There are two sessions at S4x17, Jan 10-12 in Miami South Beach, covering actual ransomware incidents in ICS. Marcelo Branquinho of TI Safe will go over two case studies that occurred in South America on the Main Stage, and RSA will discuss an ICS ransomware case in the US that also involved the FBI. All three cases will be anonymized, but there is some very interesting detail on how the companies dealt with the incidents.

This article comes on the heels of a ransomware incident on San Francisco’s Muni train and bus ticketing system, and likely a large number of other ransomware attacks that are never made public. I don’t think it is a bold prediction that ransomware in ICS will increase.

Given that change is minimal in ICS, even a quarterly, high-confidence, off-network backup is likely to be sufficient for recovery without unacceptable loss of information. High confidence and off network are the key properties. We often find in assessments that the hot standby system is used as the “backup”, and interviews and inspection show more of an occasional good-effort backup spread over servers, laptops and USB drives.

The bigger issue with ransomware in an ICS may be around the time to recover and the confidence in the ability to recover. Is the Recovery Time Objective (RTO) truly an acceptable outage time and is the asset owner certain it can be met? This also has ramifications for the attacker. They will need to shorten the time they give for payment, which means the asset owner will have a shorter time to decide to pay or not … another good scenario for a tabletop incident response exercise.
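The backup and RTO questions raised in the two paragraphs above, turned into a concrete check (this is an added example, not code from the post or from any of the S4 speakers): a backup set is recent enough for the site's change rate, every file still matches the hash manifest taken at backup time, a restore has actually been rehearsed inside the RTO, and the copy does not live on the hot standby. The quarterly window, eight-hour RTO, host names, file contents and hashes are all assumptions constructed for the example.

```python
# Added example (not from the original post): a readiness check for an ICS
# backup set covering the properties the post calls out. Recent enough (a
# quarterly window is assumed), high confidence (files match the SHA-256
# manifest and a restore fits the RTO), and off network (not the hot standby).
import hashlib
from datetime import datetime, timedelta

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_backup(backup: dict, production_hosts: set, now: datetime,
                 max_age_days: int = 92, rto_hours: float = 8.0) -> list:
    """Return findings; an empty list means the set is fit for recovery."""
    findings = []
    age_days = (now - backup["taken_at"]).days
    if age_days > max_age_days:
        findings.append(f"stale: {age_days} days old, limit {max_age_days}")
    # Off network: a copy on the standby is hit by the same ransomware event.
    if backup["stored_on"] in production_hosts:
        findings.append(f"not off network: stored on {backup['stored_on']}")
    # High confidence: stored content must still match the manifest hash.
    for name, expected in backup["manifest"].items():
        if sha256_bytes(backup["files"].get(name, b"")) != expected:
            findings.append(f"integrity: {name} differs from manifest")
    # Recoverability: the last rehearsed restore must fit inside the RTO.
    restore = backup["last_restore_test_hours"]
    if restore is None:
        findings.append("unverified: no restore test on record")
    elif restore > rto_hours:
        findings.append(f"rto: restore took {restore}h, RTO is {rto_hours}h")
    return findings

# Constructed sample: a "backup" that is really the hot standby, and a proper set.
PLC_CONFIG, HMI_PROJECT = b"plc01 logic v3.2", b"hmi project 2016-10"
PRODUCTION_HOSTS = {"scada-primary", "scada-standby"}
STANDBY_COPY = {"taken_at": datetime(2016, 5, 1), "stored_on": "scada-standby",
                "manifest": {"plc01.cfg": sha256_bytes(PLC_CONFIG)},
                "files": {"plc01.cfg": b"plc01 logic v3.3"},  # drifted since manifest
                "last_restore_test_hours": None}
OFFLINE_COPY = {"taken_at": datetime(2016, 10, 1), "stored_on": "offline-vault",
                "manifest": {"plc01.cfg": sha256_bytes(PLC_CONFIG),
                             "hmi.prj": sha256_bytes(HMI_PROJECT)},
                "files": {"plc01.cfg": PLC_CONFIG, "hmi.prj": HMI_PROJECT},
                "last_restore_test_hours": 6.0}

def audit(now: datetime = datetime(2016, 12, 1)) -> dict:
    """Run the check on both constructed sets, keyed by label."""
    return {label: check_backup(b, PRODUCTION_HOSTS, now)
            for label, b in (("standby", STANDBY_COPY), ("offline", OFFLINE_COPY))}
```

Running `audit()` reports the standby copy as stale, on-network, drifted from its manifest and never restore-tested, while the offline set comes back clean.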

Should be two interesting sessions and lots of good discussion at S4x17.

Image by portal gda