Stuxnet taught us that well-resourced nation-states could sabotage critical industrial control systems (ICSs) to do their bidding. But that attack required internal access and an infected USB stick to launch the targeted malware and, ultimately, interrupt uranium enrichment in an Iranian nuclear facility.
Nowadays, all it takes is remotely deployed ransomware like Scythe to get into our utilities. Scythe disrupts the firmware on a programmable logic control (PLC) through a firmware bypass vulnerability and can even masquerade as firmware updates to take over the firmware installation process. Easier still, users in the business operations or system operators simply click on a link and allow ransomware in the door.
Risk to Human Safety
Either way, it's a scary scenario with potential for damaging impact on humans and the environment. And those scenarios are already playing out.
Ransomware is targeting critical municipal services, such as water or power, shutting down production systems, and even impacting entire municipalities as in the case of Johannesburg in July. In these cases, paying the ransom, even at hundreds of thousands of dollars, is a tiny fraction of the cost compared to not paying the ransom (measured in lost business and expensive, often unsuccessful attempts at restoring systems).
For example, in late August, a ransomware attack on the Texas PUC impacted 23 agencies and involved multiple Texas law enforcement and IT agencies in the (so far) $12 million response to the attack. Although nobody was denied critical services in that case, it's significant in the scope and spread of the attack through the various connected agencies.
Big One Still to Come
"It is either pure luck or a conscious choice by attackers that U.S. utilities haven't been severely damaged by compromise, yet. It's not because other countries are less secure. We use the same devices in the U.S. grid as they do — the same technologies, infrastructure and architecture," says Barak Perelman, CEO of Indegy. "This means we need to beef up our cyber defenses for utility operations before the worst happens and we are targeted."
Perelman gives the industry about five years to buttress their ICS environments before big disasters befall society. We may actually have less time. For example, real attacks on critical OT/ICS systems from nation-states jumped 27 percent in 2019 (from 0 percent in 2017), based on our SANS 2019 survey on OT/ICS security.
Perelman suggests proper backups, layered security and continuous user education to improve security around and in these systems. As a resource, he points to Indegy's OT Security Checklist.
Meanwhile, PLC and system control manufacturers are trying to update their own systems for more embedded security to meet customer demand. Progressive vendors like Mocana are working with these manufacturers on tamper-proofing their devices at the firmware layer.
This level of security should prevent firmware-layer attacks like Scythe from executing and hopefully reduce complexity and associated costs with layering on more and more security. Whether or not utility companies are willing to upgrade their equipment ahead of their normal replacement cycles, however, is another question.
"Utility leaders need to look at risks from a cost perspective and make decisions around whether or not to swap out their hardware," says Hope Frank, CMO of Mocana. "Consider the cost of downtime, safety, reliability and operational risk against contained solutions that are managed and updated by the equipment manufacturer."
Utilities also need a plan of action to follow, should they get hit with ransomware. A good resource is the Public Power Cyber Incident Response Playbook released by the State of Texas after the August ransomware attack on the state's agencies. This free resource outlines how to develop an incident response plan, industry partners to reach out to, and how to get state and federal assistance when an incident causes an outage.