Is Industry 4.0 Ready for the Ransomware Threat?

Ransomware is the latest trend in criminal malware. It infects computers, encrypts data and demands a ransom payment in the form of bitcoins. The encryption is so strong that it has not yet been circumvented. Locky and other ransomware have the potential to become much more than an annoyance.

Recently one case was reported where patient data was encrypted at a hospital. That might seem bad enough but what would happen if computers that control medical devices are infected by the virus and they show a ransom letter instead of doing their job? Documents, photographs, films and other personal data are usually the prime targets for encryption rather than system files and applications. However, databases and license key files have also fallen victim to unauthorized encryption.

There have not yet been any reports of embedded systems being affected by Locky or similar viruses but this is still theoretically possible. Locky has mostly affected office computers and is spread by e-mail attachments infected with a macro virus. In addition to local files, Locky can also reach unmapped network shares and cloud storage. If production networks are not separated from office networks, Locky can easily find its way into the factory environment. Any data stored on production network shares is vulnerable to encryption. Another scenario to consider is what might happen when using a computer infected with Locky to access a production system remotely.

Connecting control systems which use standard protocols and software to an office network is a double-edged sword. Access to the office network makes production networks easy to manage and data easier to access. However, an operating system like Windows developed for standard IT environments needs to be secured appropriately. Such measures are not always possible in production networks either as the resources are not available or the application is not certified by the provider. Boundaries between office and production networks are not always as impenetrable as they should be. Threats such as Locky will continue to increase in the near future and beyond and could encrypt sensitive data leading to serious damages. Recent events should serve as a final warning for system administrators and IT security managers to take notice and tighten their security. Closing one more port or adding an extra DMZ is better than opening up the firewall for the sake of accessing a share quickly.

If the worst comes to the worse and a virus strikes, it is critical to have a well thought-out, up-to-date and tested disaster recovery concept. Off-site backups of data and images of operating systems and applications can help to get a system back up and running quickly after the infected systems have been quarantined.