The global site of the UK's leading magazine for automation, motion engineering and power transmission
23 September, 2021

Hackers harness control systems to mine for crypto-coins

05 July, 2021

Hackers are using industrial control systems (ICSs) to “mine” for cryptocurrency coins, according to a new report from the cybersecurity firm, Trend Micro. It says that the coin-miners are accessing ICSs mainly through unpatched operating systems and that by hijacking the ICS CPUs, they can affect control system performance, leading to a potential loss of control, especially on systems that have low CPU capacity or are running outdated operation systems – “a setup that is not rare in industrial environments”, according to Trend.

The report also warns that ransomware attacks are “a concerning and rapidly evolving threat to ICS endpoints”, resulting in possible downtime and the theft of sensitive data. The merging of IT (information technology) and OT (operational technology) functions in ICSs has made them more vulnerable to cyber-attacks, and if ransomware finds its way on these systems, it can knock out operations for days and increase the risk of designs, programs and other sensitive information finding their way onto the “dark Web”.

Industrial organisations should also be aware of “big game hunters” who first find ICSs that could be compromised and then identify the key systems in the networks that would cause the most disruption, and coerce the victims into paying ransoms. According to Trend, the presence of ransomware in several ICS attacks might indicate that the cybercriminals are starting to recognise these systems and are actively targeting them.

“Industrial control systems are incredibly challenging to secure, leaving plenty of gaps in protection that threat actors are clearly exploiting with growing determination,” warns Trend Micro’s senior manager of forward-looking threat research, Ryan Flores. “Given the US government is now treating ransomware attacks with the same gravity as terrorism, we hope our latest research will help industrial plant owners to prioritise and refocus their security efforts.”

The 2020 Report on Threats Affecting ICS Endpoints urges closer cooperation between IT security and OT teams to identify key systems and dependencies such as OS compatibility and up-time requirements, with a view to developing more effective security strategies. It makes several recommendations, including the following:
Patching systems promptly with security updates. Although this is “a tedious process”, it is necessary to avoid systems being compromised. If patching is not possible, Trend suggests that users should consider network micro-segmentation or virtual patching of networks.
Restricting network shares and enforcing strong username/password combinations. These can prevent unauthorised access through credential “brute-forcing”.
Using intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). These can flag possible network anomalies, detect malicious traffic, and help with device visibility. They can also help in profiling device-to-device communications, establishing network traffic baselines, and addressing malicious network activities, making it easier to identify network traffic anomalies later on.
Installing anti-malware software. This can address legacy worms and viruses that can stay dormant in removable drives and air-gapped systems. For ICS endpoints in air-gapped environments that do not have security software installed, or where security software cannot be updated because of the lack of internet connection, standalone tools can scan and check for the presence of malware.
Setting up USB scanning kiosks. These stations can scan for malware from removable drives used to transfer data in between air-gapped endpoints.

Looking at where ICS cyberattacksare happening, Trend reports that the US is experiencing the highest level of ransomware attacks, while India is suffering the largest number of coin-mining attacks. German ICSs is the biggest victim of “greyware” – such as unwanted applications, adware and hacking tools – because adware is sometimes bundled with software tools.

The types of ICS cyber-attacks detected in Trend Micro’s ten most vulnerable countries
Source: Trend Micro Smart Protection Network infrastructure

Trend warns that legacy malware is continuing to thrive in IT/OT networks. Despite being a threat for years, worms, such as Autorun, Gamarue, and Palevo, which propagate through removable drives, are still being detected commonly in ICS endpoints

Trend Micro’s technical director, Bharat Mistry, points out that ICSs “are seen as soft targets with many systems are still running legacy operating systems and unpatched applications. Any infection on these systems will most likely cause days if not weeks of outage.”

Trend MicroTwitter  LinkedIn  Facebook




Magazine
  • To view a digital copy of the latest issue of Drives & Controls, click here.

    To visit the digital library of past issues, click here

    To subscribe to the magazine, click here

     

Exhibition

Drives Show 2022The next Drives & Controls Exhibition and Conference will take place in Birmingham, UK, from 5-7 April, 2022. For more information on the event, visit the Show Web site

Poll

"Do you think that robots create or destroy jobs?"

Newsletter
Newsletter

Events

Most Read Articles