ICS environments are the control systems found in industries such as manufacturing, oil and gas, and electric power generation. ICS security is concerned with protecting these control systems, including the hardware and software used to monitor, analyze, and control their safe operation. It is a common misconception that security threats to IT systems (such as ransomware) cannot affect these control systems. However, ransomware attacks on ICS environments over the past few years (Ryuk, Lockbit, Revil, and others) have shown that control systems also fall victim to these IT security threats.
Ransomware is malware that makes the victim organization’s critical data inaccessible by encrypting it. The attackers generally threaten to make that data public if the victim does not pay the ransom they demand. Claroty’s “Global State of Industrial Cybersecurity” report found that about 80% of survey respondents admitted that their organization had experienced a ransomware attack in the past year, and about 47% said these attacks mainly impacted their ICS/OT systems.
Ransomware attack trends in past years
Many industries have been hit by serious ransomware attacks in the past few years. A few case studies follow:
May 2021 – WSSC Water Attack
On May 24, 2021, the US-based water company WSSC Water was hit by a ransomware attack. The attackers gained access to the company’s internal files and encrypted that data. WSSC’s primary services are water filtration and wastewater treatment. The attacker attempted to raise the level of sodium hydroxide in the water, which, if successful, could have harmed public health. However, the attackers failed to affect water quality because an operator immediately noticed the change and returned the chemical level to its normal setting.
According to reports, the company removed the malware a few hours after discovering the attack and restored the encrypted data from backups. The incident had no lasting impact on the company; however, the threat was immense. Had the attackers compromised the control systems, their actions could have affected the health of the company’s roughly 1.8 million customers.
June 2021 – JBS Foods Attack
JBS SA is a Brazil-based meat processing company that became a victim of a ransomware attack. The attack disabled the company’s beef and pork slaughterhouses in various parts of the world, specifically the US, Canada, and Australia. In June 2021, the company revealed that it had paid a ransom of 11 million US dollars to the attackers. The attack was carried out by the Revil ransomware group and successfully disrupted the normal operation of the control systems.
May 2021 – Colonial Pipeline Attack
The largest oil pipeline in the US, Colonial Pipeline, became a victim of a ransomware attack by a group named Darkside in May 2021. The attack affected the pipeline’s computer systems, forcing the company to shut down the pipeline for several days. Attackers gained access to the Colonial Pipeline network through an exposed VPN password, stole large amounts of data, and later threatened to leak it on the internet. They demanded a ransom of 4.4 million dollars to release the data. As a consequence of the attack, the company took all of its OT systems offline for several days, leading to massive gas shortages and higher gas and oil prices at the pumps. It was also suspected that an unpatched vulnerability might have led a company employee to hand the access credentials to the attackers.
January 2021 – WestRock Attack
In January 2021, the second-largest paper and packaging company, WestRock, was hit by a ransomware attack that brought down the company’s production plants in various places around the world. The attack impacted the company’s core control systems and slowed their operation. WestRock serves large customers such as Home Depot and Heinz. To recover from the attack, the company paid 20 million dollars to the attackers.
Challenges to address
Ransomware targets availability risks
The major challenge that ICS/SCADA environments face is that ransomware attacks exploit the fact that these systems must remain available. Because availability is paramount, ICS companies cannot afford downtime, and so they find it easier to pay the ransom in the expectation that they will regain access to their files immediately. This pattern of paying the ransom to keep operations running has been seen in many cases, including the recent attacks described above.
Legacy systems and unpatched assets
Since these systems are designed to run uninterrupted for months or even years, companies often end up with legacy systems that are not updated during these long periods of operation. Consequently, these systems carry many unpatched vulnerabilities, which make them an easy target for these attacks.
Improper security parameters
Most organizations deploy flat networks to accommodate interoperability and ease of communication between devices. This makes it easier for attackers to breach the network at scale. For example, ransomware such as WannaCry or Revil can disrupt an entire facility when network segmentation is lacking.
No separation between IT and OT user management
Many organizations share the same credentials across their IT and OT systems. This is a primary enabler of privilege escalation and lateral movement across the network. According to Security Brief, about 44% of organizations had shared credentials between their IT and OT systems.
How do companies respond to the attack?
Detecting and monitoring the network
The primary defensive measure against these attacks is network monitoring and detection. Companies use various detection techniques to spot abnormal behavior in the network, such as inconsistent changes in internal network activity, unusual API requests, anomalous outputs from ICS sensors and other machinery, and discrepancies between the observed behavior of control systems and their logs. Because some attacks are difficult to discover, companies also run ad hoc analytics on the most exposed devices and monitor their outputs. Insider threats are addressed in the same way, by monitoring user activity logs, which also supports overall monitoring of the network in the event of an attack.
Enforcing security standards
Companies enforce industry security standards such as ISO/IEC and NIST to manage risk cost-effectively, and they ensure that the systems in place comply with these standards. Additionally, for endpoint security, they ensure that proper IT protection mechanisms are in place. These may include malware protection, IDS/IPS systems, properly configured firewalls, and encryption of internal files.
There are a few more security mechanisms that organizations enforce, such as:
- Ensuring the principle of least privilege
- Limiting access to the internet for the systems which do not require it
- Conducting regular security tests to determine the safety of these ICS devices
- Looking for misconfigured security settings (such as default passwords, encryption settings, etc.)
- Patching and updating systems at regular intervals
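Several of the controls in this list, together with the shared IT/OT credential problem raised earlier, can be checked offline against an asset and account inventory. The following is an added example written for this article, not code from the original or from any product; the inventory, the account list, the reference date, the 90-day patch threshold, the default-password list and the "privileged role" policy are all constructed, and the unsalted SHA-256 hashes stand in for whatever form of credential material a real inventory would hold.

```python
"""Offline audit of a constructed OT asset and account inventory.

Added example, not from the original article. Every asset, account, hash,
date and policy threshold below is constructed for illustration.
"""
import hashlib
from datetime import date

TODAY = date(2022, 6, 1)          # constructed reference date, keeps the run deterministic
MAX_PATCH_AGE_DAYS = 90           # constructed patch-age policy
PRIVILEGED_OT_ROLES = {"plc_engineer", "hmi_admin"}   # constructed least-privilege policy


def pw_hash(pw: str) -> str:
    # Constructed: unsalted SHA-256 stands in for the inventory's credential material
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed list of vendor default passwords the inventory is checked against
DEFAULT_PASSWORD_HASHES = {pw_hash(p) for p in ("admin", "password", "1234")}

# Constructed OT asset inventory
ASSETS = [
    {"name": "PLC-01", "zone": "OT", "last_patched": date(2021, 1, 10),
     "internet_egress": False, "needs_internet": False, "local_admin_hash": pw_hash("admin")},
    {"name": "HMI-01", "zone": "OT", "last_patched": date(2022, 5, 20),
     "internet_egress": True, "needs_internet": False, "local_admin_hash": pw_hash("Zq8!vb-long-unique")},
    {"name": "HIST-01", "zone": "DMZ", "last_patched": date(2022, 4, 1),
     "internet_egress": True, "needs_internet": True, "local_admin_hash": pw_hash("another-unique-one")},
]

# Constructed accounts across the IT and OT domains
ACCOUNTS = [
    {"domain": "IT", "user": "svc_backup", "hash": pw_hash("Backup2021!"), "roles": {"backup_operator"}},
    {"domain": "OT", "user": "svc_backup", "hash": pw_hash("Backup2021!"), "roles": {"plc_engineer", "hmi_admin"}},
    {"domain": "OT", "user": "op_jane", "hash": pw_hash("unique-op-pass"), "roles": {"hmi_operator"}},
]


def audit_assets(assets, today=TODAY):
    """Return (asset, rule, detail) findings for patch age, egress and default credentials."""
    findings = []
    for a in assets:
        age = (today - a["last_patched"]).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((a["name"], "unpatched", f"{age} days since last patch"))
        if a["internet_egress"] and not a["needs_internet"]:
            findings.append((a["name"], "unneeded_internet", "egress allowed without business need"))
        if a["local_admin_hash"] in DEFAULT_PASSWORD_HASHES:
            findings.append((a["name"], "default_password", "local admin matches a vendor default"))
    return findings


def audit_accounts(accounts):
    """Return (user, rule, detail) findings for IT/OT credential reuse and excess OT privilege."""
    findings = []
    domains_by_hash = {}
    for acc in accounts:
        domains_by_hash.setdefault(acc["hash"], set()).add(acc["domain"])
    # Same credential present in both domains: one finding per credential, not per account
    for h, domains in domains_by_hash.items():
        if {"IT", "OT"} <= domains:
            users = sorted({acc["user"] for acc in accounts if acc["hash"] == h})
            findings.append((",".join(users), "shared_it_ot_credential", "same credential in IT and OT"))
    # Least privilege: an OT account should not hold more than one privileged role
    for acc in accounts:
        held = acc["roles"] & PRIVILEGED_OT_ROLES
        if acc["domain"] == "OT" and len(held) > 1:
            findings.append((acc["user"], "excess_privilege", f"holds {sorted(held)}"))
    return findings


if __name__ == "__main__":
    for subject, rule, detail in audit_assets(ASSETS) + audit_accounts(ACCOUNTS):
        print(f"{subject:<22} {rule:<24} {detail}")
```

Comparing credential hashes across domains only works when both sides store the same hash form; in practice the check is usually done by the identity platform rather than by exporting hashes, but the finding it produces (the same credential accepted in both IT and OT) is the one that matters for the 44% figure cited above.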
Business Continuity Planning (risk assessment)
Business continuity planning, that is, planning for recovery after an attack has happened, helps return the systems to normal operation. In this process, a risk assessment is first carried out from the perspective of how ransomware might impact the critical processes and systems in the facility. Next comes preparing to recover from those risks: keeping a backup of all critical data off-site at a secure location, building redundancies, and securely segmenting the networks are some of the proactive measures that can be taken. There must also be a system to notify clients in the event of an attack and to cater to their needs so that continuity is maintained.
Spear phishing awareness
Spear phishing is an email that purports to come from a legitimate source and is targeted at a specific department in the organization to steal confidential information. Raising employee awareness of spear phishing is vital for protecting critical information from attackers. Conducting workshops to train employees on spear phishing helps them respond proactively when such emails arrive.
Though most of us think of ransomware as an IT threat, ICS systems are not spared. These control systems are at greater risk because of their insecure designs once they are connected to the IT infrastructure. In addition, attackers focus on the availability of these systems with the intention of causing maximum pain to the company. With this strategy, attackers expect the company to be more willing and ready to pay the ransom so that they can collect the financial reward. With the cyber security space constantly changing as new attack vectors appear, organizations need to adapt, prepare, and act accordingly.