Month: October 2018

Cryptomining in ICS

New technology now allows operators of industrial infrastructure such as oil and gas platforms, mine sites, manufacturing plants and utilities to have remote visibility and control over their production processes.  The disadvantage of this new technology is that it provides avenues for cybercriminals to exploit.  Therefore, advanced cyber security techniques are required to ensure the operating environment remains safe and secure from malicious actors who are always innovating to achieve their aims.

This article discusses a new technique that normally would not be associated with cyber-crime called ‘Cryptomining’.


The advent of blockchain technology allowed for the creation of the first decentralised virtual currency, Bitcoin. This was the first of many virtual currencies that could be ‘mined’ by a computer through the process of verifying cryptographic chains.

The use of technology has grown exponentially over the last few years. It allows a miner to compete with other crypto miners to solve complicated mathematical problems with cryptographic hash functions that are associated with a block containing the transaction data.  The reward for cracking the code is the authorisation of the transaction and a small amount of cryptocurrency.

Cybercriminals are capitalising on the rise of crypto mining, and the integration of industrial technology with the internet.

These malicious actors are starting to recognise the value in utilising the processing power of these operating systems as a method for mining cryptocurrency.

ICS targeted by crypto miners

The technology has resulted in ‘Cryptojacking attacks’ where the intent is to consume compute cycles within the target control system to perform the crypto mining activity.  The goal for this type of attack isn’t to steal or take control of the infrastructure but to consume a small amount of computer power on the system to generate cryptocurrency. This can result in performance degradation of the system.  The payload of this type of attack has been found to be delivered in malware that is becoming increasingly widespread.

Potential impact

Some would argue that actors targeting processing power, rather than company bank accounts or confidential data, are a lesser threat to an organisation.

However, the impact on a company’s systems can be both financially and physically disastrous.

All computing devices, from an employee’s laptop to an interface controlling air flow into a mine, are capable of a certain amount of processing based on their hardware specifications. In operational technology, these capabilities are only enough for the device to function correctly and allow for it to deal with minor failures. If the device does not have the adequate processing power, it will cease to function as expected, instructions given to the system will be ignored, and a manual reboot or complete replacement will be necessary. Cryptomining does exactly this. Cryptomining technology accesses processing power of a device and utilises that power to perform its mining function.

Hopefully, the targeted device is a regularly used machine and the slow down or failure of its function will be recognised by an operator, and processing will be stopped to fix it. This ‘best case scenario’ results in costs associated with stopping all systems associated with, and replacing or fixing, the compromised device. However, the infected machine could be part of a safety or redundancy system that is only used in an emergency. Only when it is needed will the system fail, resulting in potentially catastrophic physical damage or loss of life.

A secondary consequence is the bandwidth usage of cryptocurrency mining operations. Cryptomining software will regularly be in contact with its Command and Control (C2) server, creating high levels of data traffic that adds greater stress to operational technology communications infrastructure.


Traditional cyber security practices, such as the use of anti-virus software and firewalls, are a good start for the protection of an industrial network’s perimeter. However, the innovation of recent cyber attacks expresses the importance of a solution that is resilient and adaptable.

Cryptomining software and data traffic can often go undetected by common malware signature databases and firewall rulesets.

ICS specific detection solutions provide visibility of what and how devices in a network are communicating. These solutions often raise alerts based on the anomalous behaviour of devices. Sudden higher traffic levels from a device will lead to an immediate investigation. If a safety redundancy device is consistently operating, network visibility allows for actionable intelligence to immediately address the issue.

Passive network monitoring solutions provide insights and visibility against malicious crypto mining activities, with minimal impact on network bandwidth.


Honeypot technology

There is a growing importance placed on detection technologies in both threat research and damage mitigation. In every war, intelligence is of the utmost importance for deployment of resources and exploitation of an adversary. The cyber battlefield is no different, as discovery and understanding of the enemies’ avenue for attack is the best method for preventing damage to an organisation.

The adversary is also changing, from opportunistic broad-spectrum attacks to more targeted, developed threats.

In the cybersecurity arena, forensic analysis is the process of deconstructing an attack’s exploitation, transmission vector and payload to determine exactly how and, if possible, why a system was compromised. It is important for evaluating a networks’ vulnerability, creating defences against attacks, as well as predicting how potential attacks may operate.

What is a honeypot?

A ‘honeypot’ in cybersecurity describes an apparently vulnerable network device with the capacity to covertly monitor and record attacks against it. The honeypot is set up to appear enticing and legitimate to an attacker, without actually compromising important data if attacked.

What is its purpose?

A honeypot can capture the attack methodology, attack signature, information on targeted systems, network vulnerabilities and, potentially, information on the attacker. This intelligence allows the cybersecurity industry to be more adept at detection of current attacks and prevention of future attacks. Attack signatures can be added to intrusion databases, a methodology can be dissected and understood in order to develop defence strategies, and vulnerabilities can be exposed and patched before they can be exploited. A greater understanding of a cyber adversary is also integral to the ability of the cybersecurity industry to evolve and adapt.

Awareness of the motives of attackers creates a great advantage for security professionals to predict how the cyber threat landscape is developing, and allow for pre-emptive countermeasures to be deployed.

Malicious actors are aware of the existence and purpose of honeypots and are constantly wary of being trapped. Therefore, effective honeypot deployment involves making the device look as real as possible. This includes protecting the device with proper security technology and having the device retain data and traffic that appears legitimate. However, in order to protect legitimate data, these honeypots are often located outside of the company’s secure network, in a fake network or ‘Demilitarised Zone’ (DMZ).

Honeypots in Active Defence

Honeypots are increasingly being adopted by operators who are seeking to strengthen their cybersecurity regime using countermeasure technology.  The devices provide the opportunity to observe the actions of an attacker and build an understanding of the tactics, techniques and procedure being used against systems or facilities.  A well-implemented honeypot deployment can provide the following:

  • Highlight risks and assess the seriousness of a threat.
  • Provide impact assessments based on the observations of the activities of the threat.
  • Direct further investigative activities and allow for incident response planning.
  • Deliver specific Threat Intelligence to the organisation.
  • Act as a decoy to bolster defence systems.

Future Use of Honeypots

ICS systems will continue to be attacked, with potentially greater success, as new tools and easily accessible information becomes more widely available.

This will allow the technical knowledge, sophistication and new methodologies for attacks to develop over time.  Honeypots are a useful tool that can indicate malicious intent and methodologies to provide operators with the intelligence required to build a or strengthen the security posture of an organisation.

Threat Landscape Report: Virtually No Firm is Immune from Severe Exploits

With over 100,000 known exploits, most organizations cannot patch vulnerabilities fast enough to keep up. This indicates that cybercriminals are not only developing new technologies and strategies to exploit potential victims, but they are also becoming more selective in the way they leverage those exploits, focusing on those that will generate the biggest bang for the buck.