OT networks often rely on Windows systems for various ICS applications including HMIs, historians, and data gateways. Beyond that, they also commonly rely on Windows systems to run associated IT-networks.

A successful ransomware deployment into either of these networks may prevent engineers from controlling plant operations and lead to an unplanned shutdown. This creates an immediate cost to the organization due to lost productivity. In the worst case, unplanned shutdowns may lead to physical failures that can damage equipment, potentially endangering lives in the process. The downtime from such an event could also span many months depending on the system: specialized industrial equipment often cannot be replaced with existing components and can take months to produce.

How the Malware Is Deployed

Ransomware may find its way onto an ICS network through a variety of sources. As with any other organization, it may start with phishing attacks targeting employees. Phishing will typically attempt to either install malware or steal remote access credentials. Another common technique is for an attacker to compromise an industry website and implant malware or exploits. When unsuspecting engineers browse to or load software from this site, the attacker gains access to their system in what is known as a watering hole attack. The attacker can move laterally from a point of infection and deliver ransomware to critical targets.

Exploits targeting VPN portals or other externally exposed IT infrastructure may also provide a beachhead for a ransomware deployment. This is what happened at a manufacturing plant in Italy earlier this year when it was infiltrated through a vulnerable FortiGate VPN server. The attackers exploited CVE-2018-13379 to obtain credentials and then accessed a Windows system through the VPN. Next, Mimikatz was used to obtain other credentials and move laterally through the network until a Domain Admin account was compromised. The
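The intrusion chain described above has two stages a defender can look for in logs: traversal-style requests against an externally exposed VPN portal, and one account that, shortly after arriving over the VPN, fans out across many internal Windows hosts. The following detector is an added example and not code from the original article or from any vendor; the access-log format, the Windows event CSV layout, the VPN client address pool (10.10.50.0/24), the hostnames and the account names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Stage 1: directory-traversal attempts against an exposed VPN portal ---
# Hypothetical access-log format: "<ISO time> <client ip> <method> <uri> <status>".
# The lines below are constructed sample data, not real traffic.
VPN_ACCESS_LOG = """\
2020-06-01T08:00:01Z 203.0.113.10 GET /portal/login 200
2020-06-01T08:00:05Z 203.0.113.10 GET /portal/lang?file=../../../../etc/sessions 200
2020-06-01T08:00:06Z 203.0.113.10 GET /portal/lang?file=..%2F..%2F..%2Fetc%2Fsessions 200
2020-06-01T08:01:10Z 198.51.100.7 GET /portal/login 200
2020-06-01T08:01:12Z 198.51.100.7 POST /portal/auth 302
"""

# Matches "../", "..\", and their URL-encoded variants (case-insensitive).
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)


def traversal_attempts(log_text):
    """Return (client_ip, uri) for every request whose URI carries a
    directory-traversal sequence, plain or URL-encoded."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip malformed lines rather than crash
            continue
        _, ip, _, uri, _ = parts
        if TRAVERSAL_RE.search(uri):
            hits.append((ip, uri))
    return hits


# --- Stage 2: a VPN-sourced account fanning out across internal hosts ---
# Constructed Windows Security events as CSV:
#   time,host,event_id,account,logon_type,source_ip
# Event ID 4624 = successful logon; logon type 3 = network (SMB/RPC), 10 = RDP.
WIN_EVENTS = """\
2020-06-01T08:02:00Z,ENG-WS01,4624,CORP\\jsmith,10,10.10.50.21
2020-06-01T08:05:00Z,ENG-WS01,4624,CORP\\jsmith,2,-
2020-06-01T08:06:00Z,HIST01,4624,CORP\\jsmith,3,10.10.1.15
2020-06-01T08:06:30Z,HMI02,4624,CORP\\jsmith,3,10.10.1.15
2020-06-01T08:07:00Z,FILE01,4624,CORP\\jsmith,3,10.10.1.15
2020-06-01T08:07:40Z,DC01,4624,CORP\\jsmith,3,10.10.1.15
2020-06-01T09:30:00Z,HIST01,4624,CORP\\svc_backup,3,10.10.1.9
2020-06-01T10:00:00Z,HMI02,4624,CORP\\operator,2,-
"""

VPN_POOL = "10.10.50."   # hypothetical address range handed to VPN clients


def lateral_movement(events_csv, window=timedelta(minutes=15), min_hosts=3):
    """Flag accounts that, within `window` of a logon sourced from the VPN
    client pool, establish network/RDP logons on at least `min_hosts`
    distinct hosts. Returns {account: sorted list of hosts touched}."""
    logons = defaultdict(list)
    for line in events_csv.splitlines():
        t, host, eid, acct, ltype, src = line.split(",")
        if eid != "4624" or ltype not in ("3", "10"):
            continue                 # only remote logons are interesting here
        when = datetime.fromisoformat(t.replace("Z", "+00:00"))
        logons[acct].append((when, host, src))

    alerts = {}
    for acct, rows in logons.items():
        rows.sort()
        for start, _, src in rows:
            if not src.startswith(VPN_POOL):
                continue             # anchor the window on a VPN-sourced logon
            hosts = {h for t, h, _ in rows if start <= t <= start + window}
            if len(hosts) >= min_hosts:
                alerts[acct] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for ip, uri in traversal_attempts(VPN_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {uri}")
    for acct, hosts in lateral_movement(WIN_EVENTS).items():
        print(f"possible lateral movement by {acct}: {', '.join(hosts)}")
```

The second check deliberately keys on the VPN client pool: an engineer who logs in over the VPN and then touches a historian, an HMI, a file server and a domain controller within minutes is the pattern the Italian incident describes, whereas the scheduled backup account in the sample data never trips it because its logons do not originate from the VPN pool. Thresholds and the pool range would be tuned to the site.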