Ransomware has been making headlines for the last few years because of the impact it is having on businesses and government entities. The increasing prevalence of these attacks has been a wake-up call to industries around the globe, which are realizing that cyberattacks are a matter of when, not if. But the most alarming new trend in cybercrime may be attacks on critical infrastructure and operational technology (OT) systems.
While most attacks so far have targeted traditional information technology (IT) networks, Hayley Turner, director of industrial security at Darktrace, said more and more malware is aimed directly at OT systems. This can have wide-ranging effects on corporate ledgers, human safety, environmental safety and even national security.
In early September, Turner sat down with us to discuss recent trends in ransomware, why more attacks are going after critical infrastructure and how attackers are getting in. This is a transcript of Part 1 of her Expert Interview Series installment with Industrial Cybersecurity Pulse. It has been edited for clarity.
ICS Pulse: Let’s start by talking about ransomware. There has obviously been a rise in ransomware attacks against critical infrastructure in recent months. What might be responsible for this trend?
Hayley Turner: I think one of the main things here is the increased connectivity of the ICS (industrial control system) environment, or the operational technology environments, that a lot of critical infrastructure runs on. Once upon a time, to infect these environments with ransomware, you’d need to physically gain access, perhaps with infected media like a USB stick. But these days, they’re far more open, they’re far more connected, they’re far more accessible, and that connectivity is coming from a range of different places. Certainly over the last 18 months, with the pandemic and a range of different lockdowns, a lot of companies have had to increase the level of remote connectivity, for example, for third-party contractors and OT engineers, and that opens up a whole bunch of new avenues for attackers to leverage. But there’s also the adoption of new technology platforms like ICS cloud, ICS-as-a-service and the industrial IoT (Internet of Things) devices that we’re deploying onto these environments, as well.
So this increased connectivity makes them more accessible. But the thing is, a lot of the ransomware attacks that we’re seeing are genuinely accidental in their impact on the operating environments of critical infrastructure. In fact, a lot of ransomware-as-a-service operators will specifically say, “Our product is not to be used against critical infrastructure.” But the reality is, once an attack has been launched, it’s very, very difficult to contain.
The extreme example of that is NotPetya. I think it was originally targeted toward the Ukrainian financial system, and it shut down the port of LA, for example, amongst many other things. So there is that accidental impact, where these attacks are spilling over, or they’re impacting some crucial IT systems and resulting in some manual shutdowns. Colonial actually is another good example, where there’s no evidence that the attacker’s intent was to shut down the pipeline, but the impact at the end of the day is the same.
All that being said, we’re also seeing a lot more direct and deliberate targeting of ICS environments. And when we’re talking about critical infrastructure, it’s such a pressure point, and you can understand why attackers go for it. If you’re running a hospital, a gas pipeline, an electricity grid, and an attacker has managed to shut down your systems, you’re going to feel an awful lot of pressure to give into the attacker’s demands, because society is basically counting on us to get it back up and running.
ICSP: It does seem like the barrier to entry has been lowered. You used to need a lot of technical expertise in order to launch a ransomware attack against a major company. That doesn’t seem to be the case anymore.
Turner: Yeah, absolutely. And I think a big part of the reason why we’re seeing the increase in the volume of attacks and more attackers entering the scene is that the barrier to entry has been lowered in a number of ways. Commodity malware that you can purchase online is part of it, the increased connectivity is part of it, and then obviously the incentives add another dimension to it. But you used to require highly specialized ICS knowledge to attack one of these environments. These days, you could have some IT ransomware that perhaps has a small OT-specific module appended to it, and off you go. So definitely the barrier to entry has been reduced dramatically.
ICSP: Why is ransomware a particular concern for critical infrastructure and industrial environments?
Turner: Ultimately, it’s the high stakes involved. When you can impact the operating environment of any industry, but critical infrastructure industries in particular, the stakes are high across a range of different domains. The financial impact, first of all, can be enormous. Operational downtime can run into the millions of dollars in expense per day, for example, depending on the industry and the scope of the compromise. And then there’s that compounding impact of the reputational damage that goes along with it.
There can also be broader economic implications. If that company is part of a critical supply chain, for example, and companies upstream and downstream from it can’t get their products and services to market, it ultimately has a flow-on effect. When the Colonial Pipeline attack happened and the gas supply, or the fuel supply, on the U.S. East Coast was impacted, we felt that in the price of petrol here in Australia. So the flow-on effects can be quite significant.
Obviously, if it’s critical infrastructure, there can be a national security risk attached to it, as well. And probably one of the most important things that makes these attacks particularly of concern is that they can cause physical damage and physical harm, to human safety and to the environment. You might be talking about environments with high pressure, high temperatures or high voltage, for example. A sudden unplanned shutdown of these operations could have very significant implications, either for the environment, with the release of toxic chemicals, for example, or for human safety, as well.
ICSP: What are some of the different paths attackers can take to compromise critical infrastructure via ransomware?
Turner: Unfortunately, there are a number of different ways that ransomware impacts these environments at the moment. Obviously, there’s the traditional, direct route of introducing the ransomware directly into the operating environment. You’re plugging that USB stick into an ICS workstation, for example. But far more common these days is that we see attackers using traditional IT attack methodologies to get onto the enterprise network — perhaps a phishing email, a watering hole attack — creating that initial foothold in the IT environment and then either moving laterally and deliberately pivoting into the operating environment, leveraging IT/OT convergence channels, or indeed accidentally spilling over. WannaCry, I think, was a great example where the attack came in via IT, and it spilled over into some ICS environments. So there’s that sort of route, as well.
But what we’re seeing people becoming a lot more concerned about is where ransomware is impacting operations without ever actually reaching that environment: where it’s able to impact IT systems that have the, I guess, unintended effect or the flow-on effect of shutting down OT. That can be because of a level of interdependence between these systems. Some companies may be set up such that, without particular levels of visibility over the operating environment from IT systems that are running in the enterprise network, they can’t have confidence in those operations, and they need to shut them down. Or there are examples where the company can’t be confident that it has sufficient visibility over its environment and over the areas of convergence between its industrial and its enterprise networks, so that once the attack has taken hold in the IT environment, they feel that they need to do a manual shutdown, because they don’t have confidence that it’s been contained. I believe Colonial was an example of that, where in an abundance of caution, they had to power down their systems so that they could be confident that the ransomware agent didn’t come in and do it for them.
ICSP: While most of these ransomware attacks of late have come in through IT systems, is it also possible to ransomware an OT system?
Turner: Yeah, absolutely. There’s ransomware that we’re seeing that has been specifically designed to impact an OT system. Traditional ransomware tends to have a pretty significant impact anyway, given there is a lot of IT equipment that tends to run at the upper levels of an OT environment, but we’ve seen examples — EKANS, for example, the ransomware that impacted the Honda factory last year — that had actual ICS mechanisms in their kill list. It was designed to shut down aspects of an operational environment. We’re definitely seeing an increase in that sort of direct targeting.