The discovery of new forms of ransomware, specially designed to attack operational networks, marks a new development in the field of industrial cyberattacks. By directly targeting production lines, this malware is changing the digital security perimeter of industrial groups by striking at their very heart. What if destabilising production lines was the cyberattackers’ new objective?
The news arrived in a tweet. On 6 January 2020, the researcher Vitali Kremez, from the Malware Hunter Team group, announced the discovery of Snake (or Ekans), a ransomware program able to take down industrial networks and paralyse production lines.
2020-01-06: 🆕🔒#Golang #Ransomware "#EKANS" aka "#SNAKE"🐍
🎯Targeted Ransomware|"We breached your corporate network..."
h/t @malwrhunterteam cc @demonslay335 @BleepinComputer pic.twitter.com/mnf4fhYlD4
— Vitali Kremez (@VK_Intel) January 6, 2020
This news caused quite a stir in the cyber community. However, Snake is not the first ransomware program to target OT networks. Back in 2019, the LockerGoga ransomware program caused major disruption, particularly for the Norwegian aluminium producer Norsk Hydro – jeopardising their operational activities and causing serious financial losses. So why all the fuss about Snake then? This is chiefly because this ransomware program is believed to be able to attack even more services used only within industrial networks. With the number of cyberattacks and their complexity increasing, should we now expect industrial production to become a prime target for cyberattackers? After Industroyer, does the advent of Snake mark a new development in the field of cybersecurity for industrial systems?
Manufacturing and the industrial environment
Manufacturing is a sensitive sector with a number of specific characteristics, which are all potential vulnerabilities. The first challenge concerns the life expectancy of equipment, which is designed for an average of twenty years’ use. On most industrial sites, “you’ll find a combination of infrastructure of differing ages, with recent and not so recent network architectures and operating systems, which don’t all feature advanced security standards as upgrades are expensive”, stresses Vincent Riondet, Manager of the Cybersecurity Services and Projects teams at Schneider Electric France. This is the case for example with IT workstations dedicated to the command and control of machines: they often run very old versions of the Windows operating system, which were usually not connected to the Internet. “Many legacy plant control systems may be running outdated operating systems that cannot easily be swapped out or a custom configuration that isn’t compatible with IT’s standard security packages”, adds the researcher Nisarg Desai in a blog article.
Another challenge is the lack of uniformity between the suppliers of equipment, control software and components. Not all of them meet the same requirements, standards or conditions concerning creation, control and other factors. A single vulnerability or a single back door can then bring down the entire production line. As these production lines are often complex, involving stakeholders who do not communicate with one another, they can be particularly vulnerable to outside attacks. And to further complicate matters, some maintenance operations can be performed by off-site operators using USB-based media to update or configure the equipment. Here too, this type of work can provide a channel for cyberattacks, as in most cases the servers are not protected.
Finally, much like the rest of the industrial environment, the production chain, which was long considered as an isolated system, is increasingly less so. The very term IT-OT convergence implies the connection of OT networks, one of the main infection routes. As a result of this connectivity, the production chain is now faced with new cyber risks, already very familiar to the IT world.
From the supply chain to networks, the extent to which manufacturing is exposed to the risk of cyber threats has grown considerably over recent years. And with it, the scope for potentially devastating effects. As an example, the Danish manufacturer Demant, which produces hearing aids, was the victim of a blockage of its assembly lines in September 2019. The estimated cost of the ransomware? More than 95 million dollars. Most of these losses stem from lost contracts and the firm’s inability to honour its orders, explained the company.
It’s easy to imagine that a targeted attack against vulnerable operating systems for example, would make it possible to compromise the command and control systems of several companies in the food industry or the pharmaceutical sector, leading to the production of defective products. This would pose a major risk for these companies, which are required to guarantee the complete traceability of their products as part of their quality control systems. There is also a major risk of industrial espionage via targeted attacks. Finally, we should not ignore the fact that certain cyberattacks against production lines could endanger the physical well-being of the operators themselves and also result in serious environmental incidents.
To fully understand the attraction of the manufacturing sector for cyberattackers, we must consider the business model of these industrial companies. Because apart from guaranteed media coverage in the event of sustained disruption, the cyberattackers are above all motivated by the desire for financial gain. Indeed, stopped production lines entail clear losses for businesses, a factor which may make these industrial companies more disposed to pay ransoms promptly. Though with no guarantee of recovering anything.
Industry 4.0: extending the scope of the attack
We wrote about it back in 2018. At a time when the industry of the future is emerging, the development of the Industrial Internet of Things (IIoT), the digitisation of factories and artificial intelligence technology are making OT networks ever more connected and communicative, particularly with regard to IT networks. But this ultra-connection exposes them even more to the threats. “Especially as OT networks often have no network barrier or endpoint barrier”, adds Vincent Riondet. The many different components of OT are therefore all possible entry points, in particular because the convergence between IT and OT is still largely a delicate one or even inoperative in certain cases.
“With industry 4.0, the number of access points has increased in response to a requirement for interconnection, which has been undertaken with no real thought given to security-by-design”, explains Vincent Riondet. The arrival of the industrial IoT and automatic order integration or the arrival of augmented and virtual reality have opened up new vulnerabilities. In May 2017, in collaboration with the Polytechnic University of Milan, another stakeholder in the cybersecurity sector demonstrated that it was possible to take total control of a robot and to install malware on it capable of “reprogramming” it.
Guaranteeing the integrity of the OT sector
How are companies in the sector facing up to these new threats, which mark a new development in the industrial cybersecurity world? For the moment, efforts to guarantee the cybersecurity of the manufacturing perimeter are not uniform in nature. “Improving the security of the OT sector firstly means securing the operating systems of network equipment more effectively”, explains Vincent Riondet. But at the same time, one of the major challenges where manufacturing infrastructure security is concerned is to fully control network communications.
Encrypting all communications between the machines is therefore an additional step toward greater security. “In addition to appropriate network segmentation, it’s possible to focus on securing data flows by guaranteeing the privacy and integrity of the data”, adds Vincent Seruch, ICS Security Team Leader at Airbus CyberSecurity. “This means mapping all communications on the IT networks and encrypting them using cryptographic methods. But this must also be achieved while taking account of the need to inspect the data flows”. Remote maintenance is another opportunity. The performance of remote updates makes it possible on the one hand to do away with potentially dangerous USB-based media and secondly to limit the risk of errors inherent to excessively frequent changes of operators. The result is greater efficiency where updates are concerned, on condition that access to this remote maintenance is also secured.
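The segmentation and flow-mapping step described above can be made concrete with a small audit script. The following is an added example written for this article, not code from Schneider Electric, Airbus CyberSecurity or any vendor mentioned here. It assumes connection records already parsed from a firewall or NetFlow export into a simple space-separated line format (constructed for this example), hypothetical zone prefixes and a hypothetical conduit table in the IEC 62443 zone/conduit style; the protocol-to-port mapping uses the standard registered ports (Modbus/TCP 502, EtherNet/IP 44818, S7comm 102, DNP3 20000, telnet 23). It goes slightly beyond the text by doing two things at once: flagging any cross-zone flow that is not covered by a permitted conduit, and inventorying cleartext industrial protocols so that the encrypt-versus-inspect trade-off the quote raises can be planned per protocol.

```python
"""Zone/conduit flow audit over constructed connection records (added example)."""
import ipaddress
from collections import Counter

# Hypothetical zones: names and prefixes are assumptions for this example.
ZONES = {
    "IT_corporate": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT_supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "OT_cell": ipaddress.ip_network("192.168.20.0/24"),
}

# Hypothetical conduit table: (source zone, destination zone, destination port)
# tuples that the site's segmentation policy explicitly permits.
ALLOWED_CONDUITS = {
    ("IT_corporate", "DMZ", 443),
    ("DMZ", "OT_supervisory", 443),
    ("OT_supervisory", "OT_cell", 502),
    ("OT_supervisory", "OT_cell", 44818),
}

# Cleartext protocols commonly found on plant networks, keyed by registered port.
CLEARTEXT_PORTS = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP",
    102: "S7comm",
    20000: "DNP3",
    23: "telnet",
}

# Constructed sample export: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_LOG = """\
2020-02-10T08:00:01Z 10.1.5.20 10.2.0.10 443 tcp
2020-02-10T08:00:02Z 10.2.0.10 192.168.10.5 443 tcp
2020-02-10T08:00:03Z 192.168.10.5 192.168.20.7 502 tcp
2020-02-10T08:00:04Z 10.1.5.20 192.168.20.7 445 tcp
2020-02-10T08:00:05Z 10.1.7.33 192.168.10.5 3389 tcp
2020-02-10T08:00:06Z 192.168.20.7 192.168.20.8 502 tcp
"""


def parse_flows(text):
    """Parse the constructed line format into (src, dst, port, proto) tuples.
    Malformed or blank lines are skipped rather than aborting the audit."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, src, dst, port, proto = fields
        try:
            flows.append((src, dst, int(port), proto))
        except ValueError:
            continue
    return flows


def zone_of(ip):
    """Map an address to its zone name; anything outside the table is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def audit_flows(flows):
    """Return one finding per cross-zone flow not covered by a permitted conduit.
    Intra-zone traffic is out of scope for a conduit check and is skipped;
    flows from an 'unknown' zone into any named zone are always reported."""
    findings = []
    for src, dst, port, proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, port) not in ALLOWED_CONDUITS:
            findings.append({
                "src": src, "dst": dst, "port": port, "proto": proto,
                "from": src_zone, "to": dst_zone,
                "issue": "cross-zone flow outside any permitted conduit",
            })
    return findings


def cleartext_inventory(flows):
    """Count flows per cleartext industrial protocol, to scope encryption work."""
    counts = Counter()
    for _src, _dst, port, _proto in flows:
        if port in CLEARTEXT_PORTS:
            counts[CLEARTEXT_PORTS[port]] += 1
    return dict(counts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for finding in audit_flows(flows):
        print(f"{finding['from']} -> {finding['to']} {finding['src']}:{finding['port']} "
              f"-> {finding['dst']}: {finding['issue']}")
    print("cleartext protocols in use:", cleartext_inventory(flows))
```

On the constructed sample, the two corporate workstations reaching straight into the supervisory and cell zones (SMB on 445 and RDP on 3389) are reported, while the three hops that follow the permitted IT to DMZ to supervisory to cell path are not; the inventory shows that Modbus/TCP is the one cleartext protocol on the wire, which is where an encrypting tunnel or an inspecting gateway would need to be placed first. Feeding a real export only requires replacing `parse_flows` with the parser for that export's format.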
The Covid-19 health crisis today raises the question of industrial sovereignty and the relocation of certain factories in strategic sectors back to Europe. The implementation of such a plan could then serve as a life-size test, in as far as this “industrial de-globalisation” would be accompanied by increased automation. The OT sector would be increasingly exposed. It’s a fair bet that between now and then, industrial cybersecurity will have assumed a greater profile.