Cybersecurity researchers have revealed the development of a new, custom form of ransomware targeting industrial control systems (SCADA). The malware and the subsequent attack on a simulated water treatment plant were designed to highlight how cyberattackers could disrupt key services that cater for our critical needs, such as energy providers, water management utilities, heating, ventilation and air conditioning (HVAC) systems or escalator controllers. IT security experts from NSFOCUS, AlienVault, ESET and Nozomi Networks commented below.
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“One of the greatest threats to SCADA implementations and the industrial control systems (ICS) they regulate is the loss of view and loss of control over these critical components. Anything that causes a denial of service for operators can result in some pretty scary scenarios. From systems running completely out of control on their own, to operators making wrong decisions due to their loss of view, these situations are disasters in the making. Due to the primitive security measures implemented on most ICS technologies, and the antiquated operating systems and applications in use, the likelihood of a ransomware infection is quite a bit higher than most would like to admit.”
Javvad Malik, Security Advocate at AlienVault:
“We’ve seen ransomware grow rapidly, and there is growing attraction to hit more critical targets such as hospitals that are more likely to pay larger sums quickly.
In that regard, it is no stretch to imagine that attacks against SCADA systems are on attacker wish-lists. However, many attackers will be concerned about the level of scrutiny such an attack could place on them. Many ransomware attackers are cybercriminals wanting to make some money in an easy manner, and probably don’t want the attention associated with being labelled a ‘cyber’ terrorist or being seen as having declared an act of war.
Another reason why we possibly haven’t seen such attacks is that SCADA systems have typically been segregated and not publicly accessible. However, there are several factors that indicate that the likelihood of such an attack will increase over time. The scope of what is deemed critical national infrastructure is ever-increasing. There is an increased reliance on the internet to keep systems running, which results in more systems being exposed. There is also the drive towards ‘smart cities’, which will further expose critical systems to the public internet. What this means is that even if attackers can’t compromise SCADA systems directly, they can likely compromise systems that SCADA relies on, thus having a similar effect.”
Mark James, IT Security Specialist at ESET:
“Any threat that can have real world consequences is something that needs to be addressed and monitored closely. A lot of the malware we see and hear about is designed in such a way that it spreads and propagates looking for viable targets, but targeted malware is very different. Usually targeted malware is configured and aimed at a particular industry or sector. With so much of our industry digitally operated or maintained, this could, in the worst-case scenario, prove very bad indeed. But the same rules apply to any area that may be the target of ransomware: it has to be installed and it has to be able to gain complete control. With the right levels of security we can limit its attack vector and have mechanical failsafes to override anything software can instigate. All environments in our digital world are susceptible to attack and need to be protected. Making sure operating systems, applications and security programs are kept up-to-date is one of the first lines of defence, and one that is often overlooked or just not possible on bespoke systems designed to do a single task or job.”
Edgard Capdevielle, CEO at Nozomi Networks:
“The demonstration by researchers of the Georgia Institute of Technology at RSA, showing how water treatment PLCs [programmable logic controllers] can be susceptible to ransomware, is cause for concern – but not surprising. The difference between an enterprise falling foul of malware and a water treatment plant is the severity of the potential impact, since the attack vectors are the same.
“For years security experts have warned that industrial control systems (ICS) and their components, such as PLCs, are susceptible to many of the same threats faced by other organisations – this research proves that reality, this time thankfully without endangering lives. Without wishing to be dramatic, human safety is at risk should these systems be breached. Water, power, energy, and transportation systems are all operated by similar technologies, ones that have historically been hard to protect, and hackers have already turned the lights off in Ukraine.
“Fortunately, innovations in machine learning and anomaly detection are being applied that can help monitor and protect ICS systems, such as the PLCs used in this demonstration. The question that remains is whether experiments by research teams will be enough to demonstrate the potential attacks aimed at critical infrastructure and drive broad adoption of these new technologies that will help keep us all safe.”
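The anomaly-detection approach Capdevielle refers to can be illustrated with a small monitor that watches setpoint writes to a water-treatment PLC. The following is an added example, not code from the Georgia Tech demonstration or from any vendor quoted above; the tag names, engineering limits, allow-listed hosts and the telemetry timeline are all constructed for illustration. It combines three independent checks a defender would typically layer: an engineering-envelope check (is the value physically sane?), a source check (is this host expected to write setpoints at all?) and a statistical baseline check (does the value deviate sharply from recent, trusted writes?).

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class PlcWrite:
    ts: int        # seconds since the start of the constructed timeline
    source: str    # host that issued the write
    register: str  # PLC tag name (constructed)
    value: float


# Engineering envelope per tag. Constructed for this example; a real plant's
# limits come from its own process documentation.
SAFE_RANGE = {
    "chlorine_setpoint_ppm": (0.2, 4.0),
    "pump_speed_pct": (0.0, 100.0),
}

# Hosts expected to write setpoints (constructed allow-list).
KNOWN_WRITERS = {"hmi-01", "eng-ws-02"}


class SetpointMonitor:
    """Flags PLC writes that leave the engineering envelope, come from an
    unexpected host, or deviate sharply from the recent trusted baseline."""

    def __init__(self, window: int = 20, z_threshold: float = 3.0,
                 min_history: int = 5, min_sd: float = 0.01):
        self.window = window
        self.z_threshold = z_threshold
        self.min_history = min_history
        self.min_sd = min_sd          # floor so a flat baseline still scores
        self.history: dict[str, deque] = {}

    def observe(self, w: PlcWrite) -> list[str]:
        alerts: list[str] = []
        lo, hi = SAFE_RANGE.get(w.register, (float("-inf"), float("inf")))
        if not lo <= w.value <= hi:
            alerts.append(f"OUT_OF_RANGE {w.register}={w.value} outside [{lo}, {hi}]")
        if w.source not in KNOWN_WRITERS:
            alerts.append(f"UNKNOWN_WRITER {w.source} wrote {w.register}")
        hist = self.history.setdefault(w.register, deque(maxlen=self.window))
        if len(hist) >= self.min_history:
            mu = mean(hist)
            sd = max(pstdev(hist), self.min_sd)
            z = abs(w.value - mu) / sd
            if z > self.z_threshold:
                alerts.append(f"DEVIATION {w.register}={w.value} vs baseline "
                              f"{mu:.2f} (z={z:.1f})")
        # Only writes that raised no alert feed the baseline, so a hostile
        # value cannot drag the baseline towards itself.
        if not alerts:
            hist.append(w.value)
        return alerts


def analyze(writes: list[PlcWrite]) -> dict[int, list[str]]:
    """Return {timestamp: [alert kinds]} for every write that raised an alert."""
    monitor = SetpointMonitor()
    flagged: dict[int, list[str]] = {}
    for w in sorted(writes, key=lambda x: x.ts):
        alerts = monitor.observe(w)
        if alerts:
            flagged[w.ts] = [a.split()[0] for a in alerts]
    return flagged


# Constructed telemetry: a steady chlorine setpoint from the HMI, then a wildly
# out-of-range write from an unknown host, then an in-range but abrupt jump.
SAMPLE_WRITES = [
    PlcWrite(ts, "hmi-01", "chlorine_setpoint_ppm", v)
    for ts, v in zip(range(0, 80, 10), [1.0, 1.02, 0.98, 1.01, 0.99, 1.0, 1.03, 0.97])
] + [
    PlcWrite(75, "eng-ws-02", "pump_speed_pct", 60.0),
    PlcWrite(80, "jump-host-7", "chlorine_setpoint_ppm", 12.0),
    PlcWrite(90, "hmi-01", "chlorine_setpoint_ppm", 2.5),
    PlcWrite(100, "hmi-01", "chlorine_setpoint_ppm", 1.01),
]

if __name__ == "__main__":
    for ts, kinds in analyze(SAMPLE_WRITES).items():
        print(f"t={ts:>3}s  {', '.join(kinds)}")
```

Running the block flags the write at 80 s on all three checks and the 2.5 ppm write at 90 s on the baseline check alone, while the 1.01 ppm write at 100 s passes because the baseline was not polluted by the two alerting writes. The cost of that policy is that a legitimate operator change which trips the deviation check keeps alerting until the baseline is reset or the write is acknowledged; in practice the envelope check and the writer allow-list are the cheap, high-confidence signals, and the statistical check is the one that needs tuning per tag.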