Ransomware and control system cyber security

The purpose of a denial-of-service (DoS) attack is to shutdown computing services or systems. In IT, a DoS attack is a cyber attack where the attacker seeks to make a machine or network resource unavailable by disrupting services. DoS is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. However, it does not matter if the service/system is shutdown by the attacker or by the end-user in response to the attacker– the system is still shut down. In fact, if the attacker can get the end-user to shut the system down, there are no “fingerprints” for forensics.

The May 12, 2017 WannaCry ransomware attack was effectively a DoS attack because its threat had some end-users shutdown their manufacturing systems, effectively a DoS attack. Specifically, Renault halted auto production at several sites including Sandouville in northwestern France. Renault-owned Dacia of Romania shut down their plants on Saturday to prevent the spread of ransomware in its systems. Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault though “there has been no major impact on our business” a spokesman for the Japanese carmaker said. This is not the first time that the threat of a cyber attack has shut down manufacturing facilities. Similar cases occurred years ago with the Slammer worm where a number of manufacturing plants preemptively shut down. This is not to say that ransomware attacks are not a concern to control system applications. In 2016, there were at least two ransomware attacks that affected manufacturing production and electric distribution facilities. Consequently, there needs to be more thought on when to shutdown industrial control systems from cyber attack threats.

One of the primary recommendations to address the WannaCry cyber attack was to keep patches current. However, this can be very problematic in a control system environment. Control system patches need to come from the control system supplier and the patch management cycle may be on the order of months or years depending on the criticality of the system to facility operation.

 Joe Weiss

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

  • With the arrival of a ransomware variant that propagates over the LAN several common security definciencies need to be addressed: - often security assessments show bad firewall rules, e.g. an exclusive filter on IP address leaving all services exposed. - absence of disaster recovery planning. The organization around mass recovery and reconstitution requires different controls then recovery of a single server from backup. - size of the containment zones, network segmentation within control systems is not sufficient to prevent network worms from spreading. - handling a controlled process shutdown for systems that lost all servers / stations to operate the plant while the controllers using non-open technology are still controlling the process. Systems with safety systems generally have a hardwired connection to control PSD from the operator console, but not all process control systems make use of safety systems and hardwired connections are generally only feasible in DCS environments, not in SCADA environments with longer distances.

    Reply

RSS feed for comments on this page | RSS feed for all comments