
New wave of ransomware could put utilities at risk

13 Sep 2017

The recent outbreak of WannaCry ransomware has affected more than 150 countries and crippled the National Health Service in the United States. Closer to home, more than 500 Singapore IP addresses were affected, and 15 or more cases were reported in Hong Kong. Compared to other parts of the world, Singapore and Hong Kong emerged relatively unscathed from the vicious WannaCry ransomware. However, the stakes for protecting against ransomware are about to get higher as malicious tools evolve to target Industrial Control Systems (ICS) and threaten critical infrastructure.

Researchers have demonstrated proof-of-concept ransomware attacks against programmable logic controllers (PLC) used in many operational environments, including utilities. Unlike attacks against corporate networks, which can result in expenses and revenue loss, ICS attacks could shut down critical operational systems, damage or destroy physical equipment and threaten human safety.

Ransomware economics

Ransomware so far has been a high-volume business, blocking access and encrypting files on corporate networks and even individual computers. Not everyone pays, but if the ransom is low enough, many do pay in order to save time or avoid the inconvenience of recovering files. Paying the ransom is not recommended by experts, nor is it a guarantee that files will be decrypted.

These targets provide a relatively low return for attackers, but the high volume of targets and the ease of exploiting them make it worthwhile. Hollywood Presbyterian Medical Center, for example, paid $17,000 last year to regain access to its network.

The cost of an attack can be far greater than the ransom. A small city-owned utility in Michigan suffered a ransomware attack in April 2016 that effectively shut down its e-mail and phone systems. The article indicates it cost about $2 million to clean up after the attack. The utility had “to recover control of its communications systems, identify digital vulnerabilities and apply security upgrades that would prevent or severely limit the impact of another ransomware attack.”

Although utilities and hospitals are potentially high-value victims, in both of these cases corporate and administrative resources were targeted. Such attacks are serious, but less so than if critical control systems for water treatment or patient care had been at stake. So far, most successful attacks on critical infrastructure have been carried out by nation states, such as the 2015 breach of the Ukraine power grid. These exploits against critical infrastructure have not involved ransomware.

Evolution of the ransomware business model

Researchers from the Georgia Institute of Technology demonstrated proof-of-concept ICS ransomware at the RSA 2017 Conference in February. As detailed in their paper, they attacked commercial PLCs in a simulated water treatment plant using the LogicLocker ransomware worm. This enabled the researchers to bypass weak authentication mechanisms, ultimately “locking legitimate users from easily recovering the PLC, and replacing the program with a logic bomb that begins to dangerously operate physical outputs threatening permanent damage and human harm if the ransom is not paid in time.” In the simulation, chlorine was dumped into the water supply.

Because of the premium on uptime in operational environments, PLCs often go for long periods without patching or fixing vulnerabilities. The researchers were able to find 1,846 vulnerable Internet-facing PLCs. “This only represents a small portion of the total potential attack surface,” they wrote, because attackers can easily target user devices on a corporate network and use compromised access to pivot to thousands more PLCs.

PLCs are attractive, high-value targets. The ransom in such a case would be commensurate with the risk. Such attacks, however, are sophisticated and require knowledge of the underlying physical process behind the control system. Such intel can be gained via reconnaissance, if an attacker breaches a network and remains undetected.

Maintaining control of an infrastructure

Traditional perimeter defenses such as antivirus are not enough to block ransomware. The Michigan utility cited above believed it was protected, only to discover that its antivirus did not detect the malicious code. Unlike traditional malware, ransomware typically does not need administrative privileges to execute and take data hostage. Instead, it exploits the basic read, write and edit permissions on files that nearly every employee in an organization needs. Making matters worse, once ransomware infects one machine on a network, it can easily spread through network drives or by stealing and reusing credentials on connected machines.

As we have reported, the most effective way to mitigate the risk of ransomware is to prevent unknown applications from gaining the read, write and edit permissions needed to encrypt files. This applies to ICS as well as to corporate networks. Proactive measures can be taken before a threat becomes reality. Implementing application whitelisting in top-hierarchy control computers such as Human-Machine Interfaces (HMIs) represents one of the most critical steps in securing an ICS network.
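Because ransomware needs only the file permissions an ordinary user or HMI application already holds, a defender cannot rely on privilege boundaries and has to look at behaviour and at which applications are allowed to run. The following is an added example, not code from the article or from CyberArk: it runs a burst-of-writes heuristic over constructed file-audit log lines (the log format, paths, process names and allowlist are all assumptions) and reports whether the offending process is on the application allowlist the article recommends for HMIs.

```python
# Added example: flag a process that writes or renames many distinct files in a
# short window, and note whether it is on the HMI application allowlist.
# The audit-log format below is hypothetical: "<epoch> <user> <process> <op> <path>".
from collections import defaultdict

WINDOW_SECONDS = 30        # sliding window for counting touched files
MIN_DISTINCT_FILES = 4     # distinct files in the window before alerting
ALLOWED_PROCESSES = {"hmi_runtime.exe"}  # assumed HMI allowlist

# Constructed sample log (not real data); "//plc-share" stands for a network share.
SAMPLE_LOG = """\
1505260800 hmi-op1 hmi_runtime.exe WRITE //plc-share/logs/run.log
1505260801 hmi-op1 updater.exe WRITE C:/Users/hmi-op1/report.docx
1505260801 hmi-op1 updater.exe RENAME C:/Users/hmi-op1/report.docx.locked
1505260802 hmi-op1 updater.exe WRITE //plc-share/recipes/batch1.cfg
1505260802 hmi-op1 updater.exe RENAME //plc-share/recipes/batch1.cfg.locked
1505260803 hmi-op1 updater.exe WRITE //plc-share/recipes/batch2.cfg
1505260803 hmi-op1 updater.exe RENAME //plc-share/recipes/batch2.cfg.locked
1505260804 hmi-op1 updater.exe WRITE //plc-share/recipes/batch3.cfg
1505260804 hmi-op1 updater.exe RENAME //plc-share/recipes/batch3.cfg.locked
1505260860 hmi-op1 hmi_runtime.exe WRITE //plc-share/logs/run.log
"""

def parse(log_text):
    """Turn log lines into (epoch, user, process, op, path) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, proc, op, path = line.split(maxsplit=4)
            events.append((int(ts), user, proc, op, path))
    return events

def detect(events, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_FILES):
    """Return one alert per (user, process) whose write/rename burst exceeds the threshold."""
    by_proc = defaultdict(list)
    for ts, user, proc, op, path in events:
        if op in ("WRITE", "RENAME"):          # RENAME records the destination path
            by_proc[(user, proc)].append((ts, path))
    alerts = []
    for (user, proc), evs in by_proc.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            touched = {p for t, p in evs[i:] if t - t0 <= window}
            if len(touched) >= threshold:
                alerts.append({"user": user, "process": proc, "files": len(touched),
                               "on_shares": sum(p.startswith("//") for p in touched),
                               "allowlisted": proc in ALLOWED_PROCESSES})
                break                          # one alert per process is enough
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The allowlisted flag is the actionable part: an HMI with application whitelisting in place would have blocked updater.exe before it wrote anything, whereas the burst heuristic only catches it after the first files are already encrypted.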

Article by Cynthia Lee, regional director, ASEAN, CyberArk.
