Unlike in most industries, ransomware is not the biggest threat facing critical infrastructure facilities today. The vast majority of attacks carried out against such facilities are sponsored by nation-states; these attacks are much harder to detect and have more dangerous goals than just making a quick buck.
LogicLocker, a recent proof of concept of a ransomware attack for taking over controllers in water treatment plants, has focused attention once again on how cyberattacks could impact the critical infrastructure our communities depend on. Though this PoC has been attention-getting and should serve as a warning to prepare for when such attacks become a reality, ransomware is not the biggest cyberthreat to infrastructure facilities today.
Ransomware belongs to a larger ecosystem of cybercrime called “distributed crimeware,” which also includes malware like banking Trojans, infection tools such as exploit kits and mass-distribution mechanisms such as phishing and malvertising. The criminals staging these types of attacks want to make as much money as they can as quickly and easily as possible — and candidly, have targets that are much easier to attack.
Attacks on industrial control system (ICS) facilities are much more complicated in nature than those of “opportunistic” cybercriminals. They also require major investment from the attackers. What’s more, the groups who carry out these kinds of attacks put great effort into hiding them, so they may continue undetected. A pop-up saying you’ve been hacked, à la ransomware, is not in their repertoire.
Attacks on the ICS and supervisory control and data acquisition (SCADA) networks that support critical infrastructure tend to be targeted attacks. The primary reasons distributed cybercrime is unlikely to be a threat currently include:
1. Motive: Unlike nation-state attacks, distributed cybercrime is driven fundamentally by ROI. If the financial gain doesn’t outweigh the investment to develop tools and techniques, distributed cybercrime will pass on the target.
2. Distribution and Targets: From water treatment to manufacturing, nuclear energy to pharmaceuticals, the ICS devices of critical infrastructure vary greatly. This makes critical infrastructure less attractive to cybercriminals who are using a distributed crimeware model, as they always prefer infecting the most targets possible with automated, pre-packaged, one-size-fits-all attacks.
3. Testing: Testing attack techniques against ICS targets would require buying and assembling the actual controllers and the equipment of the target facilities – no easy feat.
4. Consequences: In the case of ransomware, if the ransom’s terms aren’t met, the attacker presumably makes good on their threat – usually by deleting the victim’s files. While incidents and infiltrations of ICS facilities happen from time to time, causing real damage to an ICS facility is much harder, as evidenced by the small handful of successful attacks.
While it is imperative that ICS managers keep their eyes on the more dangerous and far more likely threat of targeted attacks by nation-states, they should simultaneously be implementing a systematic vulnerability and threat management plan to minimize risk to the facilities. This should also include a crisis plan that can be put into action in the event of a possible infiltration. Though rare, the potential impact is enormous. For example, if a ransomware attack on an ICS facility were successful and the demands went unmet, we could see consequences similar to those of successful targeted attacks like Stuxnet and the attacks on Ukrainian power plants. This would include damage to the facility, loss of critical services to the community and potential dangers to workers or recipients of critical infrastructure services.
Today, other industries do present easier opportunities for ransomware, and so the focus of the majority of cybercriminals may not be on developing customized attacks to target critical infrastructure. Better ROI can be found elsewhere. But the minute the ROI meter for targeted attacks on ICS facilities ticks to “lucrative,” those facilities need to have preventative measures already in place. Also, ICS managers can’t assume they’re not going to be targeted simply because they’re not low-hanging fruit.
As most cyberattacks against ICS facilities are carried out at the level of management, monitoring or UI — and not on the devices themselves — vulnerability management plays a big role in critical infrastructure security. ICS facilities should do everything they can to verify their systems are patched or that they have indirect mitigation, such as stricter access control or an increase in monitoring focus by the security folks.
In any case, whether the next attack on an ICS facility comes from ransomware or by other means, the big picture remains the same — the critical infrastructure on which our communities rely is vulnerable. Therefore, the security teams at these facilities should be assessing every scenario (not just ransomware) of how they could be compromised, and then taking prioritized action based on the threat posed. Awareness and preparation are key to decisive defensive action — not “if” but when the attack comes.