Protecting HMIs from ransomware threats
When it comes to on industrial cyber security issues, a good backup is the best defense. It is the one activity that increases automation system robustness against hardware failures as well as internal and external cyber threats. This is especially true with the backups of the databases associated with an automation system human-machine interface (HMI).
The cyber threat landscape changes daily. One increasing threat that you have surely heard of in the main stream media is ransomware. This attack essentially finds files that might have value, encrypts them and then asks for money for the key. This attack is not initiated by the idle teenage hacker. Many of the purveyors behind this kind of attack have 24/7 staffed call centers, sophisticated software distribution schemes, and easy methods to accept Bitcoin payment. If you pay them it is quite likely that you will get the data back. If ransomware routinely destroyed data, why would anyone pay? That’s bad for business.
Hospitals are the latest targets of this kind of attack for a couple of reasons. First, they have a lot of valuable and sensitive data, which because of healthcare privacy laws, is not always backed up or duplicated. Since the data is not removed from the hospital servers they aren’t required to report it as a breach. This allows everyone to keep it hush-hush. Even the U.S. Secret Service suggests that an owner just pay up and that in the future they invoke better network security and backup procedures. How does this relate to industrial control systems?
Like hospitals, many HMI databases are not routinely backed up. These databases which manage point data (status, values, etc.) are likely derived from commercial off-the-shelf (COTS) software and are exactly what the people behind the Ransomware are looking to encrypt. Imagine one day all the operator stations lock up. When you go check the server, you see a little window that asks for the key to unlock the database for only $2,000 in Bitcoin.
While plants might not seem like something that would be specifically targeted, ransomware is commercially available (remember: it’s a business) and there are a lot of purveyors who love this business model. With so many players, it is indeed possible that a plant’s system be unintentionally exposed to this type of threat through a USB memory stick, service laptop, or a leaky firewall.
All is not lost, however. If the plant has a recent backup, then all the plant has to do is run a malware removal tool and reinstall the database from the backup made the previous month.
After this is done, most security professionals suggest the following steps to make future attacks less likely:
- Monitor for failed logins on your servers
- Strong passwords for the service accounts (20 characters or more)
- Password-protect the backups.
Can’t find that backup? "Brother, can you spare some Bitcoin?"
This post was written by Bruce Billedeaux. Bruce is a senior consultant at Maverick Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. Maverick delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more.
Maverick Technologies is a CSIA member as of 4/12/2016