Ransomware: industrial class distraction?

July 21, 2017
With Petya still threatening PCs around the world, and WannaCry fall-out still lingering, many have called out for immediate action to protect our systems.

With Petya still threatening PCs around the world, and WannaCry fall-out still lingering, many have called out for immediate action to protect our systems. Many who work in industrial cyber security have been quick to point out that the nature of this threat directly concerns our critical industrial and automation infrastructures.

Is this hype? Another sky-is-falling cry from security vendors? An industrial class distraction?

I've gone on record saying that I believe our current predicament is a direct threat to industrial automation. There are a few reasons why:

WannaCry was a ransomware campaign, but WannaCry isn't the problem. The problem is that an arsenal of weapons-grade exploits are now freely available to all. WannaCry was simply the first to utilize them to any scale.

At the time of this writing, EternalRocks has already long surpassed the capability of WannaCry. Its true intentions aren’t known yet, but its sophistication is far superior to WannaCry, and it operates in a much stealthier manner. Now we have the Petya/Golden Eye attack. This is just the crest of the wave from the Shadow Brokers leak. The tsunami is yet to come.

Perhaps worse is the unknown threat from tools and exploits that haven’t been leaked. We don’t know the true extent of what’s out there, but what we do know about the tools that have been leaked is that they are highly effective.

There's a somewhat misplaced belief that ransomware isn't applicable to ICS, that ransomware somehow only applies to commercial businesses or traditional enterprise networks. Perhaps even that control systems are adequately protected and therefore immune. Yet we know that a reasonably sophisticated attacker who targets a control system will get in.

If we assume for a minute that your industrial automation system is well prepared for a disaster, and that key systems have validated and available backups, the forced encryption of operator consoles, engineering workstations, historians - the loss of these systems wouldn’t be devastating, but it would be a huge and costly inconvenience. Now imagine a truly targeted attack that combined ransomware with something more damaging to the ICS itself. Perhaps something to alter process logic, or falsify reading, or stifle alarms. In these cases, the loss of control and loss of view caused by cryptolocking key systems could have significantly higher consequences. I'm not going to map out what such an attack might look like, but think about that for a moment.

The leaked exploits don't have to be about ransoms. EternalRocks is proof of that: it's more sophisticated and as of yet hasn't shown its intent. It was discovered by a CERT researcher who caught it in a honeypot, who describes it as “sneaky.” How many similar “sneaky” campaigns are underway? Are they targeting ICS? We don't know.

So perhaps it is a distraction, but I would argue it’s a necessary one. I often say that the best cyber defense is a strong imagination. In this case I recommend reading everything you can about the new tools that are available, imagine how they might be weaponized against an ICS, or how they might be modified to do so, and plan accordingly. Because, speaking of distractions, there are now theories circulating that these ransomware attacks might be deliberately misleading: red herrings to mask more nefarious acts.