We are all aware of the massive ransomware attacks that have severely hit industrial companies. The Colonial Pipeline incident last May is one of the best known.
In all of these attacks (including the Colonial Pipeline incident), the ransomware targeted and impacted the companies' IT systems. The affected company then shut down its ICS networks as a precaution, to isolate and protect them.
To summarize: ransomware attacks as we know them today do not aim at ICS networks directly and affect them only as a secondary effect.
We all know that the "bad guys" move faster and already have the "next" surprise up their sleeve. We need to ask ourselves: is it possible to aim a ransomware attack directly at ICS devices?
Unfortunately for us and our customers, the answer is YES. In the last few months, I have encountered several publications discussing the possibility that ICS devices could be a direct target for ransomware attacks. The following publication by Red Balloon Security https://redballoonsecurity.com/ransomware-installation-on-embedded-devices-is-possible-because-weve-... is highly interesting, as it covers in detail how such an attack could take place.
What solutions do we have to improve security against such a threat:
- Use the Check Point firmware and risk assessment tool to examine the firmware of the customer's ICS devices
- Use Claroty CTD for online scanning and for alerts concerning any newly disclosed vulnerability that might allow remote code execution on the ICS devices
- Use Check Point IPS to virtually patch vulnerabilities that might allow remote code execution on the ICS devices, until the vendor firmware can be updated.