A call from a customer: "We have a problem: the plant is running, but we have lost supervision."

Food & Beverage: a food production plant of a medium-sized Italian company, supervised and monitored by a SCADA/PLC application, is brought to a standstill by ransomware.

How did it happen?

The plant network is, as we automation people say, "flat": little segmentation and no segregation of the critical assets (factory PCs and servers).

The office PCs used for e-mail and other internet-facing applications sit on that same network: it was enough for someone in administration to open an attachment named "invoice" to unleash hell.

The ransomware (one of the many, increasingly refined variants of Cryptolocker) starts encrypting the files on every PC and network share it can reach, renaming each file with an .mp3 extension and leaving its contents unrecoverable without the attacker's key.
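The indicator in this account, documents encrypted and renamed to .mp3, can be checked for with a simple scan of the shares. The following is an added example, not code from the original post or from ServiTecno: it flags every .mp3 file whose first bytes are neither an ID3 tag nor an MPEG frame sync, and reports the byte entropy of the sample, which is close to 8 bits per byte for ciphertext. The directory layout and file names are constructed for the demo.

```python
"""Triage scan for the indicator described above: files encrypted by the
ransomware and renamed with an .mp3 extension. Added example, not code from
the original post; the sample share below is constructed for the demo."""
import math
import random
import tempfile
from pathlib import Path


def looks_like_mp3(header: bytes) -> bool:
    """True if the first bytes are an ID3v2 tag or an MPEG audio frame sync."""
    if header[:3] == b"ID3":
        return True
    # MPEG frame sync: first 11 bits set (0xFF, then the top three bits of byte 2).
    return len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ~8.0 for ciphertext, lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_suspect_mp3(root, sample_size: int = 4096):
    """Return sorted (relative_path, entropy) for *.mp3 files whose header is
    not MP3 audio. High entropy on top of a bad header points to ciphertext."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.mp3"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            sample = fh.read(sample_size)
        if looks_like_mp3(sample):
            continue
        hits.append((path.relative_to(root).as_posix(), round(shannon_entropy(sample), 2)))
    return sorted(hits)


def build_sample_share(base) -> Path:
    """Constructed sample share (not incident data): a genuine-looking MP3, a
    spreadsheet that was encrypted and renamed, and an untouched spreadsheet."""
    base = Path(base)
    (base / "music").mkdir(parents=True)
    (base / "reports").mkdir()
    (base / "music" / "jingle.mp3").write_bytes(b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 256)
    rng = random.Random(1)  # fixed seed stands in for ciphertext, reproducibly
    (base / "reports" / "batch_report.xlsx.mp3").write_bytes(
        bytes(rng.randrange(256) for _ in range(4096))
    )
    (base / "reports" / "batch_report_prev.xlsx").write_bytes(b"PK\x03\x04" + b"A" * 512)
    return base


def demo():
    """Build the sample share in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_suspect_mp3(build_sample_share(Path(tmp) / "share"))


if __name__ == "__main__":
    for rel_path, entropy in demo():
        print(f"SUSPECT {rel_path}  entropy={entropy} bits/byte")
```

Run against a real share, the scan returns only the renamed spreadsheet, not the genuine audio file: the header check is what separates them, and the entropy figure confirms that the bytes look like ciphertext rather than a mislabelled document.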


Figure: the CRYPTOLOCKER ransom screen. It is creepy, but that is the intent.


Among those shares is the disk of the SCADA server itself, which had been made reachable from the offices so that reports on the progress of the plant could be generated and downloaded.

The SCADA server fortunately keeps running, because all of its real-time activity takes place in RAM (communication with the PLCs, scanning of the field I/O points, reading of signals and measurements, transmission of commands and set-points, presentation and acknowledgement of alarms). However, it is no longer possible to switch views on this machine: only the screens already cached in memory can be opened, while the others, stored in the directories hit by the ransomware, are now encrypted and unusable.

The SCADA clients, the operator display stations, were on the other hand "clean" and continued to let the operators see all the data from the plant. In practice the plant keeps running and producing, but nobody can say for how long.

An orderly shutdown is therefore decided, in order to sanitize the computers and restart. Once the SCADA server is switched off as well, the plant is completely blind.

The search begins for the latest backup of the applications and of the installed configuration: unfortunately it is "dated", so part of the most recent application changes is lost.

The license files of the software in use are also unusable and have to be requested again from the vendor, with a fee for regeneration and a further loss of time.

The most recent historical data and alarms, those collected after the last usable backup, are lost.

This can affect the traceability of the batches produced and whether they can be placed on the market at all.

All told, 3-4 days of work to restart, with direct costs (consultants, components to be replaced) and indirect costs (lost production, cancelled batches and the inability to produce, reputational damage).

Clearly there was a lack of awareness of cyber security here, at least of how cybercrime has developed in recent years: what could have been done to avoid the problem?

Certainly the basis of every "secure" system (in quotes, because no architecture can be considered 100% safe) is its policies.


If the attachment had not been opened there would have been no problem, but the administrative employee who physically opened it certainly cannot be blamed. In their defence I would add that, whereas the ungrammatical e-mails of the past "smelled of viruses", those that arrive in our inboxes today are entirely credible.

We at ServiTecno got CRYPTOLOCKER too: do you want to know how we "saved" ourselves?

However, even informing staff about possible threats and setting up procedures for them is not enough: you have to be ready, above all with a plan B, that is, HOW TO RESTART QUICKLY WITHOUT LOSING DATA.


Some advice on this from ServiTecno: