OT systems are an established target for ransomware, as are the critical devices within them. The public and private sectors must take a more holistic approach to protecting this layer.
The large number of high-profile incidents in 2021 should remove any doubt that malicious actors are targeting industrial control systems (ICS) with ransomware.
Attacks on these systems have originated at the data-heavy enterprise/IT level as well as the control rooms at the core of operations. With global conflict raising threat levels in governments and industries around the world in 2022, the threat likely has been elevated.
Unfortunately, we are still playing catch-up when it comes to providing sufficient security controls within ICS. The most critical existing gap is at the device level: the actuators, sensors, safety equipment and electronic control units (ECUs) that keep our power grids online, our telecommunications networks fast and secure, and our manufacturing plants operating in a safe state.
The lack of on-device ransomware protection can result in a single-device compromise — or multiple device lockouts via lateral spread across a network. While we haven’t yet seen credible evidence of such attacks in the field, it is clear the combination of increased activity and a lingering security gap puts us at an inflection point. Embedded devices need more ransomware protection — right now. Yet it will require significant time and investment to bring sufficient security to this level — far more time than it takes to develop and deploy ransomware that will be effective at this level.
Directives such as last year’s Executive Order, issued in the wake of multiple high-profile attacks, help to raise awareness around ICS ransomware threats. But no directive or security standard I have reviewed goes far enough. Ransomware and ICS, firmware and embedded device security are frequently discussed. But so far, government and industry leaders have yet to pull these pieces together into effective guidance or plans of action.
We may still have time before an attacker compromises an essential system by bringing ransomware a step lower into ICS technology and down to the device level. These three facts should provide the incentive to improve protection before attackers make the case for us:
Fact 1: Firmware insecurity is a serious concern, particularly for embedded devices
It has taken the better part of two decades to bring robust security controls to devices and networks at the enterprise and control room levels. We have yet to extend similar controls down to embedded devices that work directly in ICS physical processes.
The firmware of many of these devices is a particular concern. Firmware consists of the programs and data that engage directly with device hardware; it is vital to device functionality, yet it often lacks robust protections.
Fact 2: Embedded devices are a legitimate ransomware target
Because embedded devices generally contain limited data, a ransomware attack may seem counterintuitive. But there is evidence that attackers have targeted firmware itself for ransomware loads, and also used firmware as a means to spread ransomware to other sensitive systems.
Many critical ICS devices are for sale on the open market, usually with four-figure price tags. And while it requires advanced skills to reverse engineer them to uncover exploitable vulnerabilities, malicious actors have demonstrated that they have the time and resources to do just that, especially when payouts from ransomware attacks on ICS have reached eight figures.
Fact 3: Established protections will not prevent on-device ransomware
Most embedded devices sit behind perimeter defenses and access controls, which has led to some complacency around providing them with host-based protections. But these devices function and interact with users very differently from conventional endpoints.
Unlike with an attack on a single PC, ransomware will not activate on an embedded device because someone clicks on a malicious link or downloads a ransomware payload. Embedded device compromise likely will be the result of an attack that takes a wide-scale approach to the enterprise by targeting servers and policy systems — which can allow attackers to send malicious commands directly to endpoints without any human interaction.
In the likeliest scenario, these commands will originate in compromised engineering workstations or through vendor monitoring/update channels, then spread directly, device to device, much as worms did back in the ’90s and 2000s.
Firewalls, role-based access control and other protections are ineffectual if ransomware is spreading over authorized communication paths and protocols. They also can’t prevent east/west ransomware spread once a device is compromised, since this activity will occur inside the protected perimeter.
To raise security standards, we must highlight the ransomware threat to embedded devices
I worry that a year from now we will be in the same position, or worse yet, scrambling to upgrade on-device security in response to ransomware attacks that hold our critical infrastructure hostage or leave it severely damaged. To avoid that, we need to take the following steps:
- Recognize the elevated threat to embedded devices. In the current global unrest, threat actors are being encouraged to find exploitable weaknesses in essential infrastructure. Embedded devices are often mission-critical, and therefore legitimate targets for ransomware and other cyberattacks.
- Invest more in firmware engineering and security. Many industries are still reluctant to make a deep investment in securing firmware, despite the potential severity of attacks that reach this level. ICS operators must request and budget for more security, and manufacturers must bring more native protections to their products.
- Ensure supply chains have sufficient replacement devices on hand. Device replacement could easily be the only option for restoring operations after a ransomware attack at this level. Currently, it is unlikely supply chains could produce sufficient replacements in the event that many devices failed in one attack.
- Back up device configurations. Not all ransomware attacks will result in total loss of a device. End users should make sure all device backups are current and accessible.
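As an added example (not from the article or from Red Balloon Security), the last step above can be turned into a routine check: every inventoried device must have a configuration backup that is recent and whose bytes still match the digest recorded when it was captured, so that a missing, stale or silently altered backup surfaces before a restore is needed. Device names, configuration contents and the seven-day freshness threshold are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample data: hypothetical device names and config blobs.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)  # assumed freshness threshold for a backup


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Inventory: every device that must have a restorable configuration backup.
INVENTORY = ["plc-line1", "rtu-sub7", "safety-ctrl-a", "hmi-gw2"]

# Backup store: captured bytes, capture time, and the digest recorded at
# capture time (the manifest), which exposes later alteration or truncation.
CFG_PLC = b"plc-line1 cfg rev 12"
CFG_RTU = b"rtu-sub7 cfg rev 4"
CFG_SAFETY = b"safety-ctrl-a cfg rev 9"
BACKUPS = {
    "plc-line1": {"taken": NOW - timedelta(days=2), "data": CFG_PLC, "manifest": sha256_hex(CFG_PLC)},
    "rtu-sub7": {"taken": NOW - timedelta(days=30), "data": CFG_RTU, "manifest": sha256_hex(CFG_RTU)},
    # stored bytes were truncated after capture, so they no longer match the manifest
    "safety-ctrl-a": {"taken": NOW - timedelta(days=1), "data": CFG_SAFETY[:-3], "manifest": sha256_hex(CFG_SAFETY)},
    # hmi-gw2 has no backup at all
}


def check_backups(inventory, backups, now=NOW, max_age=MAX_AGE) -> dict:
    """Return {device: status}; status is 'ok', 'missing', 'corrupt' or 'stale'."""
    report = {}
    for dev in inventory:
        b = backups.get(dev)
        if b is None:
            report[dev] = "missing"  # nothing to restore from
        elif sha256_hex(b["data"]) != b["manifest"]:
            report[dev] = "corrupt"  # bytes differ from the digest recorded at capture
        elif now - b["taken"] > max_age:
            report[dev] = "stale"  # restorable, but may lag the running configuration
        else:
            report[dev] = "ok"
    return report


def needs_action(report) -> list:
    """Devices whose backup would not support a clean restore, worst first."""
    order = {"missing": 0, "corrupt": 1, "stale": 2}
    return sorted((d for d, s in report.items() if s != "ok"), key=lambda d: (order[report[d]], d))


if __name__ == "__main__":
    rep = check_backups(INVENTORY, BACKUPS)
    for dev in INVENTORY:
        print(f"{dev:15} {rep[dev]}")
    print("action needed:", needs_action(rep))
```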
Dr. Ang Cui is the Founder and CEO of Red Balloon Security, a leading cybersecurity provider and research firm that specializes in the protection of embedded devices across all industries. In addition to publishing innovative research, he frequently provides commentary and thought leadership on the most pressing challenges in cybersecurity today. Dr. Cui earned a Ph.D. in computer science from Columbia University, where he worked extensively in the Intrusion Detection Systems Lab.