Sixty percent of small companies go out of business within six months of falling victim to a data breach or cyberattack of any kind, says Layr, a commercial liability insurance provider. And cyberattacks—especially ransomware—are tough on larger businesses as well.
In the October special report on cybersecurity, we focused on ransomware and looked at new breeds of the malware, which now combine an effective means of extortion beyond encrypting data and asking for a ransom payment (aka data theft/extortion). In this article, I’d like to delve into ransomware attacks in more detail and look at their targets and ways of protecting process control and automation systems.
In the FE October feature article, we found that new breeds of ransomware, especially the “sleeper” type, can lurk inside a system for days or weeks before going into action, meaning that if you do backups on a regular basis, there’s a chance your backups may also be infected. Ransomware can get into your system in the first place in several ways, for example:
- Someone within the company clicked on an email link
- Someone clicked on a link on a “fake” website
- Someone downloaded an executable file and activated it
- Someone plugged in an infected thumb drive to a computer, which failed to scan the thumb drive for viruses
- Someone responded to an email or phone call from a “tech support person,” who was really a hacker, and gave away privileged logon/password information
- Any of the above, which helps a hacker/criminal gain access to your network and play around there for days or weeks, discovering the lay of the land and masquerading as a legit person on your network
How worried should you be about a ransomware attack?
“Everyone should worry about ransomware and have a plan to help prevent and deal with it,” says Steve Pflantz, CRB associate/senior automation engineer. “It can happen to anyone, but in reality the size and prominence of the company may affect how much one may be targeted. Do not ignore these threats and risks no matter what.”
Food and beverage processors should be very worried about ransomware, says Quade Nettles, Rockwell Automation cybersecurity services product manager. If a food and beverage company became a victim of a cyberattack and their production systems were compromised, this could lead to the potential loss of IP (intellectual property as opposed to internet protocol) and production being shut down, causing lost revenue, and generating supply chain issues.
While ransomware can shut down an entire operation completely for days at a time, if ransomware hackers are wandering around a system and potentially making changes to controls, the result could be just as devastating as a full shutdown. “One small change in the formulating, bottling or canning process, for example, could have substantial ramifications including product recalls and public health issues,” says Barak Perelman, VP of OT security at Tenable. “While there is currently no evidence that food and beverage manufacturers specifically are being targeted, all OT systems are vulnerable, and the DHS definitely considers the industry a key part of the growing concern with critical infrastructure cyberattacks.”
A common way ransomware penetrates a control system is by first penetrating the IT network and then finding its way into the control system, says Nettles. For a lot of manufacturers, disconnecting systems completely from the internet is not feasible, so to protect themselves they use a combination of countermeasures, which include perimeter hardening and segmentation (splitting a network into subnetworks) with firewalls, endpoint security, and intrusion detection systems.
With many organizations converging their IT and OT systems and others adopting IoT technology in order to boost efficiencies and reduce costs, new attack surfaces and vectors are being exposed that could easily be exploited, adds Perelman. Because many attacks are opportunistic, anyone without a secured OT infrastructure should take steps to secure it. Securing the organization on the front end enables the company to enjoy all of the benefits of these initiatives without exposing it to unacceptable and unforeseen risk.
Many forms of ransomware use the shotgun approach—try anything on everything—but the latest ransomware attacks are more targeted at specific companies and systems, including backup systems, says Rob Pike, CEO and founder of Cyemptive. “Everyone should be worried about the more recent progression attacks and AI technology that is a thousand times stronger in offensive, bad actor use cases vs. defensive, cyber-protection use cases.” Defending against any form of encryption attack, he says, requires technology that can detect encryption in real time.
Most cyber protection technologies today do not actually detect encryption but rather the API calls to the OS (operating system) encryption libraries following activation of the hack, says Pike. The problem is that advanced hackers now do not use those OS libraries, but instead use their own embedded encryption library, where the well-known cybersecurity providers can’t detect or alert on data being encrypted. Cyemptive, on the other hand, uses real-time encryption detection, not detection after the compromise has occurred, and therefore, can detect and prevent ransomware before it compromises the system.
Windows isn’t the only target of ransomware
Ransomware can find its way through to SCADA and control systems if there are connections to IT systems, says Pflantz. Your configurations and data can be at risk, so back them up and have a disaster recovery plan. And this is not a problem exclusively for Windows operating system users. Granted, that is the major OS software used—and, therefore, the most popular system to be attacked—but others can be at risk. “Don’t assume you are not a target if you don’t use Windows,” says Pflantz.
The idea that a site is “safe” if the Windows operating system and Windows-based applications are not used is a common misconception, says Alan Raveling, OT cybersecurity architect for Interstates, a Control System Integrators (CSIA) Certified Member. “Network attached storage (leveraged for backups) and other network appliances are vulnerable to ransomware, though the garden-variety ransomware may not be able to interact with the devices.”
The Hirschmann EAGLE40 next-generation industrial firewall features 1 Gbit/s bandwidth and protects against both physical and virtual threats with stateful and deep packet inspection modules. Source: Belden
Just an aside here: Keep in mind that Samba (SMB) shares on a UNIX or Linux server (whether residing on EXT4 or NTFS disks), which are accessible as mounted drives on Windows machines, are just as likely to have their data encrypted as the disk drives on the same Windows computer—if that machine is attacked by ransomware. All drives—network, local and USB—on a Windows machine can be encrypted by ransomware as long as access is allowed. In theory, non-shared, mounted EXT4 drives on a Linux server should not be visible to the world of Windows computing and malware—not to say an appropriate script written by hackers with root access couldn’t find a mounted Linux hard disk and do damage.
Also, if you’re running UNIX/Linux servers with Samba as I am, make sure the latest version of the SMB protocol is being used—it should be SMB 3.x—and Windows 10 handles SMB 3.x by default. If you notice on your Windows 10 machine (look in the Windows Features panel: Turn Windows features on or off) that SMB version 1 is in use, make sure you’re not also connecting to older equipment—for example, Windows 2003 Server or XP—as any SMB protocol version 1.x is no longer considered secure. A final note: Windows 7 computers and 2008 Servers used SMB 2.x network protocols, which Microsoft now suggests disabling if no longer needed.
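Because the setup described above is a Samba server, here is an added example (not code from the article) of how to audit that SMB1 can no longer be negotiated on the Linux side: it reads an smb.conf and compares the `server min protocol` and `client min protocol` values, or Samba's defaults when they are unset, against a policy minimum of SMB3. The dialect ranking, the assumed Samba 4.11+ defaults and the two sample configurations are this example's own.

```python
# Added example (not from the article): audit a Samba smb.conf for the oldest
# SMB dialect it will negotiate; anything in the SMB1 family (NT1 and older)
# should no longer be accepted.

# Samba dialect names as used by "server min protocol" / "client min protocol",
# ranked weakest to strongest. The aliases SMB2 and SMB3 mean the newest dialect
# of that generation (SMB2_10 and SMB3_11). The numeric ranking is this
# example's assumption, used only for comparison.
DIALECT_RANK = {
    "CORE": 0, "COREPLUS": 1, "LANMAN1": 2, "LANMAN2": 3, "NT1": 4,
    "SMB2_02": 5, "SMB2_10": 6, "SMB2": 6,
    "SMB3_00": 7, "SMB3_02": 8, "SMB3_11": 9, "SMB3": 9,
}
# Samba's own defaults since 4.11 (assumed here; older builds defaulted lower).
SAMBA_DEFAULTS = {"server min protocol": "SMB2_02", "client min protocol": "SMB2_02"}
POLICY_MINIMUM = "SMB3_00"   # this example's policy: nothing older than SMB3


def parse_smb_conf(text):
    """Tiny smb.conf reader: {section: {parameter: value}} with parameter names
    lower-cased and whitespace-normalised. Comment lines (# and ;) are skipped;
    'include' and 'config file' directives are not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_min_protocol(text, minimum=POLICY_MINIMUM):
    """Return findings; an empty list means the [global] section meets the policy."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for param, default in SAMBA_DEFAULTS.items():
        explicit = param in glob
        value = glob.get(param, default).upper()
        if value not in DIALECT_RANK:
            findings.append(f"{param}: unrecognised dialect '{value}'")
        elif DIALECT_RANK[value] < DIALECT_RANK[minimum]:
            origin = "set explicitly" if explicit else "Samba default"
            findings.append(f"{param} = {value} ({origin}) admits dialects older than {minimum}")
    return findings


# Constructed configurations: one still serving SMB1, one hardened.
WEAK_CONF = """\
[global]
   workgroup = PLANT
   ; still serves SMB1 to old XP / 2003 hosts
   server min protocol = NT1
   ; client min protocol not set, so Samba's default applies
[recipes]
   path = /srv/recipes
   read only = no
"""
HARDENED_CONF = """\
[global]
   workgroup = PLANT
   server min protocol = SMB3
   client min protocol = SMB3
[recipes]
   path = /srv/recipes
   read only = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_min_protocol(conf) or "OK")
```

On a live server, `testparm -v` prints the effective value of every parameter, defaults included, which is the quickest way to confirm what the running Samba actually negotiates.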
While getting technology right is one important part of prevention, companies must also adopt proper processes and train their employees on practicing good habits—like not falling victim to a phishing attack, Nettles adds. It is common for food and beverage companies to have non-Windows OS based assets and they can be protected as well using the same countermeasures highlighted earlier.
Follow basic preventive measures to help protect your operation
Whether or not you choose to employ an advanced solution like Cyemptive, you should still be following the basics to prevent an infection in the first place. The best means of protecting a network is to deploy a zone-based security defense (ISA/IEC 62443) and then utilize compact industrial firewalls that are protocol-aware, offering deep packet inspection (DPI), like the Tofino Xenon and EAGLE40, which can discern individual commands and addresses for EtherNet/IP, ModbusTCP, DNP3, OPC and others, says Sven Burkard, industrial solution consultant at Belden, a CSIA Partner Member. A similar software-based strategy can be applied using Tripwire Industrial Visibility (TIV), which also has DPI capabilities, only for significantly more protocols (45+), as it is intended to protect the ERP/MRP and business network.
The Tofino Xenon industrial security appliance provides comprehensive network protection and features loadable security modules for customization of systems. Source: Belden
Such preemptive hardware and software deployments can offer a significant preventative countermeasure to several vulnerabilities associated with WannaCry, Petya, iEncrypt and EKANS (aka Snake), to name a few. This is especially true since many of these attacks take full advantage of an un-segmented network’s vulnerabilities to spread, and they do so over time to maximize their impact. It is because of this that every user should look to deploy a segmented network, following IEC 62443, and consider using software like Tripwire’s to look for file and configuration changes, discover assets and assess their vulnerabilities, and monitor inter-device communication.
Brandon Ellis, president of elliTek, Inc., a CSIA Partner Member, identifies several concerns and potential remedies for preventing intrusions. For example, malicious changes of data could affect product safety and cause regulatory problems, as Perelman suggested earlier. While a VPN is generally thought of as a prevention tool, it can be a vector of attack—as was the famous memory stick in the Stuxnet attack on an Iranian nuclear centrifuge facility. For more insights from Ellis, see the FE Interview, “Keeping machines and OT networks and IT safe from cyberattacks.”
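To make the “discern individual commands and addresses” point concrete, here is an added example (not Belden's or Tripwire's code) of the decision a protocol-aware filter makes for Modbus/TCP: it parses the MBAP header and function code, lets read requests through, and permits write function codes only from an assumed engineering station address and only to an assumed register window. The engineering station address, the window and the frames are all constructed for the example.

```python
# Added example (not from the article): a Modbus/TCP read-only-by-default
# filter that also checks the addresses a write would touch.
import struct

# Modbus public function codes (Modbus application protocol specification).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical site policy (this example's assumption): only the engineering
# station may write, and only inside a small address window.
WRITERS = {"10.10.1.5"}
WRITABLE = range(0, 100)


def parse_modbus_tcp(frame):
    """Split a Modbus/TCP request into MBAP header fields and PDU, rejecting
    frames whose header does not describe the bytes actually present."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto_id, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (0)")
    if length != len(frame) - 6:          # length covers unit id plus PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return {"transaction": tid, "unit": unit, "function": func, "data": frame[8:]}


def decide(src_ip, frame):
    """Return ('ALLOW' or 'DROP', reason) for one request frame from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("DROP", f"malformed: {exc}")
    func, data = req["function"], req["data"]
    if func in READ_FUNCTIONS:
        return ("ALLOW", READ_FUNCTIONS[func])
    if func not in WRITE_FUNCTIONS:
        return ("DROP", f"function code {func} not allowlisted")
    name = WRITE_FUNCTIONS[func]
    if src_ip not in WRITERS:
        return ("DROP", f"{name} from non-engineering host {src_ip}")
    if len(data) < 4:
        return ("DROP", f"{name} with truncated address fields")
    start, second = struct.unpack(">HH", data[:4])
    count = second if func in (15, 16) else 1   # multi-writes carry a quantity
    last = start + count - 1
    if start not in WRITABLE or last not in WRITABLE:
        return ("DROP", f"{name} touching {start}..{last}, outside writable window")
    return ("ALLOW", f"{name} at address {start}")


def request(tid, unit, func, *fields):
    """Build a request frame; fields are 16-bit big-endian PDU values."""
    pdu = bytes([func]) + b"".join(struct.pack(">H", f) for f in fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Write Multiple Registers (16): start 95, quantity 8, byte count 16, 8 zero values.
MULTI_WRITE = (struct.pack(">HHHB", 7, 0, 23, 1) + bytes([16])
               + struct.pack(">HHB", 95, 8, 16) + bytes(16))

# Constructed requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("10.10.1.20", request(1, 1, 3, 0, 10)),       # HMI reads 10 holding registers
    ("10.10.1.5", request(2, 1, 6, 10, 500)),      # engineering station writes register 10
    ("10.10.0.23", request(3, 1, 6, 10, 500)),     # corporate workstation tries the same write
    ("10.10.1.5", request(4, 1, 6, 5000, 1)),      # write outside the allowed window
    ("10.10.1.20", request(5, 1, 3, 0, 10)[:-1]),  # truncated frame, length mismatch
    ("10.10.1.5", request(6, 1, 8, 0, 0)),         # Diagnostics (8): not allowlisted
    ("10.10.1.5", MULTI_WRITE),                    # 95..102 spills past the window
]


def audit(requests):
    """Evaluate every (source, frame) pair and return (source, decision, reason)."""
    return [(src, *decide(src, frame)) for src, frame in requests]


if __name__ == "__main__":
    for src, verdict, reason in audit(SAMPLE_REQUESTS):
        print(f"{verdict:5s} {src:12s} {reason}")
```

The length check matters as much as the function-code check: a filter that trusts the MBAP length field without comparing it to the bytes on the wire can be made to parse one thing while the PLC parses another.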
Email is not the only channel to receive ransomware/malware
You’d think email would be the number-one source for ransomware and malware. After all, not a single day goes by when I don’t get at least one phishing email with an attachment, a poisoned link or fake return address. But, I can understand how easy it might be to click on something, especially when you receive 300 emails per day on average. However, when checking emails, as I scroll through them all, I keep an eye on the From and Subject fields with my mouse on the Delete button—and kill off the junk before I even read the email.
“Human behavior is the cause of 90%-plus of all incidences,” says Belden’s Burkard. “Email attachments, people clicking on things they should not, and downloading third-party software are most common. All are preventable with company internet firewalls and education.”
Phishing emails are still the largest threat vectors for all cyber-attacks, says Rockwell’s Nettles. Two other threat vectors are unpatched vulnerabilities and infected removable media like USB drives. This highlights the need for proper processes to ensure removable media are scanned and cleaned before use and for companies to have a defined patching process.
Users are still the most likely way an attack or breach happens, says CRB’s Pflantz. “Mitigate this with increased awareness, thorough training and carefully controlling system users and access. People must be careful and follow procedures in place no matter how trivial things seem. Remember the major company that had credit card data stolen because an HVAC tech at a local store was the path into the system? Ransomware can happen the same way. Awareness of cyber risks and proper cyber hygiene need to be part of your company’s culture. Period.”
Interstates’ Raveling says facilities need to consider all the ways files or data can enter the manufacturing network and create strategies to address them. Portable media used to copy code or files can be infected. Third-party support or vendors may utilize laptops that are infected. Downloading content from the internet can also introduce infected files into the network.
Communications that leverage social engineering tactics may be of concern for food and beverage, but these types of attacks may be more focused at the front office for financially focused activities instead of trying to convince an engineer to run a remote access application due to a “supposed” faulty piece of equipment, adds Raveling.
Though email is one of the commonly known ways, there are thousands of possible ways to break into any environment today, says Cyemptive’s Pike. Every element of the infrastructure is prone to hacking. Hackers today have many ways of getting into networks without any help from inside. The computing, network and process control technologies being deployed are full of known holes that are being compromised, and the market is struggling with how to deal with the massive scale of these compromises.
And sometimes in the least expected ways, a virus can propagate into a plant-wide IT/OT system. Tenable’s Perelman says, “We have seen devices that are infected directly from the manufacturer as well as cabling that contains a virus. This, of course, is in addition to the vulnerabilities that affect devices already deployed in the network.”
“Cabling that contains a virus.” Really? My first thought was that wire, of course, cannot contain a virus on its own. With that being said, a quick search on the internet revealed a proof-of-concept that was actually demonstrated with a “cable”—well, not the cable itself, but a microchip buried under the USB connector sheath at one end. Who would have thought? So if you’re working for MI6 or NSA, you’re probably quite familiar with the “tool.”
Though IT departments work like crazy to educate, isolate and defend against cybersecurity attacks—whether through email or some other vector—an attack needs to be stopped before it reaches the OT network, says elliTek’s Ellis. “Our primary goal then is to do our best to ensure that any malicious attack, should it get through to one of our connected networks, stops at our gateway and that it cannot ‘bridge’ to the secondarily connected network, whichever that may be (IT or OT).”
From a control system perspective, limiting or not allowing e-mail or web access via the system is a big positive step, says CRB’s Pflantz. Those are the most common avenues to get into a system, and in most cases, the control system can operate without any of these internet services. “The control system and associated hardware and software are critical parts of the operation, so don’t sacrifice the safety and integrity because of convenience.”
Most processors have regular plant network connections and computers for employees to use in manufacturing spaces if that type of information and access is needed, says Pflantz. It really does not belong on the control system, so carefully “controlling” your control system use and access adds to safety behind firewalls and protection software.
Can ransomware be kept from running?
It depends, is the short answer. “Ransomware is not a virus, it is encryption-based,” says Cyemptive’s Pike. “There is no signature that can be created for effectively dealing with ever-evolving ransomware—it has to be stopped before entry into the network. Cyemptive can do this; we handle defense differently and can handle ransomware among many other attacks and prevent the attacks from spreading within the network.”
Rockwell Allen-Bradley’s Stratix 5400 industrial Ethernet managed switches support layer 2 switching and layer 3 routing using a combination of Gigabit Ethernet, Power over Ethernet and GE fiber ports. Source: Rockwell Automation
Forms of isolation can also help keep malware from spreading across networks. If you’re not sure about a program you downloaded, isolate it. “Run any questionable applications in a sandbox environment or in a VM (virtual machine) that is network-isolated,” says Belden’s Burkard. Additionally, don’t give all users administrative rights. Last, use zones and conduits (ISA99/IEC 62443) with firewalls or switches with respective ACLs (access control lists), which is a highly recommended standard for most users that do not have a plan (as the malware cannot replicate if blocked/isolated in a zone).
The effectiveness of firewalls in preventing ransomware from spreading is very dependent on the design of the networks within a facility and the rules with which the firewall has been configured, says Interstates’ Raveling. Antivirus software can help to prevent some ransomware from running but if the attacker is exploiting zero-day vulnerabilities, it may not stop the ransomware from executing. Application whitelisting may prevent malware from running unless it is taking advantage of tools or scripting languages which have been whitelisted by the manufacturer’s IT or operations group.
Many ransomware attacks are very sophisticated and can go undetected inside manufacturer networks, says Rockwell’s Nettles. A firewall or endpoint security program could potentially prevent a ransomware program from running, but it is important that the firewall and endpoint security program are configured correctly to identify and prevent the attack.
We can’t emphasize this enough: To stop malware propagation, a processor should have the different security zones or operational zones physically segmented so that if one zone becomes compromised, they can isolate the compromised zone and not allow it to bring the whole network down. Routers, hardware firewalls and managed switches can be used to design segmentation into networks.
A segmented network (a network with several subnetworks) makes it easier to contain malware if it manages to penetrate a specific subnetwork, such as the corporate network whose addresses are 10.10.0.x. Since the corporate network is isolated by firewalls and routers from the control subnetworks (10.10.1.x and 10.10.2.x), traffic other than requests from specific designated hosts on the corporate network (or the internet) can be blocked by the routers and firewalls, so that communication from anything other than a designated source is difficult. This is known as whitelisting, where only designated hosts/machines are allowed to communicate from subnet to subnet or to the internet. Diagram source: NIST
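As an added illustration of the zone-and-conduit whitelisting in the diagram caption, not from the article or from NIST, the following Python model evaluates flows between the caption's subnets with a default-deny policy: only traffic that stays inside one zone, or that crosses a boundary through an explicitly listed conduit, passes. The historian address, the OPC UA conduits on port 4840 and the flow records are hypothetical.

```python
# Added example (not from the article): default-deny zone-and-conduit policy
# for the caption's three subnets, replayed against constructed flow records.
import ipaddress
from dataclasses import dataclass

# Zones from the diagram caption (10.10.0.x corporate, 10.10.1.x and 10.10.2.x control).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/24"),
    "control-1": ipaddress.ip_network("10.10.1.0/24"),
    "control-2": ipaddress.ip_network("10.10.2.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    """One allowlisted path across a zone boundary (hypothetical rule format)."""
    src: str      # a host address, or a zone name meaning any host in that zone
    dst: str
    port: int
    proto: str = "tcp"


# Hypothetical allowlist: only the historian at 10.10.0.50 may poll the control
# zones' OPC UA servers on 4840. Everything else crossing a boundary is denied.
CONDUITS = (
    Conduit("10.10.0.50", "10.10.1.10", 4840),
    Conduit("10.10.0.50", "10.10.2.10", 4840),
)


def zone_of(ip):
    """Name of the zone containing ip, or 'external' for anything outside the plant."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def _matches(pattern, ip):
    return pattern == ip or pattern == zone_of(ip)


def is_allowed(src, dst, port, proto="tcp"):
    """Default-deny evaluation of one flow. Traffic inside a single internal zone
    passes (assumption: the boundary device does not see it); anything else must
    match a conduit on source, destination, port and protocol."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "external":
        return True
    return any(_matches(c.src, src) and _matches(c.dst, dst)
               and c.port == port and c.proto == proto for c in CONDUITS)


def audit_flows(log_lines):
    """Replay flow records ('src dst proto port') against the policy and return
    the ones the boundary should block. Useful for testing a ruleset before
    deployment and for spotting cross-zone attempts in exported flow logs."""
    blocked = []
    for line in log_lines:
        src, dst, proto, port = line.split()
        if not is_allowed(src, dst, int(port), proto):
            blocked.append(line)
    return blocked


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    "10.10.0.50 10.10.1.10 tcp 4840",   # historian polling line 1: allowed
    "10.10.0.23 10.10.1.10 tcp 445",    # corporate workstation to controller over SMB: blocked
    "10.10.1.10 10.10.1.20 tcp 502",    # Modbus inside control zone 1: allowed
    "10.10.1.10 10.10.2.10 tcp 4840",   # control zone 1 to zone 2: no conduit, blocked
    "203.0.113.9 10.10.0.50 tcp 3389",  # internet to historian RDP: blocked
]

if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_FLOWS):
        print("BLOCK", flow)
```

The second record is the path the article keeps coming back to: a compromised office workstation reaching a controller over a file-sharing port. With a default-deny boundary it is dropped because no conduit lists it, not because anyone anticipated that particular attempt.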
Other takeaways: Use common sense
Luckily, greatly reducing the risk of a ransomware attack doesn’t come down to how much money you throw at the problem, says Tenable’s Perelman. Because many ransomware attacks exploit a lack of basic cyber hygiene, organizations can help protect themselves by getting back to the basics—having complete visibility into all assets (IT and OT) as well as their vulnerabilities and maintaining systems either through patching or compensating controls.
Think before you click, says Burkard. Think before you connect. Don’t have flat networks—use segmentation. It is not IF you will have a malware or compromise that can affect operations, but rather WHEN.
“Outside of deploying the Cyemptive platform, a few basic suggestions we would recommend—however noting that this will not protect you from ransomware—are to ensure you perform backups, restore your backups weekly, and verify backups can be restored on different networks on a regular basis,” says Pike.
Chances are you will use multiple platforms, techniques, services and products in the war against malware and ransomware. “Anyone who claims that buying their single product or service will result in complete protection is at best lying to you and at worst giving you a false sense of security, which may lead to greater impact when your company is attacked,” says Interstates’ Raveling. With the proper procedures, recovering from a ransomware attack should be no different than recovering from any other wide-scale disaster.
Determine and document your company’s requirements for data record retention, employ a comprehensive backup solution with, if possible, multiple backup locations, adds Raveling. Work with the process engineers to determine if or how lines can run in isolation and for how long they could run in that state. It’s also important to test these plans regularly to ensure backups work, technology functions as planned, and that personnel know their roles and can execute their tasks when required.
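Raveling's and Pike's advice here (keep multiple backup locations, restore and verify backups regularly) and the earlier warning that sleeper ransomware can sit inside backups come down to one question: can you tell whether a backup set still holds what it held when it was taken? The following added example, which is not code from the article or from any product named in it, shows one way to check during a restore test: a manifest of SHA-256 hashes and byte entropy recorded at backup time (assumed to be stored where a compromised host cannot rewrite it) is compared against the restored set, and modified files whose entropy has jumped to ciphertext-like levels are flagged separately from ordinary edits. All file contents are constructed in memory.

```python
# Added example (not from the article): verify a restored backup against an
# offline manifest and flag files that now look encrypted.
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
ENTROPY_JUMP = 1.0   # a rise this large on a previously plain file is the signal


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_manifest(files):
    """Record SHA-256 and entropy for each file at backup time. The manifest
    must live offline or on write-once storage (assumption of this example)."""
    return {name: (hashlib.sha256(blob).hexdigest(), shannon_entropy(blob))
            for name, blob in files.items()}


def verify_backup(files, manifest):
    """Compare a backup set with its manifest. Returns sorted lists of missing,
    unexpected and modified files, plus 'suspicious': modified files whose
    entropy jumped from plain to ciphertext-like."""
    findings = {"missing": [], "unexpected": [], "modified": [], "suspicious": []}
    for name, (digest, old_entropy) in manifest.items():
        if name not in files:
            findings["missing"].append(name)
            continue
        blob = files[name]
        if hashlib.sha256(blob).hexdigest() == digest:
            continue                      # byte-identical to the manifest entry
        findings["modified"].append(name)
        new_entropy = shannon_entropy(blob)
        if new_entropy >= HIGH_ENTROPY and new_entropy - old_entropy >= ENTROPY_JUMP:
            findings["suspicious"].append(name)
    findings["unexpected"] = [name for name in files if name not in manifest]
    return {key: sorted(names) for key, names in findings.items()}


# Constructed file contents (no real backup is read).
RECIPE = b"batch 42: mix 10 kg sugar, 2 kg citric acid, hold 72 C for 15 min\n" * 40
FLAT = bytes(range(256))                                        # entropy exactly 8.0
CIPHERTEXT_LIKE = bytes((i * 37) % 256 for i in range(4096))    # stands in for encrypted output

AT_BACKUP_TIME = {
    "recipe.txt": RECIPE,
    "line1_program.bin": b"\x00\x01" * 2048,
    "labels.zip": FLAT * 8,              # already-compressed file: high entropy by nature
    "README.txt": b"line 1 batching notes\n",
}
MANIFEST = make_manifest(AT_BACKUP_TIME)

# The same set as found during a later restore test.
AT_RESTORE_TEST = {
    "recipe.txt": CIPHERTEXT_LIKE,       # plain text replaced by ciphertext-like bytes
    "line1_program.bin": b"\x00\x01" * 2048,
    "labels.zip": FLAT[::-1] * 8,        # legitimately re-zipped: changed, still near 8.0
    "note.txt": b"unexpected new file\n",
}

if __name__ == "__main__":
    for category, names in verify_backup(AT_RESTORE_TEST, MANIFEST).items():
        print(f"{category:10s} {names}")
```

Compressed or already-encrypted files sit near 8 bits per byte before any attack, which is why the check looks for a jump from the recorded value rather than a high value alone; a re-zipped label file shows up as modified but not suspicious. Run it on the restored copy as part of the regular restore test, not against the live share.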
Work as a team and get more accomplished
Don’t forget the human connections, advises elliTek’s Ellis. “The most effective smart factory integrations I have seen occur within organizations in which the IT professionals and OT engineers have mutual respect for the individual skillsets, associated needs, and top priorities needed on each side. My advice would be to focus on creating a positive working culture between these two departments. At every customer experience I have enjoyed, those where IT and Engineering were both welcomed to the meeting were also those that had some of the most impressive, efficient, and secure MES-based M2M deployments. Of course, they also attributed that to their use of our MES appliances!” says Ellis.
For those earnestly thinking about setting up a cybersecurity program, Ellis has a few recommendations to get started. “What I often encourage our clients to do is simply begin with a risk analysis. By asking yourself a few basic questions you can begin to form a reasonable plan for cybersecurity.”
For example, Ellis continues, the easiest question is: Do you have data that is extremely critical, and where is it being stored? Next, is that data being backed up and how often? How are the backups managed? Are they being kept on the same server that contains the critical data, and can these backups be affected just as the working data should a cyber-attack occur?
For many, placing critical data onto a cloud-based server provides an effective means of backup separation and protection; however, you should investigate items such as who owns and has access to the cloud. What are the ramifications if this data (whether locally hosted or cloud-based) is exposed? Are you in danger of violating your own (or others’) proprietary information such as trade secrets, confidential information, or even HIPAA agreements?
By working together with your IT and OT experts and an integration partner, an effective risk assessment and prevention plan can be created that meets all of a manufacturer’s needs, says Ellis.
For more information:
Belden, www.belden.com
CRB, www.crbusa.com
Cyemptive, www.cyemptive.com
elliTek, Inc., www.ellitek.com, www.iiota.com
Interstates, www.interstates.com
Rockwell Automation, www.ra.rockwell.com
Tenable, www.tenable.com
Useful cybersecurity links:
“How to Protect Your Networks from Ransomware,” U.S. Government Interagency download, 25 AUG 2020*
“Guide to Industrial Control Systems (ICS) Security,” NIST Special Publication 800-82 (Rev.2); Stouffer, Pillitteri, Lightman, Abrams, North; NIST; 3 SEP 2020.
“Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing,” University of Minnesota, Food Protection and Defense Institute: White Paper, September, 2019
“NIST Cybersecurity Framework (Documents), Version 1.1;” NIST, April 2018
“IEC 62443: Industrial Network and System Security,” Tom Phinney, Honeywell Integrated Security Technology Lab, ISA Presentation, 3 SEP 2020*
“CISA Releases Securing Industrial Control Systems: A Unified Initiative;” CISA, 17 AUG 2020*
“Industrial Control Systems: ICS CERT Advisories;” ICS-CERT, 17 AUG 2020*
“NSA and FBI Expose Russian Previously Undisclosed Malware Drovorub in Cybersecurity Advisory;” FBI, 13 AUG 2020
Drovorub Fact Sheet & FAQs; NSA, 17 AUG 2020*
Gibson Research, Search for open RDP (TCP 3389) port; GRC, 18 AUG 2020*
Note: *Date link was recorded