New IIoT ransomware exposes industry hardware vulnerabilities

07-06-2022 | By Robin Mitchell

Cyberattacks have come in many shapes and forms, whether it is to damage equipment, steal information, or hold users to ransom. Now, researchers have demonstrated a new potential IIoT attack that goes beyond denial of service or data theft and attacks the very heart of an industrial process. What are ransomware attacks, what have researchers demonstrated, and how does this threaten future industrial processes?


What are ransomware attacks?


A ransomware attack is one in which an attacker gains control over a system and holds it to ransom against the system’s owners. For example, an attacker can encrypt all files essential to a company’s operation (such as financial records and intellectual property) and demand payment for the key needed to decrypt them. This threat can be made more severe by adding a timer that deletes the key if no payment has been made by a deadline. If a strong encryption algorithm is used, then the destruction of the key is as good as wiping all the encrypted data.

Another example of a ransomware attack is an attacker gaining control over an industrial site and outright disabling all equipment. Simply rebooting hardware may not allow plant operators to regain control over their equipment if the wider network spans far beyond the plant (i.e., remote networks and other industrial sites). Because industrial operations are so expensive, an attacker only needs to sit and wait until the ransom being demanded is lower than the money being lost to disrupted operations.

The ability to launch ransomware attacks is being accelerated by multiple factors, including increased internet connectivity of devices, the introduction of digital currencies that allow for account anonymity, and the slow response of the engineering community to security needs.


Researchers demonstrate a new ransomware attack against industrial equipment


While ransomware attacks against consumer devices frequently see news coverage, those against commercial and industrial systems often go unnoticed, yet they are often far more profitable and more damaging to an economy. Protecting against such attacks can be a monumental challenge, considering that such environments can have thousands of network-connected devices from dozens of different manufacturers. It only takes one of these devices to have a vulnerability that provides an attacker with an entry point from which an attack can be launched across the entire network.

Researchers from Forescout Vedere Labs have demonstrated how their earlier research into TCP/IP stack vulnerabilities can be used to attack right at the heart of industrial processes. Called R4IIoT, the vulnerability allows Denial of Service (DoS) attacks to disable industrial equipment, including PLCs, controllers, and smart sensors, which is fundamentally different from previous attacks that focus on mainstream devices, servers, and network routers. As such, rebooting equipment will not restore control, especially for large-scale networks that span the globe.

And it is this global nature of modern industrial processes that makes this attack potentially devastating. Many industrial devices are located in remote places such as pipelines, ships, and containers that are not immediately accessible to engineers, which allows an attack to have more of an impact. For example, an oil company may have a ship carrying oil which is initially targeted by an attacker. If the demand is not met after several hours and staff on the ship are finally able to respond, the attacker can simply retarget another piece of equipment that has no nearby staff (such as a control valve for a pipeline).


How do such attacks threaten future industrial infrastructure?


The move to internet-enabled devices allows for industrial processes to be centrally controlled by one major network that allows for remote operation, maintenance, and repair. This use of a centralised network also allows for intelligent cloud-based services to improve operations and increase productivity (such as predictive AI).

However, the use of a central global network also opens up networks that were once entirely sealed from the outside world to cybercriminals, and the increasing number of internet-enabled devices being used in these networks provides more attack vectors for a criminal. As it only takes one device to open up a network to abuse, industrial network operators have to be more vigilant than ever to ensure network security.

Progress cannot be stopped, and going back to non-networked industrial processes with directly programmed controllers is not a solution to the problem. But engineers responsible for network operations, and those who design and manufacture internet-enabled industrial equipment, need to take security extremely seriously. It won’t be long before the world sees a major industrial attack that disrupts the global supply of a key resource (food, steel, oil, etc.) and impacts day-to-day life.