The attack method used with LogicLocker employs five stages: initial infection, horizontal and vertical movement, locking, encryption and negotiation. Initial infection can take place through various vulnerability exploits. As ICS devices are typically in an always-on state, cyber-criminals have ample time to attempt to compromise the PLC, and PLCs generally do not have strong authentication mechanisms in place to protect themselves from attack.[8] Initial infection could also take place through a user clicking a malicious email attachment.[9][10] Upon initial infection of the PLC, horizontal or vertical movement can be achieved from the PLC to the corporate network, depending on the capabilities of the PLC. The next stage of the attack is locking, in which the attacker locks out legitimate users to inhibit or prevent restoration efforts. This can be done through password changes, OEM locking, over-utilization of PLC resources or changing IP addresses and ports; these locking methods offer varying degrees of strength and success. To further ensure a successful attack, encryption is employed, following traditional crypto-ransomware practice, in preparation for the subsequent negotiation. Lastly, negotiations are conducted between the attacker and the victim for service restoration. Some PLCs contain an email capability that can be used to send the ransom message, as was the case with the MicroLogix 1400 PLC used in the proof-of-concept attack.[11][12]
To assist in defense and vulnerability mitigation efforts, there are several strategies that can be employed.
Endpoint security techniques such as password changes, disabling of unused ports and protocols, implementation of Access Control Lists (ACLs), maintaining proper backups and applying firmware updates should be used. This can significantly reduce the attack surface presented to cyber-criminals.[13]
Increased and vigilant network monitoring should be used to detect abnormalities. Protocol whitelisting on firewalls, network segmentation and automated backups can provide additional security and decrease restoration time, provided the backups are not compromised in the attack.[14]
Training employees to properly identify phishing emails, prohibiting USB devices and incorporating a comprehensive incident response plan should be used to assist in countering this threat.[15]
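The protocol whitelisting, ACL and network-monitoring controls described above can be illustrated with a small flow checker. The following is an added example written for this article; it is not code from the LogicLocker researchers or from any PLC vendor. The subnets, host addresses and flow records are constructed for illustration; port 44818 (EtherNet/IP explicit messaging) and port 502 (Modbus/TCP) are the real registered ports for those protocols. The checker applies a per-segment allow-list to traffic bound for the control network and flags any control-network host that initiates traffic toward another segment, which is where movement from a PLC toward the corporate network, or a PLC-originated ransom email, would first become visible.

```python
"""
Added example: a minimal protocol-whitelist checker for an ICS network
segment. Everything here (addresses, segments, sample flows) is constructed
for illustration and is not taken from the article or the LogicLocker paper.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment layout (hypothetical addresses).
CONTROL_NET = ip_network("10.10.0.0/24")      # PLCs and HMIs
ENGINEERING_NET = ip_network("10.20.0.0/24")  # engineering workstations
CORPORATE_NET = ip_network("10.30.0.0/16")    # business network

# Inbound services a PLC may legitimately offer, keyed by TCP port, with the
# segments allowed to reach each one. Management services such as Telnet (23),
# FTP (21) or HTTP (80) are deliberately absent: they are the "unused ports"
# the article says to disable, so any traffic to them is flagged.
ALLOWED_INBOUND_TO_PLC = {
    44818: {CONTROL_NET, ENGINEERING_NET},  # EtherNet/IP from HMIs and engineers
    502: {CONTROL_NET},                     # Modbus/TCP only from inside the control net
}


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed flow-log record)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def segment_of(addr: str):
    """Map an address to its segment, or None if it is outside all of them."""
    ip = ip_address(addr)
    for net in (CONTROL_NET, ENGINEERING_NET, CORPORATE_NET):
        if ip in net:
            return net
    return None


def check_flow(flow: Flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    src_net = segment_of(flow.src)
    dst_net = segment_of(flow.dst)
    if dst_net == CONTROL_NET:
        allowed_sources = ALLOWED_INBOUND_TO_PLC.get(flow.dport)
        if allowed_sources is None:
            return f"port {flow.dport} is not in the PLC allow-list (disable or block it)"
        if src_net not in allowed_sources:
            return f"port {flow.dport} reached from unexpected segment {src_net}"
        return None
    if src_net == CONTROL_NET and dst_net != CONTROL_NET:
        # A PLC or HMI should not initiate traffic toward other segments:
        # this is where movement toward the corporate network, or a
        # PLC-originated email, would first show up.
        return f"control-network host initiated traffic toward {dst_net}"
    return None


def audit(flows):
    """Return (flow, reason) pairs for every flow that breaks the policy."""
    return [(f, reason) for f in flows if (reason := check_flow(f))]


# Constructed sample flows, two permitted and three that should be flagged.
SAMPLE_FLOWS = [
    Flow("10.10.0.50", "10.10.0.10", 44818),  # HMI -> PLC, EtherNet/IP: permitted
    Flow("10.20.0.7", "10.10.0.10", 44818),   # engineering workstation -> PLC: permitted
    Flow("10.30.4.9", "10.10.0.10", 44818),   # corporate host -> PLC: wrong segment
    Flow("10.10.0.50", "10.10.0.10", 23),     # Telnet to PLC: service not on allow-list
    Flow("10.10.0.10", "10.30.1.25", 25),     # PLC -> corporate SMTP: outbound from control net
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"FLAG {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

In practice the allow-list would be enforced on the firewall or PLC ACL and the same table used by the monitoring system, so that any flow the firewall drops, or any flow that appears on a span port despite the policy, is raised as an alert rather than silently discarded.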
Formby, D., Durbha, S., & Beyah, R. (n.d.). "Out of Control: Ransomware for Industrial Control Systems". Retrieved from http://www.cap.gatech.edu/plcransomware.pdf
"A Malware Experiment Foreshadows Factories Held for Ransom". 16 February 2017. http://electronicdesign.com/iot/malware-experiment-foreshadows-factories-held-ransom
Chirgwin, Richard (15 February 2017). "Meet LogicLocker: Boffin-built SCADA ransomware". The Register. Retrieved 2017-02-20. https://www.theregister.co.uk/2017/02/15/logiclocker_scada_ransomware/
"Proof-of-concept ransomware locks up the PLCs that control power plants". Boing Boing. 2017-02-14. Retrieved 2017-02-20. https://boingboing.net/2017/02/14/proof-of-concept-ransomware-lo.html
Khandelwal, Swati. "This Ransomware Malware Could Poison Your Water Supply If Not Paid". The Hacker News. Retrieved 2017-02-20. http://thehackernews.com/2017/02/scary-scada-ransomware.html