Ransomware & Industrial Control Systems: Never the twain shall meet – until now!

If ransomware infects and encrypts a device you might swap it out for another device, but Andrew Cooke explains, if HMI devices get infected, unplugging equipment isn’t always feasible, so the critical thing has to be prevention.

For many of us, the image conjured when thinking of power plants and oil refineries is of expansive concrete plants, protected by razor wire fences that are regularly patrolled by burly security teams holding back aggressive dogs with teeth bared. Of course, it would be considered suicide to try and scale the fences and out run the dogs so today’s attackers are looking for alternative ways to scale the fences, and they’re finding them – virtually.

Tunneling through defences

From the outset, Industrial Control Systems were designed to be as secure as the facilities they were installed within. Safe behind physical perimeters, computers were then ‘air-gapped’ to segregate them from other computers and network devices, incapable of connecting wirelessly or physically. The theory was that someone would need to gain physical access to a machine to infect or tamper with it.

While in principle this practice would appear to be a sound strategy the truth is, in the real world, air-gaps simply don’t exist – as demonstrated by Stuxnet. The centrifuges within the uranium enrichment plant in Iran were air- gapped yet hackers were still able to infiltrate them with a worm designed to spread surreptitiously via a flash drive. It’s not an isolated case as researchers have also demonstrated that air-gapped systems can be attacked via radio waves. There are also reports that the NSA has proven this practice effective and has been using a sophisticated version for years to collect information from air-gapped machines.

More recently LogicLocker Ransomware has been making headlines as it too has proven that it can jump the gap and infect Programmable Logic Controllers (PLCs) The researchers behind this proof-of-concept ransomware were able to infect two different PLC models with a ‘cross-vendor worm.’

That said, the point of entry that most hackers will aim for is going to be the Human-Machine Interface (HMI), not least because many are making it remarkably easy for them to penetrate here. Wannacry illustrated rather effectively just how many unpatched, outdated and even unsupported operating systems there are running HMIs across a wide range of infrastructure. Don’t be fooled into thinking that it’s just old kit in old power plants, as relatively modern equipment is running older or unpatched systems. There was a report recently of a new nuclear warship that was still running Windows XP.

This all demonstrates that someone, with enough determination, can get into these very sophisticated environments.

What do they want

What would happen if ransomware managed to access HMIs? Very simply – a whole load of bad!

Ransomware typically infects and encrypts a device and, if compromised, the quickest way to restore services is to swap it out for another device, reinstall original software and restore systems and files from the most recent backup to get up and running again.

As control systems are managed by a PC of some description they could be infected and, from there, the ransomware could then jump to the HMI and from there over to the control system. This would put the entire operating system out of action, which is unlikely to be resolved either by swapping out the PC or installing a backup, leaving little option but having to pay the ransomware.

Accepted that this is theoretical as, even with the recent outbreaks of WannaCry, [Not]Petya, etc, there have been no reports of real world infections – yet.

When Shamoon 2 started spreading through South East Asia, there were suggestions that the worm – ‘Magic Hand’ attached to it allowed it to jump from system to system, and left many speculating that it could cross the divide from the IT to OT (Operation Technology) and from there to control systems. While currently Shamoon is a data-wiping malware, there’s no technical reason that the worm couldn’t be ransomware laden instead.

Creating a stronger barrier

If HMI devices get infected, unplugging equipment isn’t always feasible, so the critical thing has to be prevention. Here’s some steps to raise and strengthen the defences around ICS:

  • Air-Gapping as a technique needs to be made as effective as possible. This mean ensuring that policies are appropriate, and are applied to enterprise and OT networks. For example monitoring the use of USB sticks and, before any are passed between networks, that they are tested on a dedicated computer – ie ‘sheep dipped’ to check for irregularities or uninvited code
  • Ensure all virus protection is up to date on all machines that can be installed both on IT and OT networks.
  • Understand what polices are and train people in those appropriate policies.
  • As with most current ransomware threats, the point of entry is a known vulnerability that has yet to be patched. Which begs the question – why hasn’t it been patched yet? The big challenge with ICS environments is that they need to be available 100 percent of the time and installing an update/patch requires taking the system offline which can be disruptive to delivering the organisation’s mission or critical national services. There is also concern that, applying a patch to the OS, there could be unforeseen repercussions that may cause related applications, particularly those that run critical systems, to crash. However, following WannaCry, the reality was that taking equipment down to test and then apply a patch was relatively short compared to infected systems.

Organisations need to put together a case for testing systems with updated patches and software products to fully appreciate, and understand, what the risks are of patching versus not doing anything.

  • Perform regular pen testing to obtain a holistic vulnerability assessment of systems. You can go a long way to test the systems, processes around them and identify where the risks are. Some will come from technology, some from people interacting with the technology, some from the systems and some from the applications themselves. This will help identify where controls are being circumvented and how a malevolent individual will try to break through!
  • Establish a Kill Chain – identify where attacks might stem from, analyse each point in the chain and whether controls exist and are strong enough.
  • Install an early warning system so if something does occur, it’s identified and all parties know how to respond to prevent malware and other malevolent software detonating. As part of this business continuity plan, identify what can be taken offline and will continue to carry on working so that, if malware does find its way onto the network and the HMI is affected, systems can be disconnected and allow critical processes to continue working while action is taken.

As working practices have evolved, and technology advanced, increasingly connections are tolerated. The issue is that, once you’ve established IT connectivity it’s difficult to put the genie back in the bottle. Each of these avenues acts as a potential point of weakness that can be compromised by hackers burrowing in or malware – such as ransomware, detonating internally and then radiating out.

With networks a veritable rabbit warren of interconnectivity, how you prepare to respond if malware does try to hop across from IT to OT will make the difference.

Article written by Andrew Cooke, head of cyber consulting, Airbus Cyber Security and originally published in SC Magazine