A cyber-threat to industrial control systems is emerging in which attackers demand payments for them not to disrupt a control system or compromise its data. Tony Sacks reports on the phenomenal, and worrying, rise of “ransomware”.
The potential danger to industrial control systems posed by malware is well-known. But the main threats have usually been regarded as being some form of industrial sabotage or, as in the case of Stuxnet, a weapon for nation-states to disrupt or infiltrate the technological infrastructure of countries with which they disagree.
Now a new threat is emerging that could be far larger and could target any organisation that uses industrial controls. The people behind this threat are criminals, and their motivation is extortion.
For several years, this new form of cyber-threat has been growing at an alarming rate – but so far it has been aimed mainly at commercial IT installations. Hackers infiltrate these systems and hold their operators to ransom: if they do not pay up, the criminals threaten to release sensitive data, to prevent access to the system, or to corrupt it. The targets for this “ransomware” have included not only commercial businesses, but also hospitals which have been threatened with sensitive patient information being made public.
The statistics for ransomware are mind-boggling. The cyber-security analyst SonicWall, for example, reports that during 2015 it detected 3.8 million ransomware attacks. By last year, the number had shot up to 638 million. “The meteoric rise of ransomware in 2016 is unlike anything we’ve seen in recent years,” the analyst says in its recently published 2017 Annual Threat Report.
“By the end of the first quarter [of 2016], $209m in ransom had been paid by companies, and by mid-2016, almost half of organisations reported being targeted by a ransomware attack in the prior 12 months,” the report adds.
The analysis also suggests that UK companies are three times more likely to be attacked than those in the US, although the US suffered the biggest number of ransomware attacks during 2016.
SonicWall attributes the mushrooming of ransomware to a combination of factors including: the availability of low-cost malware that can be used to secure ransoms without the perpetrator needing to be a skilled programmer; the ability for perpetrators to demand that ransoms be paid in untraceable Bitcoins; and the low risk of getting caught or being prosecuted.
One reason that ransomware has had a relatively low profile to date is that many victims are unwilling to admit that they have been targeted in this way. But details of some attacks have emerged.
For example, the San Francisco Municipal Transit Authority had to open its fare gates in November after a ransomware attack disabled its payment and email systems, and 100 bitcoins (about $73,000) was demanded to restore the systems. Also last year, a Los Angeles hospital paid out $17,000 in bitcoins to regain access to its data which was being held “hostage”.
According to a recent IBM report, seven out of ten US businesses that have been infected by ransomware have paid out to remove the threat, with most paying more than $10,000.
Although it is widely believed that ransomware attacks have been targeted mainly at the commercial sector, SonicWall’s figures suggest that 15% of these attacks are targeting the mechanical and industrial engineering sector, with a further 13% targeting the pharmaceuticals sector.
Some experts suggest that the number of attacks on industrial control systems could rise as the commercial sector protects itself better against ransomware.
Many industrial control systems lack strong security, points out Professor Raheem Beyah, from the Georgia Institute of Technology’s School of Electrical and Computer Engineering in the US. “That’s likely because these systems haven’t been targeted by ransomware so far, and because their vulnerabilities may not be well understood by their operators.”
“We are expecting ransomware to go one step farther, beyond the customer data to compromise the control systems themselves,” warns David Formby, a PhD student at the School. “That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the PLCs in these systems is a next logical step for these attackers.”
The two US researchers have demonstrated recently how such an attack could take place. They have shown how attackers could take control of PLCs in a water plant to shut down valves, increase the amount of chlorine added to water in the plant, and display false readings. The attackers could then demand payments to end the sabotage.
Beyah and Formby used a special search program to locate 1,400 PLCs of one type that were accessible directly via the Internet. Such devices usually do offer some form of protection – until they are compromised. Once attackers get into a company’s business system, they can enter its control systems, if they are not properly protected.
“Many control systems assume that, once you have access to the network, you are authorised to make changes to the control systems,” says Formby. “They may have very weak password and security policies that could let intruders take control of pumps, valves and other key components of the industrial control system.
“There are common misconceptions about what is connected to the Internet,” he adds. “Operators may believe their systems are air-gapped and that there’s no way to access the controllers, but these systems are often connected in some way.” For example, they may include access points for maintenance, troubleshooting and updates.
The American researchers obtained three PLCs and tested their security, including password protection and susceptibility to settings changes. They then combined the PLCs with pumps, tubes and tanks to create a simulated water treatment plant. Instead of the chlorine normally used to disinfect water, they used iodine. They also added starch to their water supply, which turned bright blue when a simulated attack added iodine to it.
“We were able to simulate a hacker who had gained access to this part of the system and is holding it hostage by threatening to dump large amounts of chlorine into the water unless the operator pays a ransom,” Formby explains. “In the right amount, chlorine disinfects the water and makes it safe to drink. But too much chlorine would make the water unsafe.”
As other ransomware targets become more difficult, Beyah suspects that attackers may turn to easier targets in industrial control systems.
“It’s quite likely that nation-state operators are already familiar with this and have attacks that they could use for political purposes, but ordinary attackers have had no interest in these systems,” he remarks. “What we hope to do is bring attention to this issue. If we can successfully attack these control systems, then others with a bad intention can also do it.”
As well as improving password security and limiting connections to the Internet, Beyah says that PLC users need to install intrusion monitoring systems to alert them if attackers are in their control networks. Beyah and Formby have formed a company to make their strategies for protecting systems available to control system operators.
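As an added illustration of the intrusion-monitoring point above (example code, not from the article or from Beyah and Formby’s company), the following monitor flags control writes that come from hosts outside an approved set of engineering workstations and setpoint writes that push a dosing value outside a safe band; the log format, host addresses, tag names and limits are all assumptions.

```python
"""Added example (not from the article): a minimal monitor for a PLC
control network. It raises alerts for the two conditions the article
describes: (1) write/control commands from hosts that are not approved
engineering workstations, and (2) setpoint writes that push a dosing
value outside its safe operating band. Log format, host addresses,
tag names and limits are all constructed assumptions."""
from dataclasses import dataclass
from typing import List

# Assumption: only these hosts may write to PLCs (engineering workstations).
APPROVED_WRITERS = {"10.0.5.10", "10.0.5.11"}
# Assumption: safe band for the chlorine dosing setpoint, in mg/L.
SAFE_BANDS = {"chlorine_dose_setpoint": (0.2, 4.0)}


@dataclass
class Alert:
    line_no: int
    reason: str


def parse_line(line: str) -> dict:
    # Constructed format: "<timestamp> src=IP op=READ|WRITE tag=NAME value=FLOAT"
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, val = field.partition("=")
        rec[key] = val
    rec["value"] = float(rec.get("value", "nan"))
    return rec


def check_logs(lines: List[str]) -> List[Alert]:
    """Return one Alert per policy violation found in the log lines."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec.get("op") != "WRITE":
            continue  # reads are not control actions; only writes are checked
        if rec["src"] not in APPROVED_WRITERS:
            alerts.append(Alert(n, f"write from unapproved host {rec['src']}"))
        band = SAFE_BANDS.get(rec["tag"])
        if band and not band[0] <= rec["value"] <= band[1]:
            alerts.append(Alert(n, f"{rec['tag']}={rec['value']} outside safe band {band}"))
    return alerts


SAMPLE_LOG = [  # constructed sample traffic, not real data
    "2017-03-01T10:00:00 src=10.0.5.10 op=READ tag=chlorine_dose_setpoint value=1.5",
    "2017-03-01T10:00:05 src=10.0.5.10 op=WRITE tag=chlorine_dose_setpoint value=1.8",
    "2017-03-01T10:01:00 src=198.51.100.23 op=WRITE tag=chlorine_dose_setpoint value=25.0",
    "2017-03-01T10:01:30 src=10.0.5.11 op=WRITE tag=outlet_valve value=0",
]

if __name__ == "__main__":
    for alert in check_logs(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.reason}")
```

Only the third sample line trips the monitor, and it does so twice: the source is not an approved workstation and the requested dose is far above the safe band.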
If it is not tackled effectively, ransomware has the potential to be hugely disruptive to the world of industrial controls, and to the companies and organisations that use them.
Building security into the heart of industrial controls
Many industrial components in service today have their origins in a more innocent age before the arrival of cyber-criminals. Their defences are often minimal or non-existent.
In recent years, equipment suppliers have beefed up their cyber-security but there are often still chinks in their armour. According to the Russian cyber-security specialist, Kaspersky Lab, the only way to guarantee immunity from attacks is to base your equipment on an operating system that is designed from the outset to be secure.
Kaspersky has spent the past 14 years developing such a system which it is now launching commercially. Called KasperskyOS, the system has been built from scratch and is designed to almost eliminate the risk of undocumented functions, thus thwarting the threat of cyber-attacks.
The secure-by-design operating system, based on a newly-developed microkernel, is aimed at embedded systems and IoT (Internet of Things) devices with strict cyber-security requirements. Kaspersky is aiming the system at OEMs, systems integrators and software developers.
“We knew from the very beginning that designing our own operating system would be a huge undertaking – a project that would require vast resources for many years before it could be commercialised,” recalls Kaspersky Lab’s chairman and CEO, Eugene Kaspersky. “Today we see clear demand for strengthened security in critical infrastructure, telecoms and the finance industry, as well as in both consumer and industrial IoT devices.”
Kaspersky stresses that the new OS is unlike conventional systems such as Windows and Linux where compatibility and universality are vital requirements. “When it comes to our target audiences – hardware developers, Scada systems, IoT and so on – this approach is no-go: what matters here is security.
“In simple words, it’s a system that does what it’s instructed, and is unable to do anything else,” he continues. “With traditional operating systems, that’s impossible.”
Although there have been other attempts to create secure operating systems, they have either been extremely expensive or academic exercises. “No project has ever reached the stage of full-scale deployment or commercialisation,” Kaspersky argues.
“With some applications, even the smallest risk of a cyber-attack is a disaster,” he points out. “When security has to be guaranteed, we have to build something new. Something that is secure by design.”
The OS has already been implemented in several products, including:
• a specialised PLC from the German firm, BE.Services;
• a secure network router from the Russian manufacturer, Kraftway; and
• strengthened security for Sysgo’s PikeOS real-time operating system (using a version of KasperskyOS, called Kaspersky Security System, which enhances the security of conventional operating systems).
Kaspersky Lab admits that it cannot guarantee complete immunity from cyber-attacks. “There is no such thing as 100% security,” concedes Andrey Nikishin, its head of future technologies business development, “but KasperskyOS guarantees our customers the first 99%.” He points out that any attempts to inject a malicious payload will not be executed. “KasperskyOS is therefore immune from the typical cyber-threat agenda of today.”
For further information please visit: https://os.kaspersky.com