Ransomware and control system cyber security

May 16, 2017


The purpose of a denial-of-service (DoS) attack is to shut down computing services or systems. In IT, a DoS attack is a cyber attack where the attacker seeks to make a machine or network resource unavailable by disrupting services. DoS is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. However, it does not matter whether the service or system is shut down by the attacker or by the end-user in response to the attacker: either way, the system is shut down. In fact, if the attacker can get the end-user to shut the system down, there are no “fingerprints” for forensics.

The May 12, 2017 WannaCry ransomware attack was effectively a DoS attack because its threat led some end-users to shut down their manufacturing systems. Specifically, Renault halted auto production at several sites, including Sandouville in northwestern France. Renault-owned Dacia of Romania shut down its plants on Saturday to prevent the spread of ransomware in its systems. Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault, though “there has been no major impact on our business,” a spokesman for the Japanese carmaker said. This is not the first time that the threat of a cyber attack has shut down manufacturing facilities. Similar cases occurred years ago with the Slammer worm, when a number of manufacturing plants preemptively shut down. This is not to say that ransomware attacks are not a concern to control system applications. In 2016, there were at least two ransomware attacks that affected manufacturing production and electric distribution facilities. Consequently, more thought needs to be given to when industrial control systems should be shut down in response to cyber attack threats.

One of the primary recommendations to address the WannaCry cyber attack was to keep patches current. However, this can be very problematic in a control system environment. Control system patches need to come from the control system supplier, and the patch management cycle may be on the order of months or years, depending on the criticality of the system to facility operation.

 Joe Weiss