Accepted author manuscript
Licence: CC BY: Creative Commons Attribution 4.0 International License
Research output: Contribution to Journal/Magazine › Journal article › peer-review
TY - JOUR
T1 - Dead Man's PLC
T2 - Towards Viable Cyber Extortion for Operational Technology
AU - Derbyshire, Richard
AU - Green, Benjamin
AU - van der Walt, Charl
AU - Hutchison, David
PY - 2024/10/1
Y1 - 2024/10/1
N2 - For decades, operational technology (OT) has enjoyed the luxury of being suitably inaccessible, and thus has experienced directly targeted cyber attacks from only the most advanced and well-resourced adversaries. However, security via obscurity cannot last forever, and indeed a shift is happening whereby less advanced adversaries are showing an appetite for targeting OT. With this shift in adversary demographics, there will likely also be a shift in attack goals, from clandestine process degradation and espionage to overt cyber extortion (Cy-X). Even if encryption-based Cy-X techniques were launched against OT assets, typical recovery practices designed for engineering processes would provide adequate resilience. In response, this paper introduces Dead Man's PLC (DM-PLC), a pragmatic step towards viable OT Cy-X that acknowledges and weaponises the resilience processes typically encountered in any OT environment. Using only existing functionality, DM-PLC considers an entire environment as the entity under ransom, whereby all assets constantly send one another heartbeats to ensure the attack remains untampered with, treating any deviations as a detonation trigger akin to a Dead Man's switch. A proof of concept of DM-PLC is implemented and evaluated on a peer reviewed and industry validated OT testbed to demonstrate its malicious potential.
AB - For decades, operational technology (OT) has enjoyed the luxury of being suitably inaccessible, and thus has experienced directly targeted cyber attacks from only the most advanced and well-resourced adversaries. However, security via obscurity cannot last forever, and indeed a shift is happening whereby less advanced adversaries are showing an appetite for targeting OT. With this shift in adversary demographics, there will likely also be a shift in attack goals, from clandestine process degradation and espionage to overt cyber extortion (Cy-X). Even if encryption-based Cy-X techniques were launched against OT assets, typical recovery practices designed for engineering processes would provide adequate resilience. In response, this paper introduces Dead Man's PLC (DM-PLC), a pragmatic step towards viable OT Cy-X that acknowledges and weaponises the resilience processes typically encountered in any OT environment. Using only existing functionality, DM-PLC considers an entire environment as the entity under ransom, whereby all assets constantly send one another heartbeats to ensure the attack remains untampered with, treating any deviations as a detonation trigger akin to a Dead Man's switch. A proof of concept of DM-PLC is implemented and evaluated on a peer reviewed and industry validated OT testbed to demonstrate its malicious potential.
U2 - 10.1145/3670695
DO - 10.1145/3670695
M3 - Journal article
VL - 5
SP - 1
EP - 24
JO - Digital Threats: Research and Practice
JF - Digital Threats: Research and Practice
IS - 3
M1 - 23
ER -