New wave of ransomware could put utilities at risk
The recent outbreak of WannaCry Ransomware has affected more than 150 countries and has crippled the National Health Service in United States. Closer to home, more than 500 Singapore IP adrdessess were affected, and 15 or more cases reported in Hong Kong. Compared to other parts of the world, Singapore and Hong Kong emerged relatively unscathed from the vicious WannaCry ransomware. However, the stakes for protecting against ransomware are about to get higher as malicious tools evolve to target Industrial Control Systems (ICS) and threaten critical infrastructure.
Researchers have demonstrated proof-of-concept ransomware attacks against programmable logic controllers (PLC) used in many operational environments, including utilities. Unlike attacks against corporate networks, which can result in expenses and revenue loss, ICS attacks could shut down critical operational systems, damage or destroy physical equipment and threaten human safety.
Ransomware economics
Ransomware so far has been a high-volume business, blocking access and encrypting files on corporate networks and even individual computers. Not everyone pays, but if the ransom is low enough, many do pay in order to save time or avoid the inconvenience of recovering files. Paying ransom is neither recommended by experts, nor is it a guarantee files will be decrypted.
These targets provide a relatively low return for attackers, but the high volume of targets and the ease of exploiting them make it worthwhile. Hollywood Presbyterian Medical Center, for example, paid $17,000 last year to regain access to its network.
The cost of an attack can be far greater than the ransom. A small city-owned utility in Michigan suffered a ransomware attack in April 2016 that effectively shut down its e-mail and phone systems. The article indicates it cost about $2 million to clean up after the attack. The utility had "to recover control of its communications systems, identify digital vulnerabilities and apply security upgrades that would prevent or severely limit the impact of another ransomware attack.
Although utilities and hospitals are potentially high-value victims, in both of these cases corporate and administrative resources were targeted. Such attacks are serious, but less so than if critical control systems for water treatment or patient care had been at stake. So far, most successful attacks on critical infrastructure have been carried out by nation states, such as the 2015 breach of the Ukraine power grid. These exploits against critical infrastructure have not involved ransomware.
Evolution of the ransomware business model
Researchers from the Georgia Institute of Technology demonstrated proof-of-concept ICS ransomware at the RSA 2017 Conference in February. As detailed in their paper, they attacked commercial PLCs in a simulated water treatment plant using the LogicLocker ransomware worm. This enabled researches to bypass weak authentication mechanisms ultimately, "locking legitimate users from easily recovering the PLC, and replacing the program with a logic bomb that begins to dangerously operate physical outputs threatening permanent damage and human harm if the ransom is not paid in time." In the simulation, chlorine was dumped into the water supply.
Because of the premium on uptime in operational environments, PLCs often go for long periods without patching or fixing vulnerabilities. The researchers were able to find 1,846 vulnerable Internet-facing PLCs. "This only represents a small portion of the total potential attack surface," they wrote, because attackers can easily target user devices on a corporate network and use compromised access to pivot to thousands more PLCs.
PLCs are attractive, high-value targets. The ransom in such a case would be commensurate with the risk. Such attacks, however, are sophisticated and require knowledge of the underlying physical process behind the control system. Such intel can be gained via reconnaissance, if an attacker breaches a network and remains undetected.
Maintaining control of an infrastructure
Traditional perimeter defenses such as antivirus are not enough to block ransomware. The Michigan utility cited believed it was protected, only to discover that its antivirus did not detect the malicious code. And unlike traditional malware, ransomware typically does not need administrative privileges to execute and take data hostage. Instead, it exploits basic read, write and edit permissions on files, which are needed by most every employee in an organization. Making matters worse, once the ransomware infects one machine on a network, it can easily spread through network drives or by stealing and reusing credentials on connected machines.
As we have reported, the most effective way to mitigate the risk of ransomware is to prevent unknown applications from gaining the read, write and edit permissions needed to encrypt files. This applies to ICS as well as to corporate networks. Proactive measures can be taken before a threat becomes reality. Implementing application whitelisting in top-hierarchy control computers such as Human-Machine Interfaces (HMIs) represents one of the most critical steps in securing an ICS network.