Cryptomining in ICS

New technology now allows operators of industrial infrastructure such as oil and gas platforms, mine sites, manufacturing plants and utilities to have remote visibility and control over their production processes. The disadvantage of this new technology is that it provides avenues for cybercriminals to exploit. Therefore, advanced cyber security techniques are required to ensure the operating environment remains safe and secure from malicious actors who are always innovating to achieve their aims.

This article discusses a new technique that would not normally be associated with cyber-crime: ‘Cryptomining’.


The advent of blockchain technology allowed for the creation of the first decentralised virtual currency, Bitcoin. This was the first of many virtual currencies that could be ‘mined’ by a computer through the process of verifying cryptographic chains.

The use of this technology has grown exponentially over the last few years. It allows a miner to compete with other crypto miners to solve complicated mathematical problems with cryptographic hash functions that are associated with a block containing the transaction data. The reward for cracking the code is the authorisation of the transaction and a small amount of cryptocurrency.

Cybercriminals are capitalising on the rise of crypto mining and the integration of industrial technology with the internet.

These malicious actors are starting to recognise the value in utilising the processing power of these operating systems as a method for mining cryptocurrency.

ICS targeted by crypto miners

The technology has resulted in ‘Cryptojacking attacks’ where the intent is to consume compute cycles within the target control system to perform the crypto mining activity. The goal for this type of attack isn’t to steal or take control of the infrastructure but to consume a small amount of computer power on the system to generate cryptocurrency. This can result in performance degradation of the system. The payload of this type of attack has been found to be delivered in malware that is becoming increasingly widespread.

Potential impact

Some would argue that actors targeting processing power, rather than company bank accounts or confidential data, are a lesser threat to an organisation.

However, the impact on a company’s systems can be both financially and physically disastrous.

All computing devices, from an employee’s laptop to an interface controlling air flow into a mine, are capable of a certain amount of processing based on their hardware specifications. In operational technology, these capabilities are only enough for the device to function correctly and to deal with minor failures. If the device does not have adequate processing power, it will cease to function as expected, instructions given to the system will be ignored, and a manual reboot or complete replacement will be necessary. Cryptomining does exactly this. Cryptomining technology accesses the processing power of a device and utilises that power to perform its mining function.

Hopefully, the targeted device is a regularly used machine and the slowdown or failure of its function will be recognised by an operator, and processing will be stopped to fix it. This ‘best case scenario’ results in costs associated with stopping all systems associated with, and replacing or fixing, the compromised device. However, the infected machine could be part of a safety or redundancy system that is only used in an emergency. Only when it is needed will the system fail, resulting in potentially catastrophic physical damage or loss of life.

A secondary consequence is the bandwidth usage of cryptocurrency mining operations. Cryptomining software will regularly be in contact with its Command and Control (C2) server, creating high levels of data traffic that adds greater stress to operational technology communications infrastructure.


Traditional cyber security practices, such as the use of anti-virus software and firewalls, are a good start for the protection of an industrial network’s perimeter. However, the innovation shown in recent cyber attacks underscores the importance of a solution that is resilient and adaptable.

Cryptomining software and data traffic can often go undetected by common malware signature databases and firewall rulesets.

ICS-specific detection solutions provide visibility of what devices in a network are communicating and how. These solutions often raise alerts based on the anomalous behaviour of devices. Sudden higher traffic levels from a device will lead to an immediate investigation. If a safety redundancy device is consistently operating, network visibility allows for actionable intelligence to immediately address the issue.

Passive network monitoring solutions provide insights and visibility against malicious crypto mining activities, with minimal impact on network bandwidth.
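
The behaviour-based alerting described above can be sketched as follows. This is an added example, not code from the article or from any monitoring product: it learns a per-device traffic baseline from passively captured flow summaries, then flags sudden traffic increases, previously unseen peers, and a standby device that is consistently active. The device names, roles, addresses, byte counts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed per-minute flow summaries from a passive tap:
# (minute, device, role, peer, bytes). Names and addresses are illustrative.
BASELINE = (
    [(m, "hmi-01", "active", "10.0.0.5", 4000 + 50 * (m % 3)) for m in range(30)]
    + [(m, "plc-02", "active", "10.0.0.5", 1200) for m in range(30)]
    + [(m, "sis-standby", "standby", "10.0.0.5", 200) for m in (0, 15)]
)
OBSERVED = (
    [(m, "hmi-01", "active", "10.0.0.5", 4050) for m in range(10)]
    + [(m, "hmi-01", "active", "203.0.113.7", 9000) for m in range(4, 10)]
    + [(m, "plc-02", "active", "10.0.0.5", 1200) for m in range(10)]
    + [(m, "sis-standby", "standby", "10.0.0.5", 210) for m in range(10)]
)

def summarise(records):
    """Return bytes per (device, minute), peers per device, role per device."""
    volume, peers, roles = defaultdict(int), defaultdict(set), {}
    for minute, dev, role, peer, nbytes in records:
        volume[(dev, minute)] += nbytes
        peers[dev].add(peer)
        roles[dev] = role
    return volume, peers, roles

def detect(baseline, observed, k=5.0, standby_duty=0.5):
    """Map each alerting device to its sorted alert reasons."""
    b_vol, b_peers, _ = summarise(baseline)
    o_vol, o_peers, roles = summarise(observed)
    window = len({m for _, m in o_vol})  # minutes covered by the observation
    alerts = {}
    for dev in o_peers:
        hist = [v for (d, _), v in b_vol.items() if d == dev] or [0]
        med = median(hist)
        # Median absolute deviation; fall back to 5% of median for flat baselines.
        mad = median([abs(v - med) for v in hist]) or 0.05 * med or 1
        seen = [v for (d, _), v in o_vol.items() if d == dev]
        reasons = set()
        if any(v > med + k * mad for v in seen):
            reasons.add("traffic-spike")
        if o_peers[dev] - b_peers.get(dev, set()):
            reasons.add("new-peer")
        if roles[dev] == "standby" and len(seen) / window > standby_duty:
            reasons.add("standby-consistently-active")
        if reasons:
            alerts[dev] = sorted(reasons)
    return alerts
```

In the constructed data the standby device stays under its volume threshold and talks only to its usual peer, so the only signal is that it is active in every observed minute, which is the case the article singles out.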