Would you pay a thousand dollar ransom for your hot water?

Kevin Pratt, previously Lead Anti-Fraud Analytics Scientist at Teradata, MSCS, JD

Imagine receiving an email demanding a $1000 ransom to restore the gas and electricity to your hot water heater (along with your furnace!).


How long would your family be willing to go before paying up?  Or, suppose utilities at your corporate headquarters would not function until a ransom is paid.  What is your burn rate while you await a return to a heated building?

Ransomware and Extortion

Extortion is one of organized crime’s oldest modus operandi.  It now arrives through cybersecurity penetration and ransomware that can lock up both business records and industrial control systems.  It hits utilities, hospitals and other essential service providers (as well as the internet connected controls in your home).

What is ransomware? It is a type of evil computer virus that locks companies out of their entire computer systems until the ransom is paid.  It can be as lucrative as drugs for organized crime.

Utilities operate Industrial Control Systems – boring software that runs the physical operations  of the utility – the power plants, valves, and distribution systems.  Like the old water pipes in Flint Michigan, those systems are a hodge-podge of software that is often antiquated with a mix of weakly guarded access points.  Thus, they can be easy to hack into – sometimes literally just with a phone call.  In many older systems, the business office also directly links to the operations controls, and thus offers a broad threat surface to attackers who want to inflict pain.

Is this scenario really a risk?

Absolutely.  Last month ransomware shut down an entire hospital in California with a demand for $3.4 million.  The hospital actually paid less, and the criminal honored his/her promise to unlock the hostage records and systems – so the outcome was “tolerable.”

But as with any “hostage” situation, there is always the risk that the hostage will never be returned even after the ransom is paid.  Recall the negotiations in Bridge of Spies.

Ransomware on industrial control systems is scary – and the vulnerabilities exist

This is the understated description from US experts and the European cybercrime authorities:
"Supervisory Control and Data Acquisition (SCADA), Industrial Control Systems (ICS) and Automatic Identification Systems (AIS) are complex systems composed of various hardware and software components, often from different vendors. They were often designed with little consideration for network security. Mergers and acquisitions, poor assessment management, absence of patch management policies and a lack of knowledge transfer prior to staff turnover can all negatively impact the cybersecurity of Industrial Controls. Together with the persistence of legacy systems and the difficulties in maintaining a continuous cycle of updates, a steady increase in the number of opportunities to exploit vulnerabilities can be expected.

The threat theatre is increasingly characterised by organised groups or non-state actors and individuals resorting to asymmetric attacks enabled by the universal connectivity the Internet provides and the availability of the necessary tools and attack information. Loss of control over technology as a result of globalisation, the need for online accessibility, and foreign ownership of critical infrastructures is also increasing

The time period from when a vulnerable system is breached by a malicious outsider to the breach being discovered and vulnerabilities identified and patched, is currently on average about 200 days. (emphasis added)"

Europol. The Internet Organised Crime Threat Assessment, p. 44 (2015)

Yes, that’s right –your family or your business might have to wait 200 days for the heat and hot water to be turned back on!

Advanced analytics help control utilities risk

Because the operations software used by utilities is such a mix of old and new, the Department of Homeland Security has put a priority on recommendations to help control the risks of shutdowns caused by various cyber-attacks.  The first step involves collecting and preserving logs from the many machines and components so that preventive and forensic analysis can be effective.   These logs are more than traditional performance and maintenance logs.

Utilities have used real-time dashboards for many years to monitor the performance of their systems.  That is one kind of analytics, but high quality advanced analytics goes much further. 

Old style analytics typically involved comparing a current sensor reading against its own historical record, or against an aggregate of similarly operating sensors.  This was useful for finding certain kinds of anomalies to produce “green-light or red-light” notifications.  A line graph, pie chart and maybe a “speedometer” were all that was needed to understand the isolated phenomenon.

Advanced analytics looks further – for links among disparate data, for flows of information that combine or divide, and for patterns that may involve cycles, different states, inconsistencies and transient timing.  Advanced analytics focus on identifying gaps, anticipating problems and observing unexpected holistic changes in the environment.  Advanced analytics help close the gaps that criminals exploit to introduce ransomware or other threats.  To speed understanding of complex systems, advanced analytics produce visualizations of the connections among thousands (or tens of millions) of events.  The cluster-link graph in Figure 1 shows such a drill-down into risks found on a large enterprise’s 1000+ servers.

Fig. 1  Graph showing vulnerabilities linked to servers in a large enterprise.  While root activity (a potential vulnerability) is linked to almost all servers – probably in the course of normal administration – privileged commands are being applied to only three servers.  In this graph, the two large nodes in the upper right were known to be servers undergoing maintenance with much root activity.

When we employ advanced analytic techniques we can associate when and where data travels, who the users are and their methods of access, what software is operating and what parts are getting used the most. 

A simple example is work we recently did to answer this concern:  Are those terminated employees who  still have access to the system scraping and taking confidential information?  We brought together records of their roles, ordinary activities, authorized access, and where they walked through the offices to look for unusual behaviors and intellectual property extraction (yes, sometimes at 3 am!).
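An added illustration of the kind of cross-source correlation just described (example code written for this page, not the author's own work): it joins a constructed HR termination roster, a system access log and a building badge log, and flags access by terminated accounts, weighting off-hours activity, access with no matching badge swipe, and bulk transfers. The byte threshold and badge window are assumed values.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): an HR termination roster, a
# system access log and a building badge log, as three disparate sources.
TERMINATIONS = {"jdoe": datetime(2016, 3, 1), "asmith": datetime(2016, 2, 15)}
ACCESS_LOG = [  # (timestamp, user, action, resource, bytes transferred)
    (datetime(2016, 2, 28, 10, 5), "jdoe", "read", "hr/policy.pdf", 200_000),
    (datetime(2016, 3, 4, 3, 12), "jdoe", "download", "eng/designs.zip", 120_000_000),
    (datetime(2016, 3, 7, 14, 0), "asmith", "read", "sales/leads.csv", 3_000_000),
    (datetime(2016, 3, 7, 9, 30), "mlee", "download", "eng/designs.zip", 120_000_000),
]
BADGE_LOG = [(datetime(2016, 3, 7, 8, 45), "asmith"), (datetime(2016, 3, 7, 8, 50), "mlee")]

BULK_BYTES = 50_000_000             # threshold for a "bulk extraction" (assumed)
BADGE_WINDOW = timedelta(hours=12)  # a swipe this recent counts as "on site" (assumed)


def off_hours(ts):
    """Outside 06:00-22:00, e.g. the 3 am activity the text mentions."""
    return ts.hour < 6 or ts.hour >= 22


def badged_in(user, ts, badge_log):
    """True if the user swiped into the building within BADGE_WINDOW before ts."""
    return any(u == user and ts - BADGE_WINDOW <= b <= ts for b, u in badge_log)


def flag_post_termination_access(terminations, access_log, badge_log):
    """Join the three sources and return one finding per access event that
    happened on or after the user's termination date, with the reasons that
    make it suspicious. Findings are sorted so the most suspicious come first."""
    findings = []
    for ts, user, action, resource, nbytes in access_log:
        term = terminations.get(user)
        if term is None or ts < term:
            continue  # current employee, or access while still employed
        reasons = ["access after termination on %s" % term.date()]
        if off_hours(ts):
            reasons.append("off-hours")
        if not badged_in(user, ts, badge_log):
            reasons.append("no badge swipe")  # remote access by an ex-employee
        if nbytes >= BULK_BYTES:
            reasons.append("bulk download")
        findings.append({"user": user, "time": ts, "action": action,
                         "resource": resource, "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for f in flag_post_termination_access(TERMINATIONS, ACCESS_LOG, BADGE_LOG):
        print(f["user"], f["time"], f["action"], f["resource"], "; ".join(f["reasons"]))
```

With the constructed data, the ex-employee's 3 am bulk download with no badge swipe ranks first, while a terminated account used during business hours by someone who badged in still surfaces, but with a single reason.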

A more complex example is from a different company that was seeking out new and potentially risky communications.  The company had a slowly changing pattern of sequences of communications defined by habitual  information needs of its customers.   We visually mapped out those patterns and then compared recent activity across millions of links to the past.  We quickly spotted recently broken communication lines, which the company tracked down and fixed.  But we also identified new patterns.  It turned out those were service improvements being implemented by one branch of the company, but it could have been bad guys creating “back doors” in preparation for  a future attack on the company’s computer systems.

Ransomware always starts with a backdoor – somehow the attackers find a way in to plant the virus that will lock up all the company’s operational software or business data so that ransom can be demanded.  Advanced analytics help prepare the defense and reduce those risks.  It is the constant effort of applying advanced data science to the big and disparate data at utilities that helps keep the promise of a hot shower every day all week. 

Are your critical service providers well protected?

Overview of US industrial control systems cyber vulnerabilities
The Internet Organised Crime Threat Assessment 2015
Ransomware strikes California Hospital
More information about advanced analytics at Teradata Corporation

Kevin B. Pratt has been Chief Scientist at ZZAlpha LTD. since 2010
He was also Lead, Anti-Fraud Analytics, Sr. Analytics Scientist in the Teradata Big Data and Advanced Analytics Group until June 2016.
There was and is no connection whatsoever between ZZAlpha LTD. and Teradata Corp.