Industrial control system, the next hot target of


The next hot target of ransomware: the storm of APT attacks on industrial control systems

The SolarWinds supply chain attack is sweeping the world, and it also sounds an alarm for the security of industrial control systems. Like NotPetya and Havex, which once affected industrial control systems, the Sunburst and Supernova malware (backdoors) in the fast-moving SolarWinds supply chain attack have once again proved to the world that current firewalls, anti-virus systems and intrusion detection systems can do nothing about such attacks. As OT networks and enterprise networks converge, the huge power of supply chain vulnerabilities like SolarWinds has aroused great interest among ransomware groups. If attackers can kill or even control the key processes of an industrial control system's OT network, the bargaining chip for ransom may no longer be decrypting data, but paying to avert disaster, or even trading money for lives.

According to the assessment report on ransomware attacks against industrial control systems released by Dragos and X-Force this week, ransomware attacks against industrial entities have increased by more than 500% in the past two years (see the figure below).

Figure: the proportion of ransomware in cyberattacks related to industrial control systems. Data source: Dragos

It is worth noting that, as with other types of cybercrime, the rapid growth of ransomware incidents against industrial control systems seems to be synchronized with the global novel coronavirus pandemic. The researchers pointed out that ransomware attackers exploited users' concern for health and safety, using coronavirus-themed phishing lures to gain initial access.

North America accounts for half of the total

In the following years, the geographical distribution of ransomware attacks against industrial control systems:

It can be seen that North America is the region hardest hit by industrial control ransomware, accounting for nearly half of the total, while Europe (31%) and Asia (18%) rank second and third.

Industrial ransomware in the manufacturing industry tripled

In terms of industry distribution, manufacturing is the fastest growing area for industrial ransomware, and the number of attacks tripled from 2018 to 2020. In the past two years, manufacturing has also been the industry most frequently hit by ransomware, accounting for 36% of the attacks.

In some cases, the attackers' key targets are refrigeration facilities and biomedical and pharmaceutical manufacturers that are researching and developing virus vaccines and distribution methods, which may undermine the research, development and distribution of important drugs.

The three giants of industrial control ransomware

From 2018 to 2020, Dragos and X-Force recorded 194 ransomware attacks against industrial control systems (including managed service providers and telecommunications companies that provide OT infrastructure and environments to industrial control systems). There are nine most rampant families of industrial control system ransomware, among which REvil (Sodinokibi, 17%), Ryuk (14%) and Maze (13%) ranked in the top three (figure below).

In addition, according to FireEye's report this summer, seven ransomware families have been found to have started targeting operational technology (OT) software processes, and dozens of industrial control system software processes have been included in the lists of processes that ransomware kills.

Threat trends of industrial control ransomware

The analysis also found that ransomware will become one of the main threats to industrial control systems in the future. More and more ransomware groups are beginning to incorporate data theft and extortion into their attack techniques. Compared with operations that damage intellectual property and other key data, ransomware may bring greater impact and losses.

New ransomware like EKANS, which can kill the processes of key industrial control systems, may become the basis and mainstream of future industrial control system attacks.

In addition, the report also predicts that some nation-state hackers will use ransomware as a cover and disguise. (Editor: for example, the Iranian Pay2Key organization's recent action against Israel.)

According to the report, 12 The data leaked by the overload emergency stop device may also provide victim data to industrial control system attackers, which can guide future destructive ICS attacks.

Mitigation suggestions

To fight ransomware in the ICS environment, the researchers suggest that asset owners and operators adopt effective defense-in-depth security strategies, focusing on the following:

Ensure that network interdependencies are understood, and conduct analysis to identify potential weaknesses and vulnerabilities that may damage business continuity and production.

Ensure that MFA (multi-factor authentication) is enabled wherever possible in all IT environments, especially for security equipment, key network services (such as Active Directory) and hosts, and for O&M and third-party supplier personnel.

Ensure the effectiveness of daily backup and maintenance of enterprise and operational network system data through disaster recovery simulation tests. Offline backup is the safest choice. However, if that cannot be achieved for cost reasons, network access to the backup data must be restricted to read-only, with no write permission. Testing the backup storage rebuild plan is also extremely important.

Formulate an incident response plan for industrial control system ransomware, and stress-test the plan by means of cyber ranges and similar exercises.

Establish a business "air raid shelter": when the enterprise has been completely overrun by ransomware and attack mitigation is in progress, some business functions can still operate temporarily in the shelter without interruption.

Use industrial threat detection mechanisms to identify malware in OT systems, and strengthen defense-in-depth measures at the network level. This capacity has greatly enhanced the investigative ability of defenders and analysts.
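
One way to turn the process-killing behavior described above (ransomware that stops lists of ICS software processes) into a detection rule, as an added example that is not from the Dragos, X-Force or FireEye reports. The watchlist process names, host names, event format, window and threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical watchlist: substitute the HMI, historian, OPC and licensing
# process names that actually run on your OT hosts.
WATCHLIST = {"hmi_runtime.exe", "historian_svc.exe", "opc_server.exe", "license_mgr.exe"}
WINDOW = timedelta(seconds=60)  # assumed burst window
THRESHOLD = 3                   # distinct watched processes stopped by one image

# Constructed telemetry, one event per line:
# timestamp host terminating_image terminated_image
SAMPLE_EVENTS = """\
2020-12-01T08:00:00 ews-02 services.exe hmi_runtime.exe
2020-12-01T02:14:05 ews-01 unknown.exe historian_svc.exe
2020-12-01T02:14:06 ews-01 unknown.exe opc_server.exe
2020-12-01T02:14:06 ews-01 unknown.exe notepad.exe
2020-12-01T02:14:09 ews-01 unknown.exe hmi_runtime.exe
2020-12-01T03:00:00 ews-03 updater.exe opc_server.exe
2020-12-01T03:10:00 ews-03 updater.exe license_mgr.exe
2020-12-01T03:30:00 ews-03 updater.exe hmi_runtime.exe
"""

def parse_event(line):
    ts, host, killer, target = line.split()
    return datetime.fromisoformat(ts), host, killer.lower(), target.lower()

def detect_kill_bursts(log_text, watchlist=WATCHLIST, window=WINDOW, threshold=THRESHOLD):
    """Alert once per (host, image) that stops >= threshold distinct watched
    processes within `window`; single restarts and slow maintenance stay quiet."""
    recent = defaultdict(deque)  # (host, killer) -> deque of (ts, target)
    alerted, alerts = set(), []
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    for ts, host, killer, target in events:
        if target not in watchlist:
            continue
        key = (host, killer)
        q = recent[key]
        q.append((ts, target))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = sorted({t for _, t in q})
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "image": killer, "stopped": distinct,
                           "window_start": q[0][0].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct watched processes per terminating image, rather than raw termination volume, keeps a service that restarts one HMI repeatedly from raising the alert.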

Copyright © 2011 JIN SHI