Current issues in industrial cybersecurity

Ransomware is as loathsome as it sounds, and programmable logic controllers (PLCs) are seen as likely targets.

By Kevin Parker February 27, 2017

A meteoric rise in ransomware attacks in the past year is disturbing news for engineers in manufacturing and production environments. Ransomware, as you might imagine, is a kind of malicious software used by criminals to prevent access to a computing system until their demands are met.

Executing a ransomware attack doesn’t require programming skills per se, as kits for committing such attacks are readily available today in some of the Internet’s darker corners, either for free or for a small fee.

The number of ransomware attack attempts rose from nearly 4 million in 2015 to 638 million in 2016, a more than 167-fold year-over-year (YOY) increase, per SonicWall’s recently released 2017 Annual Threat Report. "The meteoric rise of ransomware in 2016 is unlike anything we’ve seen in recent years," the report said.

Want proof the threat is real? Even though many intrusions go unreported, at least 15 major industrial incidents are known to have occurred in 2015 and 2016, per the Booz Allen Hamilton Industrial Cybersecurity Threat Briefing. They include the following:

  • In April 2016, cybercriminals delivered ransomware via phishing to the corporate network of the Board of Water & Light (BWL), a Michigan-based public electric and water utility. Administrators shut down the corporate network to isolate the ransomware and prevent it from potentially moving into the operations-technology (OT) environment.
  • In December 2015, an allegedly Russia-backed group established remote access to the supervisory control and data acquisition (SCADA) systems of three electricity distributors in Ukraine after obtaining valid network credentials via spearphishing. The threat actors used that access to systematically open breakers, causing blackouts for 225,000 customers.
  • In June 2015, a cybercriminal advertised the sale of SCADA access credentials on a Dark Web forum dedicated to selling stolen data. The post included a screenshot of a SCADA graphical user interface, IP addresses, and Virtual Network Computing (VNC) passwords for a SCADA system managing a hydroelectric generator.

Hands on the problem

To better understand the threat, cybersecurity researchers at the Georgia Institute of Technology recently developed a form of ransomware that was able to take over control of a simulated water treatment plant, according to a Georgia Tech Research Horizons news release. After gaining access, the researchers took command of programmable logic controllers (PLCs) to shut valves, increase the amount of chlorine added to water, and display false readings.

The simulated attack highlights vulnerabilities in industrial control systems (ICS) found in manufacturing and production plants, the researchers said. Believed to be the first demonstration of a ransomware compromise of real PLCs, the research was presented this February at the RSA Conference in San Francisco.

Per SonicWall, ransomware is typically delivered by phishing campaigns and hidden from detection by Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption, which prevents network defenses from inspecting the payload in transit. Phishing is a malicious attempt to gain information or access by posing as a trustworthy entity in an electronic communication. TLS and SSL are both cryptographic protocols for communications security; SSL is the older, now-deprecated predecessor of TLS.

The rise of ransomware-as-a-service, in the form of the kits already mentioned, makes it easier than ever for cybercriminals to access and deploy ransomware, SonicWall said. Companies are struggling to protect themselves and to form a response to dilemmas raised by the emerging cyberthreat.

By the end of 2016’s first quarter, $209 million in ransom had been paid by companies, and by mid-2016, almost half of surveyed organizations reported being targeted by a ransomware attack in the prior 12 months, SonicWall said.

Companies of all sizes underwent ransomware attacks last year, SonicWall said, although many were never publicized. On record, though, are paid bitcoin ransoms worth more than $20,000. A full post-attack clean-up, including response, stabilization, and restoration, easily runs into millions of dollars.

A brief demonstration

Many ICSs lack strong security controls. It’s therefore only a matter of time before critical industrial systems are compromised and held for ransom, as compromising the PLCs in these systems is the next logical step for these attackers, the Georgia Tech researchers said.

For their demonstration, Raheem Beyah, a Motorola Foundation professor and associate chair at the School of Electrical and Computer Engineering, and David Formby, a Ph.D. student in the same school, found 1,400 PLCs of a single type that were directly accessible across the Internet.

To start, the researchers identified several common PLCs used at industrial facilities. They obtained three different devices and tested their security setup, including password protection and susceptibility to settings changes. The devices were then combined with pumps, tubes, and tanks to create a simulated water treatment facility.

Most PLCs sit behind business systems that protect them to a degree, until the business network is compromised. Once attackers get into a business system, the control systems may not be properly walled off, the researchers said. In too many enterprises, anyone on the network is authorized to make changes to the control systems. Weak password and security policies could let intruders take control of pumps, valves, and other key components of an ICS.

In fact, control systems never meant to connect to the Internet are connected to it today, while users persist in assuming those systems aren’t on a public network and aren’t susceptible to attack. The researchers pointed out that ICS often have connections unknown to operators, including for maintenance, troubleshooting, and updates.

Sound advice

The Booz Allen briefing confirms that spearphishing is the primary method of attack. It was the "initial attack vector for Operation Clandestine Wolf, one of the largest ICS attack campaigns [of 2016], as well as attacks on a German steel mill and Ukrainian electricity distributors, the two most destructive attacks disclosed [in 2015]," the report said.

While there are as yet no reported ransomware attacks on ICSs, their vulnerability has been well known for more than a decade. The difference today is that the availability of the bitcoin digital currency allows criminals to profit from attacks without leaving a conventional money trail. As businesses and other types of ransomware targets become more difficult to penetrate, the Georgia Tech researchers believe attackers may turn to ICS as easier targets.

In addition to improving password security and limiting connections, they said operators should install intrusion-monitoring systems on the process-control networks themselves, so that they are alerted when an attacker who has already crossed over from the business network starts issuing commands to controllers.
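The kind of monitoring the researchers recommend can be built from the control protocol itself: the commands the simulated attack used (shutting valves, changing a chlorine dose) are write requests to a PLC, which are rare on a stable process network and should come only from known hosts. The following is an added example, not code from the Georgia Tech study or from this article. It assumes the PLCs speak Modbus/TCP (an assumption; the article does not name a protocol), treats holding register 100 as a hypothetical chlorine-dosing setpoint with an allowed range of 0..500, and runs over constructed frames rather than a real capture.

```python
"""Flag PLC write commands on a process-control segment (Modbus/TCP).

Added example; the protocol, addresses, host list and traffic are assumptions.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Modbus function codes that change controller state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Hosts permitted to write (assumed: only the HMI server).
ALLOWED_WRITERS = {"10.10.1.5"}
# Hypothetical register map: address -> (min, max) of a process setpoint.
SETPOINT_LIMITS = {100: (0, 500)}


@dataclass
class ModbusRequest:
    unit_id: int
    function: int
    address: Optional[int] = None                    # start address, if present
    values: List[int] = field(default_factory=list)  # written values, if any


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the PDU fields the monitor needs."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:          # MBAP length covers unit id + PDU
        raise ValueError("MBAP length %d does not match frame" % length)
    pdu = frame[8:]
    req = ModbusRequest(unit, fc)
    if fc in (1, 2, 3, 4, 5, 6):          # reads and single writes: addr, qty/value
        if len(pdu) < 4:
            raise ValueError("truncated PDU for function %d" % fc)
        req.address, word = struct.unpack(">HH", pdu[:4])
        if fc in (5, 6):
            req.values = [word]
    elif fc == 16:                        # addr, qty, byte count, N x 16-bit values
        if len(pdu) < 5:
            raise ValueError("truncated PDU for function 16")
        req.address, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) < 5 + nbytes:
            raise ValueError("byte count does not match register count")
        req.values = list(struct.unpack(">%dH" % qty, pdu[5:5 + nbytes]))
    elif fc == 15:                        # addr, qty, byte count, packed coil bits
        if len(pdu) < 5:
            raise ValueError("truncated PDU for function 15")
        req.address, _qty, nbytes = struct.unpack(">HHB", pdu[:5])
        req.values = list(pdu[5:5 + nbytes])
    return req


def inspect_request(src: str, dst: str, frame: bytes) -> List[str]:
    """Return alert strings for one request; an empty list means benign."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ["%s -> %s: malformed Modbus/TCP frame (%s)" % (src, dst, exc)]
    alerts: List[str] = []
    if req.function not in WRITE_FUNCTIONS:
        return alerts
    name = WRITE_FUNCTIONS[req.function]
    if src not in ALLOWED_WRITERS:
        alerts.append("%s -> %s: %s at address %d from host not allowed to write"
                      % (src, dst, name, req.address))
    if req.function in (6, 16):           # register writes: check setpoint bounds
        for offset, value in enumerate(req.values):
            limits = SETPOINT_LIMITS.get(req.address + offset)
            if limits and not limits[0] <= value <= limits[1]:
                alerts.append("%s -> %s: register %d set to %d, outside %d..%d"
                              % (src, dst, req.address + offset, value, *limits))
    return alerts


def build_frame(unit: int, fc: int, body: bytes, tid: int = 1) -> bytes:
    """Assemble a Modbus/TCP request (used only to construct sample traffic)."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def monitor(traffic: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run every captured (src, dst, frame) triple through inspect_request()."""
    alerts: List[str] = []
    for src, dst, frame in traffic:
        alerts.extend(inspect_request(src, dst, frame))
    return alerts


PLC, HMI = "10.10.2.10", "10.10.1.5"
ROGUE = "10.10.1.77"   # assumed: a workstation reached from the business network

# Constructed sample traffic, not a real capture.
SAMPLE_TRAFFIC = [
    (HMI, PLC, build_frame(1, 3, struct.pack(">HH", 100, 2))),       # read setpoints
    (HMI, PLC, build_frame(1, 6, struct.pack(">HH", 100, 250))),     # normal setpoint
    (ROGUE, PLC, build_frame(1, 5, struct.pack(">HH", 12, 0))),      # valve coil off
    (ROGUE, PLC, build_frame(1, 16, struct.pack(">HHBH", 100, 1, 2, 2500))),  # overdose
    (ROGUE, PLC, b"\x00\x05\x00\x00\x00\x02\x01"),                   # truncated frame
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_TRAFFIC):
        print(line)
```

Run against the sample traffic, the two HMI requests pass silently, the rogue host's coil write and register write each raise an alert, the out-of-range dose raises a second one, and the truncated frame is reported as malformed rather than being silently skipped. On a real network the frames would come from a span port or tap rather than a list, and the allowlist and register map would be filled in from the plant's own documentation.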

The penetration of control networks by way of enterprise networks is also on the rise, Booz Allen confirmed, basing its conclusion on a study by the Department of Homeland Security. While intrusions via enterprise networks remained a small share of reported incidents in 2015, at 12%, the number of such intrusion attempts grew by 33% during that time. The total number of incidents reported by ICS operators rose by 20% in 2015.

Attacks on control systems can lead to "tangible impacts," said Booz Allen, making them choice targets for attack. Instead of simply encrypting files, as when a business is attacked, ransomware attacks on ICS could disrupt operations or prevent access to an asset.

The incorporation of ransomware into exploit kits enables a profitable build-once, infect-many approach, Booz Allen said. It has led to a veritable army of attackers, ensuring massive infection rates. Infections for some variants were estimated at 90,000 machines per day in February 2016, according to Forbes magazine. In fact, per the Cyber Threat Alliance, between January and October 2015 an estimated $325 million in revenue was generated by just one variant, CryptoWall version 3.0.

The problem is only compounded, Booz Allen pointed out, because ICS are often older systems that cannot simply be restored from backup. It may also be difficult to obtain a known-clean copy of the system software and configuration settings. Access to the system itself may be difficult, and there may be a shortage of trained personnel for the restoration.
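Whether a known-clean copy of a controller's configuration exists is something an operator can check before an incident rather than during one. The example below is added here and is not from the Booz Allen briefing: it records a SHA-256 manifest for a directory of exported PLC project files and later reports which of them were modified, deleted or newly added (as a ransomware run that encrypts files and drops new ones would do). The directory layout and file contents are constructed for the demonstration.

```python
"""Record and verify a golden copy of PLC project and configuration exports.

Added example; the file names and contents are constructed, not real exports.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large project exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against(root: Path, golden: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the directory's current state with a previously stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in golden if k in current and current[k] != golden[k]),
        "missing": sorted(k for k in golden if k not in current),
        "unexpected": sorted(k for k in current if k not in golden),
        "intact": sorted(k for k in golden if current.get(k) == golden[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a golden manifest, then simulate a ransomware run and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plc_exports"
        (root / "line1").mkdir(parents=True)
        # Constructed stand-ins for exported controller projects and settings.
        (root / "line1" / "dosing_plc.project").write_text("chlorine setpoint 250\n")
        (root / "line1" / "pump_station.xml").write_text("<plc name='pump1'/>\n")
        (root / "network_map.txt").write_text("10.10.2.10 dosing_plc\n")

        golden_path = Path(tmp) / "golden_manifest.json"   # keep this copy offline
        golden_path.write_text(json.dumps(build_manifest(root), indent=2))

        # Later: one file rewritten, one deleted, one encrypted copy dropped.
        (root / "line1" / "dosing_plc.project").write_text("chlorine setpoint 2500\n")
        (root / "network_map.txt").unlink()
        (root / "line1" / "pump_station.xml.locked").write_bytes(b"\x00garbage\x00")

        golden = json.loads(golden_path.read_text())
        return verify_against(root, golden)


if __name__ == "__main__":
    for category, names in demo().items():
        print("%-10s %s" % (category, ", ".join(names) or "-"))
```

The manifest is only as trustworthy as its storage: keep it, and the exports it describes, on media the control and business networks cannot write to, or the same attacker who encrypts the projects will rewrite the hashes. A verified "intact" list is what tells the restoration team which files they can load back onto a controller without first re-validating the logic by hand.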

"Frequency and severity of ransomware infections on ICS networks are likely to increase," the Booz Allen briefing concluded.

Government help

In April 2016 the National Institute of Standards and Technology (NIST) of the U.S. Commerce Department issued a draft profile of the NIST Cybersecurity Framework tailored to the manufacturing industries. The profile, says the institute, gives manufacturers a simple method to indicate the types of controls they have in place to protect their manufacturing system resources and operational data. It allows them to evaluate their ability to operate the control environment at an acceptable risk level. In addition, the framework outlines a standardized approach to preparing a cybersecurity plan that validates system security.

The profile is built around the primary functional areas of the NIST Cybersecurity Framework and enumerates basic cybersecurity functions and activities. The five primary functional areas are: identify, protect, detect, respond, and recover. Within them the profile defines 98 distinct security objectives, which serve as a starting point for developing a manufacturer-specific or sector-specific profile that accounts for low, medium, and high risk levels. Besides prioritizing the functions and categories found in the NIST Cybersecurity Framework, use of the profile can help identify the subset of security practices relevant to supporting enterprise goals.

Final words

In February, IBM, Nokia, Palo Alto Networks, Symantec, and Trustonic formed the IoT Cybersecurity Alliance. The companies say they’ll work together to help find solutions for top IoT security challenges, while raising awareness of how to better secure the IoT ecosystem. In a survey last year, AT&T reported a 3,198% increase in attackers scanning for vulnerabilities to exploit in IoT devices. Approximately 58% of survey respondents said they were not comfortable with the security of their devices.

"The explosive growth in the number of IoT devices is only expected to continue; therefore, so must the associated cybersecurity protections," said Mo Katibeh, AT&T senior vice president of advanced solutions. "Today’s businesses are connecting devices ranging from robots on factory floors to pacemakers and refrigerators. Helping these organizations stay protected requires innovation across the whole IoT ecosystem to enable sustainable growth."

The Alliance members say protection at the endpoint, network, cloud, and application layers is relevant to good IoT security. They also believe in the use of threat analytics and in designing products with built-in and "always-on" security. They plan both to advise consumers and to educate manufacturers and developers on what is needed to create a safer, more secure IoT ecosystem.

This is all to say that the dangers of ransomware and other kinds of cybercrime have drawn the attention of technology leaders. Not addressing the threat endangers their customer base, technology infrastructure, and plans for the future.

Nevertheless, no matter how well threats against ICS are addressed, at no point will every possible risk have been mitigated, whether because of financial, technical, or even political constraints. The experts’ advice is to take an incremental approach: focus first on high-impact, low-cost steps that eliminate imminent risk, while working toward a long-term strategy.

2016 industrial cybersecurity developments summarized

Other current and noteworthy cyberthreat developments mentioned in SonicWall’s recently released 2017 Annual Threat Report include the following:

  • Poorly designed IoT devices are being compromised for use in massive distributed denial-of-service (DDoS) attacks.
  • Secure Sockets Layer/Transport Layer Security (SSL/TLS)-encrypted malware provides an uninspected backdoor into networks that cybercriminals can exploit. At the same time, SSL/TLS-encrypted traffic grew by 34%, partly in response to growing cloud application adoption.
  • Android devices saw increased security protections but remained vulnerable to overlay attacks.

On the other side of the ledger, the often-seen exploit kits Angler, Nuclear, and Neutrino disappeared in mid-2016. What’s more, unique malware samples collected fell to 60 million in 2016, compared with 64 million in 2015, a 6.25% decrease. Total attack attempts dropped for the first time in years, to 7.87 billion in 2016 from 8.19 billion in 2015.

Kevin Parker is senior content manager, CFE Media.

Author Bio: Senior contributing editor, CFE Media