Hackers will begin using complex attacks to bring down infrastructure such as power stations, possibly for days at a time, a major security conference has heard.
Speakers told the RSA Conference 2017 in San Francisco that cyber-attackers would begin interfering with such systems and bringing down servers and work stations at scale. They also predicted that hackers would move their attentions from hospitals to banks.
Michael Assante of the SANS Institute for information security training said such attacks on power stations in Ukraine in 2015, which left 200,000 people without power, and a later one in 2016, were measured in hours.
Mr Assante said hackers had learned to deliver their malicious software and code directly into such systems.
They were then able to turn against the control system and begin overwriting storage, destroying work stations and servers and delivering bad firmware to devices to render them inoperable or ‘brick’ them.
Mr Assante said many organisations did not have response plans, which was a concern. They now needed to take into consideration how much automation of systems was too much and whether there were fewer employees available to manually restore power systems, for example.
“Now, you are in a position where you’ve to ask yourself what’s the right balance between man or machine,” he said.
Ransomware
Ed Skoudis, an instructor at the SANS Institute, said one of the biggest issues over the past number of years had been the explosion of ransomware, particularly crypto-ransomware, which was much more powerful.
There are more than 21 different active families of crypto-ransomware available today, and it was “an ideal way for the bad guys to attack”, he said.
The hackers did not need a command and control structure and did not even have to exfiltrate the data from the company’s environment, because it would just remain there in an encrypted form.
Mr Skoudis also noted that ransomware attacks on healthcare records in the US constituted a data breach, even if the data was not removed from the organisation. The fact that it had been locked down with ransomware constituted a data breach and that needed to be reported, he said.
In one of Wednesday’s morning keynote sessions, Mr Skoudis said organisations hit with ransomware also had to consider who was responsible for deciding whether or not they paid up when affected.
“If you get hit with ransomware, you are now in a business negotiation with the bad guys,” he said.
They were “very practical business people”. But it was in a company’s interest to “look like a small individual who has trouble scraping together one or two bitcoins to pay the ransom”.
Internet of Things
He told the audience that the current state of the Internet of Things was just “a passing time”. A year or two ago, many people looked at the IoT as “a set of devices you could attack”. But all the technologies involved in the IoT were very complex and they were converging, he said.
He asked delegates to consider what they would pay hackers to turn their lights or heat back on, or to release their car from the grip of ransomware if it was targeted and they couldn’t drive to work.
Some 40,000 people are attending the conference, which continues at the Moscone Center in San Francisco until Friday.