Ransomware in ICS/SCADA ... It's Happening and Predictions

One is not exactly channeling Nostradamus to predict that ransomware attacks will hit Industrial Control Systems (ICS). The importance of a reliable, high-integrity backup and the ability to recover in an acceptable timeframe is the same for ICS and enterprise network ransomware attacks. The difference is that the average high-value ICS lacks automated, consistent backup with off-network storage. There is a false sense of comfort from the redundancy in the system, and we still see manual backups on USB drives, with all of the issues that come with such a heavily human-action-based approach.

Backup should be much easier in ICS because of the minimal changes in many installations. A quarterly or monthly backup of everything but historical data is often sufficient. Whatever an asset owner does for backup and has for Recovery Time Objectives (RTO), it is the confidence in the ability to recover that is key. ICS ransomware is a great tabletop incident response exercise that might have the asset owner revisiting recovery requirements.
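The recovery-confidence points above (automated rather than manual backups, an off-network copy, a fixed cadence, a tested restore that fits the RTO, and an integrity check on the image) can be turned into a simple readiness check. This is an added example, not code from the post or from Digital Bond; the asset inventory, field names and 90-day policy are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import hashlib

# Assumed policy, following the post: a quarterly image of everything but historical data.
MAX_BACKUP_AGE_DAYS = 90

@dataclass
class Asset:
    name: str
    last_backup: date | None           # None if never backed up
    backup_method: str                 # "automated" or "manual_usb"
    off_network_copy: bool             # a copy the ICS network cannot reach
    restore_test_hours: float | None   # measured restore time, None if never tested
    rto_hours: float                   # Recovery Time Objective

def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Integrity check: the image must match the hash recorded when it was taken."""
    return hashlib.sha256(image).hexdigest() == expected_sha256

def assess(asset: Asset, today: date) -> list[str]:
    """Findings that undermine confidence in recovering this asset within its RTO."""
    findings = []
    if asset.last_backup is None:
        findings.append("no backup")
    elif (today - asset.last_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append("backup older than policy")
    if asset.backup_method != "automated":
        findings.append("manual backup process")
    if not asset.off_network_copy:
        findings.append("no off-network copy")
    if asset.restore_test_hours is None:
        findings.append("restore never tested")
    elif asset.restore_test_hours > asset.rto_hours:
        findings.append("tested restore exceeds RTO")
    return findings

# Constructed sample inventory (hypothetical assets, not from the post).
SAMPLE_ASSETS = [
    Asset("HMI-1", date(2019, 1, 15), "automated", True, 2.0, 4.0),
    Asset("EWS-1", date(2018, 9, 1), "manual_usb", False, None, 8.0),
    Asset("PLC-7", None, "manual_usb", False, None, 24.0),
]

def report(today: date = date(2019, 3, 1)) -> dict[str, list[str]]:
    """Map each asset name to its findings; an empty list means recovery-ready."""
    return {a.name: assess(a, today) for a in SAMPLE_ASSETS}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feeding the real inventory into `report` before a tabletop exercise gives the asset owner a concrete list of where recovery confidence is missing rather than a general feeling of comfort from redundancy.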

Here are four more interesting predictions where Ransomware in ICS may be different:

  1. There will be more bluffing / poker playing. Many likely scenarios could have the primary control center servers visibly compromised, but the backup control center or even the hot standby server not visibly compromised. The attacker might not have access to the backup site, might not know about the backup site, might choose not to impact critical infrastructure prior to the ransom demand (take down the primary and threaten the ability to monitor and control the refinery, power plant, etc.), might have logic bombs on the PLC/RTU, ... Visible compromise of something on the ICS plus a credible set of details about the system could be enough to make an asset owner very nervous.

  2. Ransomware timeframes will be shortened. Because there is so much redundancy in the system and only a limited number of computers are required to rebuild a minimal monitoring and control capability, the threat of ransomware in ICS has a shorter effective time window.

  3. Some ICS, such as certain manufacturing operations, don't have a major impact if they shut down for a couple of days. They just run more shifts the next week. ICS that have 24x7x365 requirements with large cost and societal impact per minute of downtime will likely be pushed by the criminal to pay quickly because they know a recovery effort is underway.

  4. Ransomware in PLCs or other Level 1 devices would be the next evolution and a more troublesome issue for ICS. People typically don't have redundant PLCs, and these devices can be bricked / require hardware replacement a la the Ethernet/Serial converters in Ukraine. In addition, the ability to perform forensics and determine which PLCs were compromised is extremely limited with current PLCs and security technology.

Post Author: Dale Peterson, Catalyst for ICS Cybersecurity, Digital Bond, Inc.

This post was initially posted here & has been reproduced with permission.
