Hackers are using industrial control systems (ICSs) to “mine” for cryptocurrency coins, according to a new report from the cybersecurity firm Trend Micro. It says that the coin-miners are accessing ICSs mainly through unpatched operating systems and that by hijacking the ICS CPUs, they can affect control system performance, leading to a potential loss of control, especially on systems that have low CPU capacity or are running outdated operating systems – “a setup that is not rare in industrial environments”, according to Trend.
The report also warns that ransomware attacks are “a concerning and rapidly evolving threat to ICS endpoints”, resulting in possible downtime and the theft of sensitive data. The merging of IT (information technology) and OT (operational technology) functions in ICSs has made them more vulnerable to cyber-attacks, and if ransomware finds its way onto these systems, it can knock out operations for days and increase the risk of designs, programs and other sensitive information finding their way onto the “dark Web”.
Industrial organisations should also be aware of “big game hunters” who first find ICSs that could be compromised and then identify the key systems in the networks that would cause the most disruption, and coerce the victims into paying ransoms. According to Trend, the presence of ransomware in several ICS attacks might indicate that the cybercriminals are starting to recognise these systems and are actively targeting them.
“Industrial control systems are incredibly challenging to secure, leaving plenty of gaps in protection that threat actors are clearly exploiting with growing determination,” warns Trend Micro’s senior manager of forward-looking threat research, Ryan Flores. “Given the US government is now treating ransomware attacks with the same gravity as terrorism, we hope our latest research will help industrial plant owners to prioritise and refocus their security efforts.”
The 2020 Report on Threats Affecting ICS Endpoints urges closer cooperation between IT security and OT teams to identify key systems and dependencies such as OS compatibility and up-time requirements, with a view to developing more effective security strategies. It makes several recommendations, including the following:
• Patching systems promptly with security updates. Although this is “a tedious process”, it is necessary to avoid systems being compromised. If patching is not possible, Trend suggests that users should consider network micro-segmentation or virtual patching of networks.
• Restricting network shares and enforcing strong username/password combinations. These can prevent unauthorised access through credential “brute-forcing”.
• Using intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). These can flag possible network anomalies, detect malicious traffic, and help with device visibility. They can also help in profiling device-to-device communications, establishing network traffic baselines, and addressing malicious network activities, making it easier to identify network traffic anomalies later on.
• Installing anti-malware software. This can address legacy worms and viruses that can stay dormant in removable drives and air-gapped systems. For ICS endpoints in air-gapped environments that do not have security software installed, or where security software cannot be updated because of the lack of internet connection, standalone tools can scan and check for the presence of malware.
• Setting up USB scanning kiosks. These stations can scan for malware from removable drives used to transfer data in between air-gapped endpoints.
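The recommendation to profile device-to-device communications and establish a network traffic baseline can be illustrated with a small detector. The following is an added example, not code from Trend Micro or the report; the flow records, host names and ports are constructed, and the asset inventory is assumed to be the set of hosts seen during a trusted baseline window.

```python
from collections import defaultdict

# Constructed flow records: (source, destination, destination port, protocol).
# These are not from the report; they stand in for flows an IDS or flow collector
# would export from an ICS network segment during a trusted observation window.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502, "tcp"),        # Modbus/TCP polling
    ("hmi-01", "plc-02", 502, "tcp"),
    ("eng-ws-01", "plc-01", 44818, "tcp"),   # EtherNet/IP from engineering workstation
    ("historian", "hmi-01", 1433, "tcp"),    # historian pulling from HMI database
]

# Constructed flows from a later window, mixing expected and unexpected traffic.
LATER_FLOWS = [
    ("hmi-01", "plc-01", 502, "tcp"),        # expected
    ("hmi-01", "plc-01", 80, "tcp"),         # known pair, new service
    ("eng-ws-01", "plc-02", 44818, "tcp"),   # two known hosts, never seen talking before
    ("plc-02", "203.0.113.7", 3333, "tcp"),  # controller reaching an unknown external host
]


def build_baseline(flows):
    """Learn {(src, dst): {(port, proto), ...}} plus the set of hosts seen in the window."""
    baseline = defaultdict(set)
    hosts = set()
    for src, dst, port, proto in flows:
        baseline[(src, dst)].add((port, proto))
        hosts.update((src, dst))
    return baseline, hosts


def detect_anomalies(baseline, known_hosts, flows):
    """Return (src, dst, port, reason) for each flow that deviates from the baseline."""
    findings = []
    for src, dst, port, proto in flows:
        pair = (src, dst)
        if dst not in known_hosts:
            findings.append((src, dst, port, "destination not in asset inventory"))
        elif pair not in baseline:
            findings.append((src, dst, port, "new device-to-device conversation"))
        elif (port, proto) not in baseline[pair]:
            findings.append((src, dst, port, "new service on known pair"))
    return findings


if __name__ == "__main__":
    base, hosts = build_baseline(BASELINE_FLOWS)
    for finding in detect_anomalies(base, hosts, LATER_FLOWS):
        print(finding)
```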
Looking at where ICS cyberattacks are happening, Trend reports that the US is experiencing the highest level of ransomware attacks, while India is suffering the largest number of coin-mining attacks. German ICSs are the biggest victims of “greyware” – such as unwanted applications, adware and hacking tools – because adware is sometimes bundled with software tools.
[Figure: The types of ICS cyber-attacks detected in Trend Micro’s ten most vulnerable countries. Source: Trend Micro Smart Protection Network infrastructure]
Trend warns that legacy malware is continuing to thrive in IT/OT networks. Despite having been a threat for years, worms such as Autorun, Gamarue and Palevo, which propagate through removable drives, are still commonly detected on ICS endpoints.
Trend Micro’s technical director, Bharat Mistry, points out that ICSs “are seen as soft targets with many systems still running legacy operating systems and unpatched applications. Any infection on these systems will most likely cause days if not weeks of outage.”