Evaluating the Risk of Ransomware in Energy Systems
Updated: Jul 5, 2021
On October 5, 2021, I presented at the UIUC Power and Energy group seminar, ECE 590i. My presentation, Evaluating the Risk of Ransomware in Energy Systems, discussed research from my Spring 2020 class, CS 563: Advanced Computer Security with Prof. Bates. For this term project, we had to pick an individual research project and apply techniques studied in our literature review class to produce novel research results. Although the original project was for a computer security class, I picked a topic that applied to my interest in power systems, and I felt that the results of my research would be interesting to the power and energy group as well. Here are some highlights from my presentation.
We know that ransomware can be a huge headache for companies. In addition to slowing down work, it is costly to recover from, whether by trying to restore files manually or by paying the ransom. As trends indicate growing concern over ransomware and evidence that industrial control systems may be targeted more, an evolving area of research is what this means for ICS. Specifically, can ransomware targeting these systems infect the right resources to prevent them from operating safely, or does it just shut down the IT side of things?
It can. In February 2020, ransomware infected HMIs, polling servers, and data historians at an oil pipeline company, forcing the company to shut down operations for 2 days even though the PLCs weren't infected.
Ransomware is financially motivated malware that encrypts files or blocks access to data, and demands payment in order to unlock the files. Some companies pay, some don't, but even if you don't pay it can be expensive to recover from. For industrial control systems, like transportation, energy, oil & gas, or manufacturing, losing access to computing resources can actually shut down physical processes, or in the worst case, cause safety incidents.
However, it is generally considered harder to create a successful campaign that will penetrate the OT network, and if it requires a higher investment from attackers, financially motivated attackers may be less likely to focus on these targets. The goal of my research was to figure out if evidence of this tradeoff exists in historical data, and also to analyze what types of OT devices would need to be infected to actually cause operational impacts on a power grid.
First, let's talk about what separates an ICS target from an IT target from a ransomware perspective. ICS environments tend to include legacy systems, which means old and known vulnerabilities may exist, and that is very attractive for ransomware. In addition, companies lose money immediately if they cannot deliver product, which means availability of systems is a high priority, even more so than confidentiality. Next, what makes energy systems unique among ICS? A successful attack impacts everyone in range immediately and can have cascading public health and safety consequences. Patching may be less common across all ICS, but compared to other industries, updates may actually be impossible if they reduce backwards compatibility with other devices. Even if updates are approved, you can't just restart the systems every night; changes have to come at scheduled maintenance intervals, which may be years apart. Another constraint on power systems is the constant need to balance load and generation, which requires high visibility of the system at any given time.
The power industry regulatory bodies set standards for cybersecurity and issue fines for non-compliance. I couldn't find similar entities governing manufacturing; there are some in healthcare (the FDA, but it mostly makes "recommendations", not "requirements").
With this knowledge in mind, I wanted to start with a survey of ICS security events in order to find out how prevalent these kinds of attacks really are. It is difficult to find publicly available data about security events, but the best publicly available data I found was from the US Cybersecurity and Infrastructure Security Agency (CISA) and their NCAS database, and I also found a useful set from Kaspersky. I studied 2016 to present, as that seems to be the period in which ICS ransomware has been rising. I broke down ICS security events by which ones were ransomware issues, which ones impacted the energy sector, and which ones were ransomware events that affected the energy sector.
The datasets I have are admittedly small, but ICS ransomware events seem to be about half of all ICS events. Half or fewer of the events impacted the energy sector. Only one or two energy-sector ransomware events occurred each year. This data seemed to support my hypothesis that ransomware attacks on energy systems were rare. The cases where they did exist were almost exclusively collateral damage of larger campaigns, rather than targeted attacks.
The second part of my study was to simulate what would happen if a power grid did experience a ransomware attack on OT equipment. I used a software called PowerWorld and chose a standard 37 bus case. I assumed ransomware would make a resource totally unavailable. I chose 4 components to simulate a ransomware attack on, drawing from information on successful ransomware attacks on other ICS systems.
For this presentation, I focused on the application server, which is one of the more severe cases. Infecting the application server with ransomware means that data can still be measured, so stability is maintained, but the servers that compute the optimal dispatch to minimize costs cannot be used.
I programmed the dynamic load throughout the day to mimic a normal day. It simulates low, medium, and high loads, reaching a peak of 90% of generation capacity. When the optimal dispatch is turned off, the marginal costs increase, but we can see that they are still proportional to the total amount of load. These losses add up to $110,000 over a single day, which is pretty significant for a system as small as this one. If you can imagine a system with thousands of buses instead of 37, it is easy to see how this could get out of control.
The main takeaways from the database analysis part of this study were that ICS malware is definitely on the rise, and ransomware that targets or accidentally hits ICS systems is keeping pace with it. However, there is not much evidence of targeted ransomware attacks against the energy sector. From the simulation part of my study, it seemed that the easiest devices to compromise on the OT network had the least impact. Without infecting actual PLCs, the situation that would cause the most impact is compromising the database server, which would reduce the system to manual operation. At the least, ransomware may cause the cost of generation to increase significantly.
Even if the system is capable of operating, it would be interesting to study what decisions utilities are likely to make if they did experience an attack on the OT network. The oil pipeline company in the attack I mentioned at the beginning made the decision to shut down operations after the historian was infected, but I'm not sure if a utility would make the same decision. Another remaining question is what the best way is to protect ICS devices from ransomware infections, given the limitations we discussed at the beginning.