How SCADA/ICS Changes the Equation
Recent reports of SCADA/ICS proof-of-concept ransomware have spurred fresh discussion on the topic. Few threats exceed the level of concern that ransomware generates in the minds of corporations. There are some fundamental economics behind ransomware, though, that can help predict its evolution, particularly in view of the potential for attacks on public infrastructure.
"Current indications are that ransomware price demands are increasing, which likely means the market (such as it is) has not yet reached an equilibrium."
Consider ransomware as a "product." Normally we think of products as offering some positive value, for example allowing us to produce more output or reduce our costs, or entertain us, etc. Ransomware is a product with negative value, where the victim can avoid costs by paying for the product. Since the product is destructive rather than constructive and relies on threatening the value built by others, it is parasitic and criminal - but still subject to economic principals.
One economic observation is that the price should not exceed the value of the lost - or potentially lost - resource. That value is somewhat subjective, but there are often limits to the victim's ability to pay, and obviously there are limits to the attacker's ability to assess the value of the lost resource. So the attacker is incentivized to choose a ransom price that is both within the victim's ability to pay, and does not exceed what the victim considers the potential loss value. In addition, since most of these attacks are targeting hundreds, thousands, or more potential victims, the attacker typically must make an educated guess as to a value that will net the most overall gain.
However, things can get somewhat more complicated. Some attackers taking advantage of the ransomware phenomenon make "poor quality" products that destroy resources without offering the ability to recover them. Some attackers do not or cannot consistently provide the ability to recover the resources lost, even upon payment - for example, by failing to provide usable decryption keys or utilities. These poor quality or "fake" ransomware attacks undermine the credibility of the attacker and, to some extent by association, the credibility of "quality" ransomware purveyors. This undermining of victim/consumer confidence places another variable into the pay-or-don't-pay calculation: The victim has to consider the likelihood that their loss will not be restored upon paying the ransom. The higher the likelihood (perceived, at least) that the resource will not be restored, the lower the expected return for paying the ransom, driving down the "value" of the ransom. This in turn weighs on the price attackers can demand. While cheaper to produce and operate, poor quality ransomware would appear to have a lot of factors that suppress it. As a result, it should generally only be able to maintain a small minority share of the market, at least once the market is saturated.
These economics appear to still be playing out. Current indications are that ransomware price demands are increasing, which likely means the market (such as it is) has not yet reached an equilibrium. When that occurs, some of the mitigating economic pressure on producers of poor quality ransomware will be removed. This appears to be bolstered by the fact that the number of ransomware attacks also continues to increase.
With the advent of real IoT ransomware and proof-of-concept infrastructure-targeting ransomware — phenomena long predicted by myself and others - things get even scarier. Potential threats to infrastructure are not new. Nation states have long had the ability to negatively impact their adversaries' infrastructure. However, the risks of escalation and even mutually assured destruction (MAD) tend to lead to a natural detente. Governments must weigh the benefits of such operations against the myriad risks of political blowback, collateral damage, or discovery and subsequent reprisal.
When criminal actors engage in attacks on infrastructure, however, the possibility of detente is not a factor and the conflict becomes asymmetric, just as it always has been with ransomware. When ransomware moves into the kinetic realm, either by impacting physical infrastructure or tangential systems that can adversely affect physical infrastructure, the conflict has been elevated to the next level.
It's hard to fathom the potential loss of value from ransoming resources such as clean water, electricity, transportation, and other infrastructure relied on by thousands or even millions of people. It also demonstrates that there is significantly more potential loss for the attacker to monetize, and it means that increased attempts to threaten public infrastructure are virtually inevitable. Similarly, it is hard to predict how bold attackers will be in their attempts to hold infrastructure hostage - but it would be the epitome of imprudence to simply wait to find out.
In March of 2009, eBay and ING announced the formation of the Cloud Security Alliance in order to promote best practices to assure secure cloud computing. Then in September of 2015, AirWatch formed the Mobile Security Alliance together with 10 other companies, aiming to mitigate the growing threat within the mobile threat landscape.
Just as the resource loss caused by ransomware can become more severe and impactful in IaaV scenarios, so efforts must be made to increase the potential and actual costs to would-be attackers. Severe penalties increase the riskiness of such ventures, and better security and isolation are needed for our infrastructure. It may be that legislation is needed to spur preparatory action in the private sector, which historically has been reactive, undereducated and unprepared in this area. While robust backups are an effective mitigation for data-encrypting ransomware, no such silver bullet exists in the space of ICS (industrial control systems) such as SCADA (supervisory control and data acquisition). Action must be taken by the organizations responsible for those systems since the threats posed are a potential "tragedy of the commons," a venerated economic principle that describes how unchecked self-interest can be detrimental to the common good.
For the time being, the only saving grace is that the attack surface area of SCADA/ICS systems is somewhat fractured. While corporate and consumer attacks can be carried out on a massive scale through email phishing, our public infrastructure is not quite the monoculture that the desktop space has become. But that is cold comfort as the sheer scope of the problem of securing vulnerable public infrastructure comes increasingly into focus.
The problems caused so far by ransomware only hint dimly at the paradigm's future destructive potential. We need to apply foresight - paying heed to early warnings that are signs of possible, if not likely, things to come. While there is no silver bullet to prevent ransomware, there are steps we can take to secure our information and infrastructure, such as significantly reducing exposure of critical infrastructure to the public Internet, improving access control, and deploying effective, next-generation endpoint protection. Those steps must be taken soon, however, as applying simple economics shows that it's only a matter of time before the problem gets worse.