25 Mar Ransomware in the Industrial Automation Sector
The cyber-security threat landscape is becoming increasingly complex and diverse. Cyber-criminals are consistently rearming themselves with new techniques and technologies that threaten the entire IoT and IIoT (industrial internet of things) landscape. Over the past couple of years ransomware has emerged as the preeminent cyber-threat to companies in the industrial automation sector.
Ransomware in Industrial Automation
It is estimated that ~70% of companies in this sector have experienced at least one ransomware attack over the past five years. The majority of those attacks resulted in production degradation and/or compromise of proprietary data. What is a ransomware attack? What are its stages? What damage can be done?
In simple terms, ransomware is a form of malware that infects an IoT device or machine. The infection can impact individual control files or expand to infect an entire ecosystem of devices and machines. As the name implies, the malicious actor then demands a “ransom” for the return of access to systems and files.
The Stages of a Ransomware Attack
- Campaign: Campaigns can take several forms but the most common is the use of email. These sophisticated phishing attacks are engineered to encourage the recipient to download the embedded malware.
- Infection: This is the point where the malware has been embedded into the device or machine. The infection remains dormant and invisible.
- Search: Now that the malware has a foothold it will begin to search for operating files to contaminate. This can include on-premise files as well as files stored within a cloud environment.
- Encryption: This is the final stage of the attack. The malicious actor uses symmetric encryption to compromise as much system and operating data as possible. This can bring individual assets or an entire asset ecosystem to a complete halt.
- Extortion: The attack culminates with a demand for a ransom payment. The attacker demands payment for access to the decryption keys that will allow for return to data access and operational control.
Since 2019, ransomware attacks on industrial control systems (ICS) have seen a dramatic year-over-year increase. The scope is sobering. It is estimated that there are ~300,000 malware attacks initiated every day. As a comparison, there were ~90,000 back in 2012. While this is a global problem, companies in the US have been particularly vulnerable.
No industry segment is immune from cyber-attack. Cyber-criminals display little prejudice when applying their craft. However, some industries are higher on the target list than others. Industrial automation companies find themselves in that unfortunate position. There are several reasons for that:
- High profitability: Companies within the industrial automation segment tend to operate at healthy profit margins. This makes them prime targets for cyber-criminals looking for a big payday.
- More vulnerable: Historically, industrial automation companies have spent less effort and money on cyber-security initiatives. This has started to change but there remains a residual legacy effect.
- High-value data: This segment produces high volumes of high-value data. The higher the value of data, the more the targeted company will pay for its return.
- Diverse supply chains: Industrial automation companies typically have a very broad base of suppliers, partners, customers, etc. Ransomware can be used to compromise a broader set of data and open the door to additional ransom opportunities.
Ransomware attacks can have a devastating—and long-lasting—impact on the targeted enterprise. As these attacks become more sophisticated the havoc they create is more widespread, harder to detect and more difficult to mitigate. The crippling effects from these cyber-attacks can include the following:
- Loss of critical data: A ransomware attack can result in the temporary, or sometimes permanent, loss of sensitive data. This data can be related to asset performance, financials, suppliers, etc.
- Disruption of operations: Depending on the scope of the attack, a single asset, an entire factory, or a chain of interconnected factories can be disabled. After the ransom is paid it can take weeks or months to recover to normal operational status.
- Degradation of supply chain: Suppliers can be impacted by a ransomware attack on an industrial automation company. Suppliers may be hesitant to continue a business relationship with a company that appears vulnerable to cyber-attack.
- Loss of reputation and market share: Operational and financial disruptions can create a loss of confidence within the company’s targeted market. Market share can be temporarily or permanently impacted.
- Financial loss: In addition to the ransom that must be paid, all the above will contribute to financial loss and degraded bottom-line performance. This can negatively impact the ability to invest in future technology and innovation.
The Solution – Endpoint Security
How can industrial automation companies combat this year-over-year increase in ransomware attacks? How can they get ahead and stay ahead of these threats? The solution lies in the ability to embed AI-enabled security into the extreme endpoint of the device, machine, or process (i.e., “the edge of the edge”). This Edge-native AI approach to cyber-security offers a paradigm shift in the approach to protecting industrial automation companies from ransomware attacks.
Edge-native AI offers the following advantages when compared to traditional approaches to cyber-security:
- Machine- and device-centric: Endpoint security is embedded directly into the asset’s MCU or MPU. This security can be customized for a specific device or machine.
- Customized algorithms: Predictive AI and ML algorithms that live, train, and learn directly on the targeted asset. The ability to predict upcoming cyber events.
- Real-time alerts and reactions: Endpoint security that enables quicker detection and reaction to ransomware infections. Mitigate the spread and impact of an attack.
- Local monitoring and data processing: Processing critical data at the endpoint eliminates security risks associated with cloud processing. Protection that is more robust and more cost-effective.
- Scalable and flexible: An Edge-native AI solution can be deployed on a single asset, multiple assets, or across an entire ecosystem of industrial automation sites. This improves the consistency of the security solution application.
Ransomware attacks will likely continue to increase, and industrial automation companies will continue to be targets. However, new Edge-native AI technologies will provide much-needed protection and mitigation.