The cybersecurity firm, Recorded Future, which tracks cyberattacks on healthcare organizations and government entities, claims that there have been more than 140 ransomware attacks against state and local governments and health care providers in 2019 alone. Those 140+ cyberattacks held the computers, IT systems and data of schools, health systems, police stations, hospitals, libraries and other community institutions hostage until a ransom was received. The worst part? That statistic doesn’t include ransomware attacks against private companies and enterprises.
Ransomware is a particularly malicious form of cyberattack that encrypts data and denies access to IT systems and applications that are necessary for an organization to function. The keys to those systems are then dangled in front of an organization until they succumb to the pressures of not being able to operate and pay a ransom for them. And it’s becoming increasingly common. Did you hear about the recent ransomware attack on a Mississippi school district?
The reason for it is simple – profit. Cyber criminals are looking to make cash quickly and in larger quantities that they can get from individuals. This is often referred to as “Big Game Hunting.” And, as Dennis Egan, the Director of Healthcare East for cybersecurity company, CrowdStrike, recently explained in GovCyberHub, it can be very profitable. In fact, it can be so profitable that some malicious actors will even team up to execute ransomware attacks. According to Dennis:
“The concept of “Big Game Hunting” can be explained by the fact that the adversary, or adversaries, are executing on a more intricate and strategic campaign targeting larger organizations for a higher ransom return. It is also fairly common now for smaller, individual e-crime adversaries to band together in a more coordinated effort, effectively commercializing their attack methodologies.”
The idea of individual hackers and hacker groups banding together to extort money from organizations is a frightening one. And it’s something that should be of particular concern to companies, organizations and enterprises that rely on industrial and commercial equipment to do their jobs.
The IIoT – huge potential and bigger ransom risk
As we’ve discussed at length on the Modern Equipment Manufacturer, today’s original equipment manufacturers are under increasing pressure from their customers to make their devices smarter and more connected. This means that all kinds of commercial and industrial equipment is being designed and built that connects not only to building management systems (BMS), but also to the cloud.
While the benefits of BMS and cloud connectivity are incredible – ranging from remote monitoring to remote management to enabling advanced data analytics and increased automation – connecting these devices to the cloud also opens the door to hackers. But is the commercial and industrial equipment that an organization uses really a ripe target for cyber criminals?
I would say, “Yes.” The same way that the electronic health records (EHR) of a healthcare system, or the digital card catalog of a small library could be the targets of a ransomware attack, the commercial and industrial equipment used by a company could be a target.
At the end of the day, these systems are essential in some way to the operation of an organization or enterprise. If the connected water treatment equipment at a wastewater facility, or the connected lighting in a retail store, or the heating or elevators in a commercial office building were compromised and denied, the organization that relies on that equipment would be impacted in some way.
These systems seem innocuous, but they’re essential for operations and getting work done. Without the water treatment equipment, wastewater isn’t being treated and reused. Without the lighting systems, the retail store would be too dark for customers to shop. Without the HVAC systems or elevators, employees in a commercial office high-rise would be too uncomfortable to work – if they could even get to their desks.
Those lost sales and that lost productivity cost companies money. Don’t believe me? Just look at this fall’s United Auto Workers’ strike against GM. According to a recent CNBC article, “Wall Street analysts had estimated the strike cost GM more than $2 billion in lost vehicle production…” That strike lasted 40 days, which means that the strike costs the company about $50 million per day in lost vehicle production.
If a hacker found a way to take down the assembly line of a GM factory, or find a way to keep the workers off of the factory floor, they could ask a pretty high ransom to undo what they had done. So, yes, I think commercial and industrial equipment could be a target for ransomware. And it could also be a target for other kinds of attacks.
In his interview with the GovCyberHub, Crowdstrike’s Dennis Egan explained the multi-step approach that hackers take when they access a target’s systems:
“There are several stages to these attacks. It is often the case that a master dropper infrastructure…is distributed via spam, allowing for credential harvesting…Once credentials are harvested, reconnaissance is performed to analyze and assess the conditions of the environment and, ultimately, we then see lateral movement, an indication that the adversary has begun to achieve action on their objectives.”
It’s the “lateral movement” that I’d like to talk about. When hackers access a system, they often start by making multiple accounts or credentials for themselves that they can utilize should their harvested credentials no longer work. From there – once they have multiple ways of accessing a system – they can begin the process of moving through a target’s IT infrastructure and systems.
This was the case with the cyberattack that impacted retail monolith, Target. In that instance, a HVAC company had credentials stolen, which where used to access one system on Target’s network. From there, the hackers were able to move laterally across the network until they were able to upload credit card skimming software on the point-of-sales systems. The entire timeline and process of the attack was detailed expertly by Brian Krebs on his Krebs on Security blog.
The cost of that Target breach was about $162 million in 2013 and 2014. That number is now much higher following lawsuits and other costs, with some publications reporting that it now cost almost $300 million in total.
Regardless of whether IIoT devices and other commercial and industrial equipment are hit with a ransomware attack, or used as an entry point to the network, it’s clear that equipment owners and manufacturers have to think more about security as their equipment becomes more connected. There’s too much money at stake, too much potential for ransom, and too much damage that can be done to an end-customer’s bottom line and brand reputation to take the security of connected devices lightly. And now, there’s even legislation in the works that could force equipment manufacturers to take security seriously even if they didn’t before.
In my next article on the Modern Equipment Manufacturer, I’ll take a detailed look at some of the new regulations and legislation that could force equipment manufacturers to get serious about security.