The Future of SCADA/ICS Ransomware

It’s in the PLCs, not the computers

Ransomware incidents are occurring in industrial control systems (ICS). We had two recent incidents from Brazil discussed at S4x17, and we have detailed reports from our contacts of many more. In every case the details indicate standard ransomware written for computers, not tailored to ICS, that found its way into an ICS network. Unfortunately, ICS are likely to see smarter ransomware, and targeted attacks that put it onto ICS PLCs, RTUs and controllers.

There are a number of reasons why PLCs will be targeted:

  1. The PLC is the device that monitors and controls the process. It communicates with the sensors and actuators. It sends the commands that turn things on and off, spin faster or slower, raise or lower the temperature, … With the increase in automation, many factories, power plants and other physical processes cannot be run manually at all. Even where the process can be run manually, doing so raises costs and lowers productivity, and it will erode public confidence if the ransomware attack becomes public.
  2. The vast majority of deployed PLCs are insecure by design. An attacker who can reach the PLC can change the logic or program and even upload his own firmware. No hack is necessary: these are legitimate functions of the PLC, and on most deployed PLCs they lack even the requirement for a username and password.
  3. Recovery from PLC ransomware is much more difficult and expensive than recovery from computer ransomware. Defeating ransomware on a computer comes down to having effective backups and an acceptable recovery time objective (RTO). Recovery from PLC ransomware will require replacing hardware. The simplest ransomware impact is to load bad firmware that also overwrites the firmware upload process, so that no legitimate image can be loaded afterwards. This “bricks” the PLC and requires replacement, or return to the factory, of the affected cards.

Developing an attack that modifies a process in a way that damages equipment, a la Stuxnet, is difficult and requires significant time and engineering and automation skills. Figuring out how to upload bad firmware requires no engineering or automation skills and takes a good hacker a couple of days. The bad firmware ransomware attack will also work wherever that PLC model is used; it is not specific to one plant’s implementation. And we already have a public example to inform the world: the serial-to-Ethernet gateways that were bricked with bad firmware in the December 2015 cyber attack on the Ukrainian power grid.

The good news is that the leading PLC and controller vendors, such as GE, Rockwell Automation, Schneider Electric and Siemens, have made significant strides in adding security to their PLCs: digitally signed code, secure algorithms, role based access control and more, enforced at the PLC itself rather than only at the perimeter. So owner/operators can make a risk based decision: move up the upgrade or replacement of their PLCs to mitigate the ICS ransomware risk, or continue to rely exclusively on security perimeters.
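To make the difference between an insecure-by-design loader and one that enforces digitally signed code concrete, here is an added example (not code from this post or from any of the vendors named above) of the check a PLC firmware loader would run before writing an image to flash. The image layout (a “FWIM” magic, a version, a length, the payload and a trailing Ed25519 signature), the field names and the sample payload are all constructed for this example and do not correspond to any real vendor format; the signature is made with Go’s standard-library `crypto/ed25519`. A legacy loader is the same function with the signature and version checks deleted, which is exactly why a couple of days of work suffices to brick it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout used only for this example (no real vendor format):
//
//   magic "FWIM" (4) | version uint32 BE (4) | payload length uint32 BE (4) | payload | Ed25519 signature (64)
//
// The signature covers the header and the payload, so changing any byte of either invalidates it.
var magic = []byte("FWIM")

const headerLen = 12
const sigLen = ed25519.SignatureSize

var (
	ErrBadImage     = errors.New("malformed firmware image")
	ErrBadSignature = errors.New("firmware signature does not verify under the vendor key")
	ErrDowngrade    = errors.New("firmware version is older than the installed version")
)

// BuildImage assembles and signs an image. This runs at the vendor with the private
// key; the PLC only ever holds the public key, so it can verify but never sign.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the check a PLC firmware loader should run before touching flash.
// It returns the version and payload only if the signature verifies under the
// vendor public key and the version does not roll back. An insecure-by-design
// loader is this function with the two checks removed: it accepts whatever arrives.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+sigLen || !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadImage
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := int(binary.BigEndian.Uint32(img[8:12]))
	if plen < 0 || len(img) != headerLen+plen+sigLen {
		return 0, nil, ErrBadImage
	}
	signed, sig := img[:headerLen+plen], img[headerLen+plen:]
	// Verify before parsing or trusting the payload in any way.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSignature
	}
	// Anti-rollback: a validly signed but older image may carry a known weakness.
	if version < installed {
		return 0, nil, ErrDowngrade
	}
	return version, img[headerLen : headerLen+plen], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; a real image would be the controller firmware.
	good := BuildImage(priv, 2, []byte("constructed sample firmware payload"))
	if _, _, err := VerifyImage(pub, 1, good); err != nil {
		panic(err)
	}
	fmt.Println("signed image accepted")

	// Without the vendor private key an attacker can only offer an unsigned or
	// modified image. Flip one payload byte and the loader refuses it.
	bad := append([]byte(nil), good...)
	bad[headerLen] ^= 0xff
	_, _, err = VerifyImage(pub, 1, bad)
	fmt.Println("tampered image:", err)

	// A genuine but older image is refused too.
	_, _, err = VerifyImage(pub, 3, good)
	fmt.Println("rollback to older version:", err)
}
```

The check is only as strong as what surrounds it: if the same unauthenticated channel that carries the image can also replace the stored public key or the loader itself, the signature buys nothing, and that is the point of the vendors enforcing it at the PLC rather than in engineering software. The anti-rollback check is the caveat practitioners most often forget; a signed image is not automatically a safe one.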