By Raheem Beyah, Ph.D.
School of Electrical & Computer Engineering
Ransomware has evolved significantly over the years as malware authors have learned and adapted their methods of distribution, approach to extorting victims, and the technology that they use to hold assets for ransom.
In 2015, Symantec issued a technical report about the evolution of ransomware that categorized it into four main types along with key points in ransomware’s history when malware authors pivoted between the different types.
It is the cryptographic breed of ransomware, crypto-ransomware, that has been making headlines recently by extorting large payouts such as $10,000 to restore a public school district’s records or $17,000 to restore patient records at a hospital. The FBI estimated that ransomware cost the United States a total of $24 million in 2015, with the cost rising to an estimated $209 million in just the first three months of 2016.
With cybercriminals clearly catching on to the profitability of ransomware, they appear to be turning to Industrial Control System (ICS) networks as their next potential victims. A report released by Fortinet in 2016 presents evidence that attackers are retooling their standard crypto-ransomware and targeting it at manufacturing facilities in particular. Another report from Booz Allen Hamilton in 2016 takes this concept one step further by speculating that ransomware will not only shift to the manufacturing sector but also shift to attacking the programmable logic controllers (PLCs) rather than just personal computers.
Lending weight to these predictions, the world is seeing high-profile ransomware attacks creep ever closer to control systems. In November 2016, the ticketing machines at San Francisco’s Muni transit system were infected with ransomware. It took several days to recover from this costly incident. Then, in late January 2017, it was reported that ransomware infected a luxury Austrian hotel, preventing new room key cards from being programmed for guests and essentially locking them out of their rooms. With each hotel room costing upwards of several hundred U.S. dollars per night, the victim decided it was worth paying the attacker roughly $1,600 to restore the systems and resume normal business operations quickly.
It certainly appears as if ransomware (and other forms of malware) is headed toward Level 2 of the Purdue Reference Model (i.e., the controllers). So, if ransomware does make it to PLCs in ICSs, what would the attacker hold for ransom? In traditional ransomware attacks, the attackers have focused on the most valuable component of most businesses—their data. ICS networks usually have little valuable data but instead place the highest value on downtime, equipment health, and personnel safety. Therefore, ransomware authors can threaten all three to make ICS ransomware profitable.
At RSA Conference 2017, my Ph.D. student presented a simulated ransomware attack on a water treatment plant using a testbed in my lab at Georgia Tech’s School of Electrical & Computer Engineering. We built the testbed to mimic the disinfection and storage stages of a city water treatment facility. In the disinfection stage, input water is mixed with chlorine in precise ratios. In the storage stage, the mock-up facility keeps a minimum amount of reserved water to ensure demand can always be met.
Our ransomware took advantage of several known weaknesses in popular PLCs to gain a foothold in the network. Then, it pivoted and propagated the malicious payload to other PLCs on the network. The ransomware, which had worm capabilities, was written in Structured Text, one of the five native PLC languages specified by the IEC 61131-3 standard. Once we were able to control the PLC, we leveraged the limited security mechanisms on the PLCs to lock the asset owner out. Using the email client on one of the PLCs, we were able to communicate with the asset owner to demand the ransom.
The simulated ransomware attack didn’t end well. We ultimately poisoned the city’s drinking water with high doses of chlorine, which would have tremendous consequences were it real life.
One could argue that the removal and replacement of the infected PLCs would resolve the issue. This may be true if one could guarantee that only a few PLCs are affected by an attack. However, given the homogeneity and lack of security monitoring in many industrial networks, it is very likely that all of the PLCs will be compromised. The remedy would then require shutting down the entire plant or factory, which could be catastrophic.
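The two stages of the testbed described above (a chlorine dosing ratio in disinfection and a minimum reserve in storage) and the point about missing monitoring both suggest the kind of process-level check an asset owner can run over PLC telemetry. The following is an added example written for this page; it is not code from the Georgia Tech testbed, from the RSA talk, or from Fortiphyd Logic. Everything in it is hypothetical: the PLC names, the telemetry fields (a chlorine dose in mg/L, a tank level in percent, and a flag the PLC raises when its logic is downloaded), the operating envelope, and the constructed sample records. It flags out-of-envelope dosing, a drained reserve, and logic downloads that hit several PLCs within a short window, which is what a worm spreading across a homogeneous fleet would look like from the monitoring side.

```python
"""Process-value and logic-change monitor for a two-stage water treatment model.

Added illustration for this article; not code from the testbed it describes.
All thresholds, PLC names and telemetry records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed operating envelope for the hypothetical plant model.
CL2_MIN_MG_PER_L = 0.5   # below this, disinfection is ineffective
CL2_MAX_MG_PER_L = 4.0   # above this, dosing is unsafe
RESERVE_MIN_PCT = 30.0   # storage stage must keep at least this reserve
FLEET_WINDOW_S = 300     # logic downloads on several PLCs this close together is suspicious


@dataclass(frozen=True)
class Sample:
    t: int                # seconds since start of the capture
    plc: str              # hypothetical PLC identifier
    cl2_mg_per_l: float   # chlorine dose reported by the disinfection stage
    tank_pct: float       # reserve level reported by the storage stage
    program_changed: bool  # PLC reported a logic download since the last sample


@dataclass(frozen=True)
class Alert:
    t: int
    plc: str
    kind: str
    detail: str


def check_sample(s: Sample) -> List[Alert]:
    """Per-sample checks: process values against the envelope, plus logic changes."""
    alerts: List[Alert] = []
    if not (CL2_MIN_MG_PER_L <= s.cl2_mg_per_l <= CL2_MAX_MG_PER_L):
        alerts.append(Alert(s.t, s.plc, "dose_out_of_range",
                            f"Cl2 {s.cl2_mg_per_l:.2f} mg/L outside "
                            f"[{CL2_MIN_MG_PER_L}, {CL2_MAX_MG_PER_L}]"))
    if s.tank_pct < RESERVE_MIN_PCT:
        alerts.append(Alert(s.t, s.plc, "reserve_low",
                            f"tank {s.tank_pct:.1f}% below {RESERVE_MIN_PCT}% minimum"))
    if s.program_changed:
        alerts.append(Alert(s.t, s.plc, "program_change", "PLC logic download reported"))
    return alerts


def monitor(samples: List[Sample]) -> List[Alert]:
    """Run per-sample checks in time order and correlate logic changes across PLCs."""
    alerts: List[Alert] = []
    last_change: Dict[str, int] = {}  # plc -> time of its most recent logic download
    for s in sorted(samples, key=lambda x: x.t):
        alerts.extend(check_sample(s))
        if s.program_changed:
            last_change[s.plc] = s.t
            recent = sorted(p for p, t in last_change.items() if s.t - t <= FLEET_WINDOW_S)
            if len(recent) >= 2:
                alerts.append(Alert(s.t, s.plc, "fleet_program_change",
                                    f"{len(recent)} PLCs changed logic within "
                                    f"{FLEET_WINDOW_S}s: {recent}"))
    return alerts


# Constructed telemetry: a logic download lands on both PLCs a minute apart,
# then the dose leaves the envelope and the reserve drains.
SAMPLE_TELEMETRY = [
    Sample(0, "plc-disinfect", 2.0, 75.0, False),
    Sample(60, "plc-storage", 2.0, 74.0, False),
    Sample(120, "plc-disinfect", 2.1, 73.0, True),
    Sample(180, "plc-storage", 2.1, 72.0, True),
    Sample(240, "plc-disinfect", 9.5, 70.0, False),
    Sample(300, "plc-storage", 9.5, 22.0, False),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_TELEMETRY):
        print(f"t={a.t:4d} {a.plc:14s} {a.kind:22s} {a.detail}")
```

The fleet correlation is the part that matters for the homogeneity argument: a single logic download can be routine maintenance, but the same event on two or more controllers within minutes is worth an immediate look, and it fires before any process value has drifted.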
Our proof of concept PLC ransomware made it clear that ransomware in ICSs is feasible. To minimize the likelihood of such attacks, we offer several recommendations.
Ransomware has evolved through the years and could be poised to affect the vast majority of our critical infrastructures. The good news is that this threat will be minimized as asset owners monitor their ICS networks and use best practices when securing their systems while vendors provide common sense security solutions on their devices.
Dr. Raheem Beyah, a native of Atlanta, Ga., is the Motorola Foundation Professor and Associate Chair for Strategic Initiatives and Innovation in the School of Electrical and Computer Engineering at Georgia Tech where he leads the Communications Assurance and Performance Group (CAP) and is a member of the Institute for Information Security & Privacy (IISP) and the Communications Systems Center (CSC). He is also a co-founder of Fortiphyd Logic, which provides security solutions for industrial control systems.