are contractors somehow exposing info about your systems?) And make sure to quickly patch systems as security updates are released; as the ransomware campaigns of the last few years have shown, many “new” forms of ransomware are in fact just slightly modified versions of old ones.

3. Continuity Planning

Build an extensive continuity plan – that is, assess the risk ransomware poses to your organization and understand how critical and business operations will continue in the face of an attack. For instance, build redundancies into your networks and securely segment them from one another, back up all data offsite (and heavily encrypt it), and have protocols in place to negotiate with attackers. Flush out chains of communication to notify clients and other relevant parties in the event ransomware hits your system, and factor their needs into your continuity plans. Coordination and communication are key to a timely and effective response in which you not only want to mitigate risk and “end” the attack but also resume critical operations ASAP.

4. Remembering the Human

It’s worth nothing, however, that technical flaws aren’t the only way to break into industrial control systems. Many of the aforementioned attacks (as with most cyberattacks) were executed through spearphishing campaigns and other forms of social engineering. For this reason, we cannot forget the human when preparing for ransomware attacks against ICS systems. Train your employees – all of your employees – on safe and secure cyber behavior. Frame issues in relevant ways to increase understanding, maximize retention, and change the notion that security is inconvenient. Ensure that regular re-training and re-testing programs are in place. Focus on simulations and other forms of gamification, which are especially important when dealing with systems whose downtime has direct effects on other organizations, public health, or national security. Build a strong security culture, and positively reinforce good security behavior. Most importantly, remember that cybersecurity is inherently dynamic, so don’t think that these steps will be perfect or that they won’t need to be adjusted over time. Constantly watching for new threat vectors, adapting your education programs, and changing your security policies are just some of the key components of a robust, in-depth defense posture. Be ready for change whenever it hits – in ransomware form or not.  

Image

About the Author: Justin Sherman is a student at Duke University double-majoring in Computer Science and Political Science, focusing on all things cyber. He conducts technical security research through Duke’s Computer Science Department; he conducts technology policy research through Duke’s Sanford School of Public Policy; and he’s a cybersecurity contributor for the Public Sector Digest. Justin is certified in cybersecurity policy, corporate cybersecurity management, social engineering, infrastructure protection, insider threat prevention, and homeland security planning from such organizations as FEMA, the National Institutes of Health, the U.S. Department of Homeland Security, and the U.S. Department of Defense. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.