LogicLocker is a proof of concept demonstrating a ransomware attack on supervisory control and data acquisition (SCADA) networks common in critical infrastructure facilities. LogicLocker locks out legitimate users from programmable logic controllers (PLCs) in water treatment plants and threatens to dump harmful amounts of chlorine into the water supply if the ransom is not paid.

While LogicLocker is not a real attack, it sheds light on the very real security weaknesses of industrial control system (ICS)/SCADA networks, which will likely put them in the crosshairs of opportunistic, distributed crimeware attacks like ransomware. It’s vital critical infrastructure organizations gain visibility to both IT and operational technology infrastructures, how the two are connected and how elements in each could be used as attack vectors or targets. Not understanding the risk of these interconnected environments could lead to data loss, downtime and even disaster if ransomware attackers ever made good on their promises.

How LogicLocker Works

A cross-vendor worm, LogicLocker was demonstrated on three PLC models, uses the native sockets API and exploits a weak authentication mechanism. The paper and demonstration released by the three researchers from Georgia Tech deals with Allen Bradley MicroLogix 1400 PLCs and Schneider Modicon M221 PLCs; another PLC model was demonstrated at Black Hat conferences. The attack is carried out remotely – requiring no human interaction – as ICS devices are in an “always-on” state.

The LogicLocker attack begins by targeting PLCs directly connected to the internet or by using standard malware to infect a workstation in the corporate network (e.g., phishing); the successfully compromised device is then used to propagate to the to the control network, if these are not properly segmented. Attackers could also use one of the many published ICS-CERT vulnerabilities that allow remote code execution or by breaking the weak authentication mechanism. The final phase of the attack is to change the PLC’s password to prevent access from the legitimate admin. With complete control of the device, the attacker can make their ransom demands (and potentially start dumping chlorine).

What Skybox Users Can Do Now

As there is little room for error or downtime in critical infrastructure, Skybox recommends the following action to be proactive against this and other threats:

  • Patch or mitigate critical vulnerabilities in ICS devices
  • Continuously monitor threats relevant to your organization’s industry and region
  • Change default passwords and deploy configuration policies in line with best practices
  • Properly segment IT/corporate and operational technology networks
  • Minimize the attack surface (i.e., limit devices accessible via the internet, allow only legitimate access through proper configuration of firewall access rules, etc.)

 

Resources

Learn how Skybox® Vulnerability Control and Skybox® Threat Manager prioritize risk in the context of your unique environment, normalizing threat intelligence and correlating information with your network and assets.

See how Skybox® Firewall Assurance correlates configuration and policy data with best practices and identifies security gaps, prioritizing them with added vulnerability intelligence.

Bridging the Gap Between IT and OT Network Security

Shamoon 2 Distributing DistTrack Wiper in Saudi Arabia