Is critical infrastructure prepared for OT ransomware?
As extortion tactics evolve, operational shutdowns are the next step
Feature The Colonial Pipeline ransomware infection has become a cautionary tale about how borking critical infrastructure can cause real-world pain, with fuel shortages leading to long lines and fistfights breaking out at gas stations.
Or as Jen Easterly, boss of Uncle Sam's Cybersecurity and Infrastructure Security Agency, warned Congress on Wednesday: "Societal panic and chaos." She and other security and law enforcement chiefs hammered home a reality in which nation-states operating against American infrastructure could cause physical havoc and destruction – particularly in the field of industrial operational technology systems.
The Colonial Pipeline ransomware attack hit the oil distributor's back-end IT systems. To date, ransomware infections at fuel and internet providers, banks, hospitals and other critical sectors that keep life running have likewise hit only business (IT) networks, not the operational technology itself.
Some security analysts worry that ransomware designed to shut down operational technology systems and processes – such as those used in power plants, water treatment facilities, and manufacturing plants – is the next big thing. Fortunately, there's still plenty of money to be made from traditional ransomware infections, and infosec experts say this should keep the criminals busy – at least for the time being.
"Dragos assesses with low confidence that ransomware groups may increasingly develop and deploy ransomware specifically designed to disrupt operational technology (OT) processes," the OT security shop warned in its most recent quarterly ransomware analysis.
"Such disruptions would not only affect operational capabilities but also compromise safety, thereby increasing the urgency and potentially compelling victims to meet ransom demands more readily," the report noted.
Dragos regularly responds to ransomware infections in industrial environments, and this assessment, albeit one made with "low confidence," stems from criminals' increasingly vile extortion tactics, which are designed to increase the pressure on victim organizations to pay, according to Abdulrahman Alamri, a senior adversary hunter at Dragos.
"Look at the methods of extortion, the way they create a significant impact on the victims," he told The Register. "It's been increasing for the last two years, especially for industrial organizations."
Plus, he added, as governments step up their efforts to dismantle ransomware gangs and prosecute their members, the criminal groups adopt new techniques to increase pressure on victims to pay up.
EKANS ransomware
"We have seen in the past groups that added to their arsenal the ability to kill OT processes," Alamri observed.
The code he was referring to is EKANS, a ransomware variant whose capabilities include forcibly terminating some industrial control system (ICS) processes from a built-in kill list before it encrypts files.
"While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," the security shop warned in 2020.
Alamri explained that it hasn't yet been deployed in a cyber attack, but the capabilities for serious mischief do exist.
"Extortion has gone beyond financial loss to safety," he warned. "We have seen ransomware groups announce their alignment with different regimes. Imagine what would happen if this was used as a weapon."
The threat isn't only coming from nation-state attackers, however. While a destructive attack by Russia or China that shut down the energy grid or water facilities would likely be considered an act of war, criminal gangs could give adversarial governments plausible deniability.
Once financially motivated crews like LockBit or BlackCat/ALPHV can buy these capabilities, Dragos CEO Robert Lee expects to see OT-specific ransomware become much more commonplace.
"Criminal actors no longer needed to develop their own capabilities, malicious software vulnerabilities, etc.," Lee explained. "They literally buy off-the-shelf tools that are commonly used, and then just worry about operating them."
Like traditional ransomware on steroids
This hasn't happened yet, according to CISA.
"You could draw parallels with PLCs being taken down," CISA Industrial Control Systems cybersecurity lead Matt Rogers told The Register.
Last December CISA, along with the FBI, the National Security Agency and other law enforcement agencies, warned that Iran-linked cyber thugs had exploited Israeli-made programmable logic controllers (PLCs) used in "multiple" water systems and other operational technology environments at facilities across the US.
"Was it ransomware? No. The device was effectively reflashed and all the code was stripped off of it," Rogers explained, noting that these incidents did produce a similar impact on the OT systems – although with an easier recovery for defenders.
"The ransomware business model is buying and sharing tools," he added. "Developing abilities that specifically infect OT systems cost money, and they are already making money hand over fist, so why bother?"
Of course, shutting down industrial controls would be "very bad" and prompt a "much more voracious" response from law enforcement, according to Rogers. "If you can't handle the traditional IT ransomware, you're certainly not going to be able to handle OT ransomware recovery," he said.
OT configurations, as well as backup and recovery for these systems and processes, are more complex than in standard business IT environments. Much of the time, critical infrastructure owners and operators contract directly with the OT and ICS vendors to handle updates and operations.
CISA recommends industrial orgs follow best practices and employ the prevention measures used against traditional ransomware. But there is also OT-specific advice, like backing up OT configurations and ladder logic, Rogers noted.
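Backing up controller configurations and ladder logic only helps with recovery if the backups themselves can be trusted after an incident: a reflashed PLC or a ransomware crew that also encrypts or tampers with the backup share leaves the operator restoring from something it cannot vouch for. The script below is an added example, not CISA's or any PLC vendor's tooling. It assumes an engineering workstation exports each controller's project (ladder logic, I/O and network configuration) to files in a backup directory; it hashes every export into a manifest, signs the manifest with a key that is assumed to be held offline, and later reports modified, missing and unexpected files or a tampered manifest. The file names and contents are constructed placeholders, not real PLC project files.

```python
"""Baseline and verify exported PLC configuration / ladder-logic backups.

Added example. SAMPLE_EXPORTS, the directory layout and the HMAC key are
assumptions for illustration; real exports come from the vendor's engineering
software, and the key belongs on removable media off the OT network.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed sample exports (placeholders, not genuine PLC project content).
SAMPLE_EXPORTS = {
    "pump-station-1/plc01_ladder.xml": b"<project><rung id='1'>PUMP_START = LEVEL_LOW AND NOT FAULT</rung></project>",
    "pump-station-1/plc01_io_config.csv": b"slot,module,tag\n1,DI16,LEVEL_LOW\n2,DO8,PUMP_START\n",
    "pump-station-1/hmi01_project.bin": bytes(range(64)),
}


def sha256_file(path: Path) -> str:
    """Stream-hash one file so large HMI project archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(backup_dir: Path) -> dict:
    """Hash every file under backup_dir, keyed by POSIX-style relative path."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form so a manifest edited on the same host is caught."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(backup_dir: Path, manifest: dict, tag: str, key: bytes) -> dict:
    """Check the manifest signature first, then diff current contents against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return {"ok": False, "reason": "manifest signature mismatch",
                "modified": [], "missing": [], "unexpected": []}
    current = snapshot(backup_dir)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    ok = not (modified or missing or unexpected)
    return {"ok": ok, "reason": "matches baseline" if ok else "contents differ from baseline",
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Build a constructed backup set, baseline it, then simulate tampering and re-verify."""
    key = b"assumed-offline-key-on-removable-media"  # assumption: never stored on the OT network
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_EXPORTS.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        golden = snapshot(root)
        tag = sign_manifest(golden, key)
        clean = verify(root, golden, tag, key)

        # Simulated incident: one ladder-logic export silently altered, one export
        # deleted, and a stray file dropped into the backup share.
        (root / "pump-station-1/plc01_ladder.xml").write_bytes(b"<project><rung id='1'>PUMP_START = 0</rung></project>")
        (root / "pump-station-1/plc01_io_config.csv").unlink()
        (root / "README_FOR_DECRYPT.txt").write_bytes(b"constructed ransom note placeholder")
        dirty = verify(root, golden, tag, key)

        # A manifest whose signature no longer matches must be rejected before it is trusted.
        forged = verify(root, golden, "0" * 64, key)
    return {"clean": clean, "dirty": dirty, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result, indent=2))
```

The manifest and its tag are small enough to print and keep on paper or a write-once medium with the spare hardware, which is what makes them useful on the day the backup share itself is encrypted.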
"Organizations need to be a lot better about actually being able to recover from an attack," Rogers observed. "That's like the biggest deal with ransomware right now. It's true for IT. It's certainly true for OT, and then the impact of critical infrastructure going down just as far, far worse."
It typically takes victim companies at least five months to recover from an infection, he reported. "That's not going to be acceptable for critical infrastructure."
200 percent increase in attempts against utilities
OT and IoT security firm Armis, in its 2023 attack landscape analysis, reported a 104 percent year-over-year increase in attempted intrusions across the board, while utility-specific attempts over this same time period grew by 200 percent.
This increase represents attack attempts targeting any physical and virtual assets within utilities' environments – including IT, IoT, OT, ICS, building management systems and others, Carlos Buenaño, Armis CTO of OT, explained.
Buenaño experienced this firsthand while working for an energy biz. "In a window of five minutes, I could actually see our demilitarized zone trying to be accessed, and using brute force to get into the OT environment," he told The Register.
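Spotting the kind of activity Buenaño describes does not require an OT-specific product: a sliding window over the DMZ's authentication logs is enough to raise an alarm on a source that keeps failing, and, more importantly, on a source that finally succeeds after a run of failures, which is what a guessed default password looks like. The code below is an added example, not Armis's or any vendor's tooling, and the sshd-style log lines, host name, user names and IP addresses in it are constructed.

```python
"""Sliding-window brute-force detection over DMZ authentication logs.

Added example. The syslog/sshd line format is assumed; the sample log is
constructed to show one attacker (198.51.100.23) hammering a hypothetical
OT DMZ jump host and eventually guessing a password, beside one legitimate
key-based login from 203.0.113.7.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2024-02-01T10:00:01Z dmz-jump sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
2024-02-01T10:00:03Z dmz-jump sshd[1202]: Failed password for invalid user operator from 198.51.100.23 port 51023 ssh2
2024-02-01T10:00:05Z dmz-jump sshd[1203]: Failed password for root from 198.51.100.23 port 51024 ssh2
2024-02-01T10:00:09Z dmz-jump sshd[1204]: Accepted publickey for eng01 from 203.0.113.7 port 44100 ssh2
2024-02-01T10:00:12Z dmz-jump sshd[1205]: Failed password for invalid user scada from 198.51.100.23 port 51025 ssh2
2024-02-01T10:00:15Z dmz-jump sshd[1206]: Failed password for hmi from 198.51.100.23 port 51026 ssh2
2024-02-01T10:00:20Z dmz-jump sshd[1207]: Accepted password for hmi from 198.51.100.23 port 51027 ssh2
2024-02-01T10:30:00Z dmz-jump sshd[1300]: Failed password for eng01 from 203.0.113.7 port 44101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})"
)


def parse_events(text: str):
    """Yield (timestamp, source_ip, user, succeeded) for lines in the assumed sshd format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog noise is ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["user"], m["result"] == "Accepted"


def detect_bruteforce(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts in log order.

    'bruteforce': a source reached `threshold` failures inside `window` (one alert per source).
    'success_after_failures': a source logged in while it still had failures inside the window,
    which is the signal that matters most, since it means a credential was probably guessed.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of failures still inside the window
    already_flagged = set()
    alerts = []
    for ts, src, user, succeeded in parse_events(text):
        failures = recent[src]
        while failures and ts - failures[0] > window:
            failures.popleft()  # expire failures older than the window
        if succeeded:
            if failures:
                alerts.append({"type": "success_after_failures", "src": src, "user": user,
                               "failures": len(failures), "at": ts})
            continue
        failures.append(ts)
        if len(failures) >= threshold and src not in already_flagged:
            already_flagged.add(src)
            alerts.append({"type": "bruteforce", "src": src, "failures": len(failures),
                           "first": failures[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises a brute-force alert for 198.51.100.23 at the fifth failure and then a success-after-failures alert when the same address logs in as "hmi"; the legitimate key-based login and the single later failure from 203.0.113.7 stay quiet. Tune the threshold to the jump host's real failure rate, and treat the second alert type as the one that pages someone.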
Armis identified engineering workstations, SCADA servers and PLCs as the riskiest OT and ICS devices outside of the healthcare industry. The 12-month analysis named engineering workstations as the year's most targeted OT device.
"The fact is: we need to be prepared, because just the fact that we haven't seen successful ransomware attacks against OT doesn't mean that they haven't been attempted," he warned.
However, securing OT presents its own unique challenges. These environments can't be taken down for frequent maintenance, which means that vulnerabilities remain exposed for extended periods between scheduled outages.
"The attackers know the vulnerabilities, they know that these devices are critical and very, very difficult to protect for so many reasons," Buenaño explained. "They are designed to continue running and finding that shutdown window to remediate, update firmware or even replace them when they are end-of-life can be very complex and require a lot of scheduling and strategy."
There's also the issue of OT devices being exposed to the internet. Armis found over the last year that about 80 percent of engineering workstations and 60 percent of SCADA servers had internet access – increasing organizations' attack surface and risk.
Not-so-secure by design
Plus, many industrial control devices ship with default passwords that operators never change, and some don't even support multifactor authentication.
All of these issues came into play in the case of the Iranian crew breaking into US-based water facilities. They likely broke in by using default passwords for internet-accessible PLCs. And in at least one case, the cyber attack forced a Pennsylvania water authority to switch a pumping station to manual control.
The solution, according to Ilan Barda, founder and CEO of OT cyber security company Radiflow, relies on a two-pronged approach.
"In some places the solution will be in resiliency, meaning the ability to replace the devices," Barda told The Register. This could mean a hot standby, where a second unit runs in parallel and takes over immediately, or a cold standby, where a spare is powered up only if the primary fails.
"This needs to be done based on analysis of the importance of the devices and the impact of having them shut down," he explained.
In addition to resiliency, there's also the need to protect the devices themselves better, and ensure authentication and access controls are all enabled, Barda added.
"Currently the level of security is usually a very simple username and password – if at all," he said. "They are not using, in most cases, multifactor authentication. And in many cases you also have the same access being used for the vendor as well as for some third-party maintenance."
Availability versus security
Limited access and stricter authentication methods aren't frequently used "because it's much easier to work without those," Barda lamented. "The concern is that if you put too many of these security measures in place, it might actually interfere with your operations."
And therein lies the rub: critical infrastructure is all about uptime and availability – and security, fairly or not, is seen as the enemy of availability.
"A lot of these organizations are still prioritizing availability over actual cyber security," explained Andy Thompson, an offensive cyber security research evangelist at CyberArk. "So even though there may be free and available guidance, they're not adhering to it, because it has potential availability ramifications if done incorrectly."
Plus, there's a massive budget and skills gap between critical infrastructure sectors, and between organizations within the same sector.
"Critical infrastructure of water treatment varies from very large metropolitan organizations, all the way down to small municipalities," Thompson told The Register.
"Smaller municipal water treatment facilities, due to so many things like limited budgets, outdated infrastructure, limited expertise within these organizations, are target-rich, resource-poor organizations that make for fantastic targets of opportunistic ransomware attackers."
Thompson pointed to CISA's resources for securing water systems – these are also available for other critical infrastructure sectors in the US – and noted many of the government recommendations come down to basic security hygiene.
This includes using strong, unique passwords and turning on multifactor authentication where possible, as well as segmenting the network and air-gapping critical systems.
"If this is critical infrastructure, protect it like it's critical infrastructure," he declared. "This is a standard operating procedure in IT environments, and it should be extended into OT as well." ®