By Daniel Ehrenreich, SCCE, ICS-OT Cyber Security Expert
Industrial Control Systems/Operational Technology (ICS-OT) cyber security practitioners were traditionally educated to worry about the attack vectors directed against the organisation's IT zone. None can be blamed for that, because ransomware, distributed denial of service (DDoS), and the exposure of confidential information are all IT-directed attacks; the misunderstanding lies only in assuming that the same threat model carries over unchanged to the OT zone.
When I asked whether ICS-OT-directed ransomware at Purdue Levels 1 and 2 (the PLCs and the HMIs or control servers above them) is likely to happen, most respondents instantly thought of incidents like Colonial Pipeline, Norsk Hydro (the Norwegian aluminium producer), and JBS. After a few moments of thinking about the technical side of the encryption process, most replied, "yes, it can."
From a technology point of view, they were right. When I asked whether they would pay ten dollars for the decryption key to restore an encrypted HMI or PLC, knowing that professional attackers expect millions for such a key, all replied, "yes, for such an amount I would not hesitate." However, when I explained that most of the published incidents involving industrial operations were IT-directed ransomware attacks, they agreed to spend ten minutes listening.
This paper does not deal with attacks that manipulate the PLC or HMI programs or plant a logic time bomb in the system. It aims to explain why ICS-OT-directed ransomware in the classic sense, where the attacker sells the decryption key for money, is unlikely to happen.
IT-directed ransomware
Before turning to ICS-OT-directed incidents, I briefly explain IT-directed ransomware. We all know that it involves encrypting databases and programs, but not everyone knows that a ransomware attacker may demand payment in up to three phases (commonly called double and triple extortion).
When such an attack occurs, IT users see a red-screen message stating that the database has been encrypted and that they cannot run the business processes. Organisations that hold up-to-date backups of the data and a Golden Image of the systems may refuse to pay and restore operations from those.
Upon receiving that refusal, the attacker might reply, "I have exfiltrated all your data, including personal information, and if you do not pay, I will publish or sell it." Now the backups no longer settle the matter, and the organisation must negotiate.
When the attacker senses that payment will arrive soon, his appetite might grow, and he sends a new message: "I also hold information on all your customers and suppliers and their details. If you do not pay extra, I might attack them as well, and they will blame you."
From the above you can see that ransomware is a highly profitable business, and professional attackers expect high payments for two or all three of the demands explained above.
ICS-OT Directed attacks
Some people might assume that the above also applies to ICS-OT operations because, technically, the encryption process works in that zone as well. The technical part of that assumption is correct; the business part is not, and that needs elaboration.
Data stored in the ICS-OT zone is usually not confidential, except where the process itself is a trade secret (food recipes, pharmaceutical formulations, etc.). A smart attacker will therefore not invest in exfiltrating operational data from the ICS-OT zone, which removes the second and third extortion phases described above.
Once an attacker decides to penetrate the ICS-OT zone, he does so to manipulate the process, cause an outage, damage equipment, or endanger lives. He may get there through an internally or externally initiated cyber-attack or through the supply chain.
Furthermore, we often say that once an attacker has penetrated the ICS-OT zone the game is over, because within minutes he can harm the system, manipulating the database and/or the process and causing an outage, physical damage, or risk to lives.
Restoration of the ICS-OT zone
Technically, decrypting the ICS-OT database and the process files is possible, assuming the encryption was done correctly and the attacker delivered a working decryption key. However, for ICS-OT you cannot rely on that assumption: a working key proves only that the files decrypt, not that the attacker, who had write access to the zone, left the PLC logic, set-points, and HMI configuration untouched before encrypting them.
Consequently, no part of an ICS-OT system that an attacker encrypted for ransom can be assumed to operate safely after decryption. You may obtain the decryption key if you wish, but you cannot use it to restore a system that controls a safety-critical process.
These recommendations apply to safety-critical systems. If you deal with a simple process, such as counting packages in a warehouse or collecting readings from mechanical utility meters, you may try to restore the operation with the decryption key, provided you are confident that the restored system will still comply with the SRP (Safety, Reliability, Performance) Triad.
ICS-OT operations must be periodically evaluated against the SRP Triad. If you cannot be assured that the restored ICS-OT will operate safely, you must wipe the affected zone (PLCs, HMIs, control servers, etc.), reinstall every appliance from a stored Golden Image, copy the required operational data back from the historian server, and then perform in-depth testing of the rebuilt system. The Golden Image must have been stored outside the affected zone and verified before it is deployed, or it is worth no more than the encrypted files. Complete reinstallation is your only choice.
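The two points above, that a delivered key proves only that the files decrypt and not that they are unmodified, and that a trustworthy rebuild starts from a verified Golden Image, as an added example that is not part of the original article. Everything in it is constructed for illustration: the project file names and contents, the manifest, the historian export, and the stand-in cipher (SHA-256 in counter mode, standing in for whatever cipher a real ransomware family uses) are all assumptions, and real vendor project files are binaries rather than text, which changes nothing about the hash check.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a Golden Image of a small PLC/HMI project.
# File names and contents are invented for this example; real project
# files are vendor-specific binaries, but the hashing logic is the same.
GOLDEN_IMAGE = {
    "pump_station/logic.plc": (
        b"RUNG 1: IF PT-101 > MAX_PRESSURE THEN CLOSE XV-201\n"
        b"MAX_PRESSURE=120\n"
    ),
    "pump_station/hmi.cfg": b"screen=overview\nalarm.high_pressure=115\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Hash every file of a known-good image. Keep the manifest and the
    image outside the OT zone, or they get encrypted with everything else."""
    return {name: sha256_hex(content) for name, content in files.items()}


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ransomware cipher: SHA-256 in counter mode XORed
    over the data. Symmetric, so the same call decrypts. Not a secure
    design; it only keeps the example free of third-party libraries."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def attacker_encrypts(files: dict, key: bytes) -> dict:
    """An attacker with write access to the zone. Before encrypting, it
    silently raises the pressure set-point; the encryption hides the edit."""
    work = dict(files)
    work["pump_station/logic.plc"] = work["pump_station/logic.plc"].replace(
        b"MAX_PRESSURE=120", b"MAX_PRESSURE=300"
    )
    return {name: xor_stream(key, content) for name, content in work.items()}


def victim_decrypts(encrypted: dict, key: bytes) -> dict:
    return {name: xor_stream(key, content) for name, content in encrypted.items()}


def decrypts_cleanly(files: dict) -> bool:
    """The only thing a delivered key demonstrates: the bytes are readable again."""
    try:
        for content in files.values():
            content.decode("ascii")
    except UnicodeDecodeError:
        return False
    return True


def verify_against_manifest(files: dict, manifest: dict) -> list:
    """Names of files missing from, or differing from, the Golden Image.
    An empty list means every file matches the image byte for byte."""
    bad = []
    for name, expected in manifest.items():
        actual = files.get(name)
        if actual is None or not hmac.compare_digest(sha256_hex(actual), expected):
            bad.append(name)
    return sorted(bad)


def rebuild_zone(golden: dict, manifest: dict, historian_export: dict) -> dict:
    """The restoration path from the text: wipe, reinstall from the Golden
    Image, then copy operational data back from the historian. The image is
    verified before it is deployed, not after."""
    if verify_against_manifest(golden, manifest):
        raise RuntimeError("Golden Image fails its own manifest; do not deploy it")
    zone = dict(golden)
    for name, content in historian_export.items():
        zone["historian/" + name] = content
    return zone


def demo() -> dict:
    manifest = build_manifest(GOLDEN_IMAGE)          # taken before the incident
    key = os.urandom(32)                             # the key "sold" after payment
    decrypted = victim_decrypts(attacker_encrypts(GOLDEN_IMAGE, key), key)
    rebuilt = rebuild_zone(GOLDEN_IMAGE, manifest, {"pt101.csv": b"t,bar\n0,98\n"})
    return {
        "key_works": decrypts_cleanly(decrypted),                  # True: the key decrypts
        "tampered": verify_against_manifest(decrypted, manifest),  # but logic.plc differs
        "rebuilt_ok": verify_against_manifest(rebuilt, manifest) == [],
    }


if __name__ == "__main__":
    print(demo())
```

The decrypted project passes every check a decryption key can offer (it reads back as a valid file) and still fails the manifest, because the set-point was changed before encryption. Only the rebuild from the verified image yields a zone whose files are known to match the last good state; the historian export is copied in alongside it because operational data is not part of the image.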
Conclusions
Industrial operations must be prepared to ensure continuity of business operations as the architectures linking the IT and ICS-OT zones become increasingly interconnected (often negligently converged) and the amount of data communicated across the organisation grows. To achieve the desired cyber security goals, IT and OT experts must collaborate to select and deploy the right defence measures. The role of management at industrial and utility facilities is to allocate the needed resources and hire the staff required to stay at least one step ahead of attackers.