For decades, the technologies central to the operation of large-scale industrial settings - such as the control and monitoring systems used in factories or power plants – have largely avoided targeted cyber attacks due to their relative inaccessibility to the public. Unlike more general IT systems, which have long borne the brunt of so-called “cyber extortion” attacks (which often involve the encryption and subsequent ransoming of data and assets), this operational technology (OT) has typically only fallen victim to insider or state-sponsored attacks, largely in part to the lack of monetary incentives for hackers to target these systems.

However, with payouts from the ransoming of IT systems recently declining, there is a growing concern amongst the industry sector that cyber criminals may be turning their attention towards attacking their service-critical OT systems instead. A team of academics – led by Dr Ric Derbyshire, Senior Security Researcher at Orange Cyberdefense and Honorary Researcher in Lancaster’s School of Computing and Communications - have therefore been exploring potential ways cyber attackers could exploit operational technologies for financial gain.

The team have proposed the concept of “Dead Man’s PLC” as a possible tool that cyber criminals could use in order to make attacks against OTs profitable. Rather than encrypting data in a specific location (which in an industrial setting concerning engineering processes rather than private data, could more easily be recovered), Dead Man’s PLC instead holds the entire OT network hostage during the attack. Dead Man’s PLC then monitors the systems and, if it detects the victim of the attack attempting to make changes to any of the systems on the network, or if they otherwise fail to pay the ransom, it detonates a “dead man’s switch”. This dead man's switch essentially acts as a self-destruct command to the network, disrupting it from performing its required processes and enabling malicious code that would be devastating for the victim, therefore encouraging them to pay the ransom. The full paper, detailing the test scenarios the team conducted, was published in Digital Threats: Research and Practice, with the findings also being presented at the recent RSA Conference in San Francisco.

On the findings of their research, Dr Derbyshire commented: “With Dead Man’s PLC, we considered several criteria that would make the attack not only practically feasible against operational technology, but also optimised to incentivise payment of the demanded ransom. While this may sound terrifying, our main piece of advice is to not worry about this becoming a commodity cyber-attack soon. At present, the greatest threat to operational technology is ransomware targeting the IT systems on which it depends, causing cascading consequences down to the physical process.”

It may seem strange that a team of academics would develop a method of attacking critical systems themselves, but this exercise is a crucial part of helping organisations understand realistic threats they may face in the future, and how they can act to mitigate them.

On this, Dr Derbyshire added: “We’ll continue to research creative cyber-attacks that impact operational technology, but for obvious reasons, we don’t intend to further refine a method that criminals may use. Our latest work looks to improve the security of operational technology through hacking; more specifically, penetration testing – a process whereby ethical individuals emulate the tactics, techniques, and procedures of real cyber adversaries to find vulnerabilities. At present, conducting penetration testing on operational technology has many challenges, and through a fellowship with RITICS, we are enumerating those challenges to identify the most promising ways to improve it.”