May 12, 2021 | Sam Galpin
Ransomware and related forms of extortion have become a big business on the dark web. The malware is bought and sold, and the infrastructure and expertise to maximize and process the payments are all for sale as services. The potential to hold a company's primary revenue stream hostage makes a control system an attractive target. The attack may not even need to reach the control system. Colonial Pipeline may have shut down to minimize risk in the presence of uncertainty, or simply because the required operational information from the IT networks and databases was not available. In an ideal world with state-of-the-art defenses, the attack would be detected and defeated before it could inflict any damage. In the real world, the first indication of compromise is likely to be the ransom note. Surviving ransomware is about what happens next.
If, like many, you have not thought about this, you need to. The delivery of the ransom note calls for immediate activation of the cyber incident team and response plan. The team and plan are the foundation of defense in depth. President Eisenhower captured the underlying reality well: "In preparing for battle, I have always found that plans are useless, but planning is indispensable." Notoriously, battle plans do not survive first contact with the enemy. What is important is the knowledge developed during the planning process. This is not a trivial intellectual effort, and it is not something to improvise under the pressure and chaos of an unfolding cyberattack. A tabletop exercise including both IT and OT personnel is a reasonable starting point. Some of the obvious questions to ask are examined briefly below.
Let us start by assuming that the attacker has disabled all the Windows workstations on the control network. Under these conditions it is probable that PLCs and other controllers are still running. This is, of course, uncertain. The HMI screens are displaying ransom notes. The operators are blind.
The most urgent question is: what is the process state? Do we have a safety problem? Is there any urgent action we need to take? How do we know? How do we do it? Is it possible to continue operations without the HMI, perhaps with local displays and controls located at the process equipment? These are not simple questions. They can only be answered by the engineers and operators who know the plant and equipment intimately. They will need time to work through options and contingencies, and perhaps run some tests. Obviously, the major OT team objective is to minimize the process and production recovery effort and maintain safety while the IT team struggles with the computer and network issues.
The IT team has three primary missions. The first is to contain the extent of the problem. Are there network connections that should be broken or equipment that should be shut down? What actions need to be taken to protect forensic evidence? The second is to support the OT recovery efforts. Are there adequate backups? Have the recovery procedures been tested? What will be required to safely recover minimal HMI? How long will it take? The third is to clean up the malware and take actions to prevent reinfection. How will you know you have succeeded?
None of these tasks is easy. That is what makes ransomware a good business for the attackers. The value proposition the attackers offer is simple: You are in a world of hurt. We know exactly why and how to fix it. Pay us, and we will tell you exactly what to do to recover. Nobody wants to pay a ransom, but in the absence of an alternative plan the pressure to pay will be very high. Defined, known costs win over unbounded uncertainty.
IT/OT convergence and the emergence of IoT and IIoT have radically changed the landscape of both control systems and industrial cyber security. What makes the industrial space different is that the systems interact directly with the physical world. The physics of processes have not changed. The convergence is not just about networks and protocols; it also includes safety and the constraints imposed by process physics. Cybersecurity is a journey. Incident response in this context is not a computer science exercise. It requires participation from all the operations disciplines. The benefits of the effort go beyond the plan. It builds the multidisciplinary understanding needed to thrive in a converged digital world.