The Claroty Blog

The Threat of Ransomware on the Shop Floor - Fact or Fiction?

Steve Ward

Over the past few months there has been an increasing volume of discussion around the potential of ransomware attacks targeting critical infrastructure/industrial control networks. 

The thesis – which we agree with – goes something like this: 

“We need to recognize that nation-states are not the only threat actors that will be attracted to the industrial control networks that run the world and power our critical infrastructure. Criminals are smart and recognize that the critical nature of these networks makes them a prime target for extortion. We’re going to see them target ICS in the near future.”

The thesis is supported by a number of disclosures and news reports of ransomware being found on the shop floor. To date, the assessment is that this ransomware wasn’t targeted at the ICS networks but rather found its way there in a spill over or “collateral damage” fashion. 

Despite this, there have been a few well-publicized examples of proof-of-concept designs specifically targeting ICS. We’ll leave alone the one that caused a good deal of controversy recently and point you to the Georgia Tech PoC that was presented at RSA 2017. What we can logically assume is that if researchers wearing white hats with limited resources/funding can develop these proofs of concept, then well-funded, profit-mongering cyber criminals can’t be far behind. In fact – as we all know – oftentimes these “good guy” PoCs serve to give the bad guys some really good ideas.

Consider what Dale Peterson had to say on the issue on the back of S4x17: "Ransomware incidents are occurring in industrial control systems (ICS). We had two recent incidents from Brazil discussed at S4x17, and we have detailed reports from our contacts of many more. The details indicate it is standard, not tailored to ICS, ransomware for computers that has found its way into an ICS. Unfortunately, ICS are likely to see smarter ransomware and targeted attacks to get it onto ICS PLC’s, RTU’s and controllers."

Dale isn’t alone in his belief that bad stuff is coming. We've been saying for some time now that the threat landscape in ICS/OT is evolving from the "cyber Pearl Harbor" scenario everyone has always talked about (nation on nation/terrorist on nation) to one in which criminals will be engaged. Leave alone what Dale or Claroty think on the subject – your peers seem convinced that troubled waters are brewing as well. Consider a recent Tripwire study which found that 96 percent of IT Security professionals expect an increase in cyber attacks against the “Industrial Internet of Things” (a.k.a. ICS). It seems clear: we all see the writing on the wall.

Soooooo…if everyone is pretty much in agreement that criminals are coming, what should we do about it? Obviously, you have existing fires to fight on the IT side of the house. The priorities there are seemingly endless as the threats are already at the door.

Should you be making the case to rush new solutions and controls into production for your ICS environment NOW even though the threat hasn’t fully manifested? 

Is “HELL YES!” too strong of a response? 

We have to take the lessons learned from the failures in IT security over the past 10-15 years, learn from them and avoid repeating them in ICS. The stakes are far too high.

See, one could argue rather reasonably that the ‘cat and mouse’ or ‘whack-a-mole’ approach to IT security that we’ve relied upon for the past 10-20 years has been ‘effective enough.’ We’ve played a game with our adversaries wherein we see the early stages of trends in their attack methodologies and rush countermeasures to market. When we’ve done it well, we’ve been ahead of the bell curve and cut off major damage. When we’ve done it poorly, we’ve reacted far too late and responded after much bloodletting. When averaging things out – we’ve done ‘ok’…I suppose. To truly accept that conclusion, however, you’d have to be willing to accept that the billions in lost Intellectual Property, the tens of millions of stolen identities, the massive intelligence gains through campaigns like the one targeted at OPM weren’t that bad… 

But the stakes are so much bigger in ICS. In ICS, we aren’t talking about data theft, we’re not talking about micro-level impact where individuals, companies or certain Government agencies/agendas are impacted - we’re talking about a macro level issue related to the potential disruption of essential services that drive the global economy and support day to day life.

We cannot afford to rely on the same (sub)standard we used in IT Security over the past 10 years. We have to act ahead of the threat – we have to do something now.

What to do? 

There is a broad variety of steps to take…one that we advocate (admittedly a bit self-servingly BUT with greater good in mind) is immediately implementing the deepest possible monitoring capability for your ICS networks. Real-time monitoring and anomaly detection is a core security requirement in this space. If you can’t see what’s happening, you won’t know what’s coming until it is way too late.

We believe the threats are growing – and we believe ransomware is coming – we also believe we can help by delivering extreme visibility all the way down to Level 0 and detecting attacks at every level of the attack lifecycle. 

We should talk – but if you’re still not convinced of the growing threat, we at least encourage you to start talking about this with industry peers, watchdogs like ICS-CERT, groups like SANS ICS, et al. 

Until we connect...keep fighting the good fight – the one you’re in today, and the one that looms over the horizon.
