Embedded Devices Remain Susceptible to Ransomware Threats
OT systems are an established target for ransomware, as are the critical devices within them. The public and private sectors must take a far more holistic approach to protecting this layer.
The large number of high-profile incidents in 2022 should remove any doubt that malicious actors are targeting industrial control systems (ICS) with ransomware.
Attacks have originated at the data-heavy enterprise/IT level as well as in the control rooms at the core of operations. With global conflict raising threat levels in governments and industries around the world in 2022, the threat has likely been elevated.
Unfortunately, we are still playing catch-up when it comes to providing sufficient security controls within ICS. The most critical remaining gap is at the device level: the actuators, sensors, safety equipment and electronic control units (ECUs) that keep our power grids online, our telecommunications networks fast and secure, and our manufacturing plants operating in a safe state.
The lack of on-device ransomware protection can lead to a single-device compromise – or to multiple device lockouts via lateral spread across a network. While we haven't yet seen credible evidence of such attacks in the field, it's clear that the combination of increased activity and a lingering security gap puts us at an inflection point. Embedded devices need more ransomware protection – right now. Yet it may take significant time and investment to bring sufficient security to this level – far more time than it takes to build and deploy ransomware that will be effective there.
Directives such as last year's Executive Order, issued in the wake of multiple high-profile attacks, help to raise awareness of ICS ransomware threats. But no directive or security standard I've reviewed goes far enough. Ransomware, ICS security, and firmware and embedded device security are each discussed often. But to date, government and industry leaders have yet to pull these pieces together into effective guidance or plans of action.
We may still have time before an assailant compromises an important system by bringing ransomware one step lower in the ICS stack, down to the device level. These three facts ought to provide the incentive to improve protection before attackers make the case for us:
Fact 1: Firmware insecurity is a serious concern for embedded devices
It has taken the better part of two decades to bring robust security controls to devices and networks at the enterprise and control-room levels. We have yet to extend similar controls down to the embedded devices that act directly on ICS physical processes.
The firmware of many of these devices is a particular concern. Firmware comprises the programs and data that interact directly with device hardware; it is vital to device functionality, yet it often lacks robust protections.
Fact 2: Embedded devices are a prime ransomware target
Because embedded devices generally contain limited data, a ransomware attack on them may seem counterintuitive. But there is evidence that attackers have targeted firmware itself for ransomware payloads, and have used firmware as a means to spread ransomware to other sensitive systems.
Many critical ICS products are available on the open market, usually at four-figure prices. And while it takes advanced skills to reverse engineer these devices to uncover exploitable vulnerabilities, malicious actors have demonstrated that they have the time and resources to do just that, particularly when payouts from ransomware attacks on ICS have reached eight figures.
Fact 3: Established protections will not prevent on-device ransomware
Most embedded devices sit behind perimeter defenses and access controls, which has led to some complacency about host-based protections. But there are important differences in how these devices function and interact with users.
Unlike an attack on a PC, ransomware won't activate on an embedded device because someone clicks a malicious link or downloads a ransomware payload. Embedded-device compromise would more likely be the result of an attack that takes a wide-scale approach to the enterprise by targeting servers and policy systems – which can allow attackers to transmit malicious commands directly to endpoints with no human interaction.
In the likeliest scenario, these commands will originate from compromised engineering workstations or vendor monitoring/update channels, then spread directly from device to device, much as worms did in the 1990s and 2000s.
Firewalls, role-based access control and other protections are ineffective if ransomware is spreading over authorized communication paths and protocols. They also can't prevent east/west ransomware spread once a system is compromised, since that activity occurs within the protected perimeter.
To raise security standards, we must highlight the ransomware threat to embedded devices
I worry that a year from now we will be in the same position, or worse yet, scrambling to upgrade on-device security in response to ransomware attacks that hold our critical infrastructure hostage or leave it severely damaged. To prevent that, we need to take the following steps:
- Recognize the increased threat to embedded devices. In the present global unrest, threat actors are being tasked with finding exploitable weaknesses in essential infrastructure. Embedded devices are often mission-critical, and therefore legitimate targets for ransomware and other cyberattacks.
- Invest more in firmware engineering and security. Many industries remain unwilling to invest deeply in securing firmware, despite the potential severity of attacks that reach this level. ICS operators must request and plan for more security, and manufacturers must bring more native protections to their products.
- Ensure supply chains have adequate replacement devices on hand. Device replacement may well be the best option for restoring operations following a ransomware attack at that level. Currently, it is unlikely that supply chains could produce sufficient replacements if many devices failed in one attack.
- Back up device configurations. Not all ransomware attacks will result in total loss of a device. Customers should make sure all device backups are current and accessible.