Dead Man's Switch: A Potential Alternative to Ransomware in Operational Technology Environments
In 1915, tram travel was a popular means of getting around American cities, and in that year the Birney car was born. This newly designed streetcar brought with it a new idea: single-person operation. Up to this point, streetcars had both a Motorman to drive the tram and a Conductor to control the doors for passengers. The Birney allowed the Motorman to control the doors, which meant the car needed only one person. During the war-influenced labour shortage, this was a good thing for communities. However, this new idea brought with it a significant problem: a single point of failure. What happens if the Motorman falls asleep, has a medical problem, or dies while the tram is in operation? Thus the dead man's control was introduced, in the form of a handle that had to be constantly held in order for the tram to work. Releasing the handle would cause the brakes to be applied, bringing the car to a safe, but abrupt, stop.
Since their inception, Dead Man's Switches have evolved into various forms. The Birney tram example serves as a classic illustration of a 'fail-safe' mechanism, where the automatic action ensures immediate safety. On the other hand, there exists a darker variant known as 'fail-deadly', akin to scenarios depicted in spy movies where the bad guy holds the detonator and says, “If you kill me, I'll release the trigger and the hostages explode - Muhahaha” - or something like that.
Dead Man’s Switches can also be used on computer systems, and they may be the next avenue for professional hacking gangs and nation-state actors. The paper Dead Man's PLC: Towards Viable Cyber Extortion for Operational Technology, by Derbyshire, Green, Van Der Walt, & Hutchison, outlines how Operational Technology (OT) networks may be very vulnerable to attacks of this nature.
You're likely well-acquainted with Information Technology (IT) networks and their array of components: laptops, desktops, printers, mobile phones and firewalls. However, Operational Technology (OT) operates in a different space, specifically tailored for industrial networks. These systems oversee and regulate physical processes, encompassing devices such as Programmable Logic Controllers (PLCs), Industrial Control Systems (ICS), and sensors. The differences between these types of environments are important, and one of the biggest can be seen by applying the Cyber Security CIA Triad framework to both.
The CIA Triad
Confidentiality - Protecting sensitive information from unauthorised access.
Integrity - Ensuring that data remains accurate, reliable and untampered with in a system.
Availability - Ensuring that the data and systems are accessible and usable by authorised users when they need it.
For IT environments, Confidentiality is usually the biggest concern. This is reflected in legislation, with governments often imposing large fines on organisations for data breaches. Additionally, for an IT environment, one of the most destructive attacks to experience is Ransomware. Ransomware attacks involve malicious actors getting into an organisation, often exfiltrating sensitive data, and then encrypting as much of the data in the environment as possible. They then reach out to the organisation and offer salvation through a payment; otherwise they will sell the data and never unlock the target's systems. Ransomware attacks take a sledgehammer to all 3 pillars of the CIA triad. Confidentiality is lost because attackers have their hands on the data and threaten to leak it; Integrity is lost because you cannot be sure that, if you get the data back, it is unchanged; and finally, Availability is affected while everything is locked or the data is stolen.
Derbyshire, Green, Van Der Walt, & Hutchison make some interesting observations about this attack method in the context of an OT environment. Firstly, OT environments are esoteric. If I want to target you and your Windows XP computer, I can easily find a Windows XP virtual machine online and practice breaking into it before I try to hack you. However, if you run an oil refinery, I’m not likely to find a virtual machine for your specialised oil refining PLC floating around online. So the current hacking groups have a hard time navigating these OT environments. This concept is known as ‘Security through Obscurity’. Though over time ‘Security through Obscurity’ will weaken, and suddenly the obscure will become illuminated and clear. Secondly, Ransomware does not affect OT environments in the same way as it does IT environments. The data within an OT environment is most likely not sensitive or personal information. An OT environment flips the CIA triad priority upside down. In OT, Availability of the systems is paramount, followed by Integrity and Confidentiality. Given this, OT environments are built in order to keep running. Engineering practices are in place to quickly replace faulty components, and configurations can be set back to a baseline. Derbyshire, Green, Van Der Walt, & Hutchison suggest that this is what makes Ransomware an ineffective attack on OT environments. In the event of ransomware, PLCs can be quickly reset, and the organisation can be back up and running relatively quickly. They therefore theorise that a new attack may be on the horizon.
The Dead Man’s PLC is an attack theory that takes advantage of the importance of Availability. Once inside an OT network, the attackers use existing OT functionality to set up covert network monitoring and device polling, as well as denying any configuration update attempts by the victim organisation. They use the network monitoring to identify any restorative activities that the target may be attempting. Once set up, the attackers let the victim know that any attempt to restore their systems, or failure to pay the ransom in time, will result in all of the PLCs’ outputs being set to “ON”. At first this might sound strange. If availability is of the most importance, surely the victim would want the outputs to be “ON”? This is not the case.
In 2017, the Triton malware was discovered. It is often cited as the first cyber attack used intentionally to cause physical harm. The attack occurred at a Saudi Arabian petrochemical plant. The hackers had infiltrated the software and systems that monitored the conditions inside the plant. These systems were designed to be a last line of defence and to detect dangerous changes inside the plant. They were designed to help return the systems back to safe levels or to shut down if things were unsafe. They controlled things such as shut-off valves and pressure release systems. The attackers were stopped before any harm had been done, but it's clear that if they had succeeded, their intent was to turn off the safety systems and likely cause some other system within the plant to malfunction. This cyber attack could have led to physical world harm. People could have died. In the Dead Man’s PLC concept, turning all PLCs on could lead to valves opening, conveyor belts moving, welders igniting, robotic arms flailing, machine presses crushing, volatile chemical mixers heating and pressurising, and all without their usual synchronisation. Irreparable mechanical damage is almost certain, and physical injury or death for employees in the area is a likely outcome.
The Dead Man’s PLC report provides some technical specifications on how this attack can be achieved, along with data from the industry-approved OT network the authors used for a proof-of-concept demonstration. The technical details are interesting, but I’m not an OT security expert, so I can't critically analyse the attack's likely effectiveness in a real-life OT environment. I do, however, find the concept of this attack interesting.
There are no rules in cyber war, yet. But it goes without saying that I hope attacks that cause physical harm don’t become the norm. It seems to me that the capability has always been there. In 2007, the Aurora experiment showed that hacking the protective relay on a power grid diesel generator with 30 lines of code could cause it to violently shake itself apart. Imagine someone hacking your wifi-connected dryer, causing it to overheat and over-spin until it explodes.
Given that this capability is seemingly available, why haven’t we seen it exploited? I believe the answer lies in the complex web of technological, ethical, and legal considerations surrounding cyber warfare. While the potential for physical harm through cyber attacks has been demonstrated in isolated incidents such as the Triton malware attack, the full extent of such capabilities remains largely untapped. The fear of retaliation, international norms against the use of cyber weapons for physical destruction, and the unpredictable consequences of such actions may serve as deterrents. However, as technology continues to evolve and geopolitical tensions escalate, the line between cyber and physical warfare may blur.
The Dead Man’s PLC report does provide some mitigation strategies for this attack. They include network monitoring tools that create a baseline of normal network behaviour and can detect when attackers are in the environment based on subtle changes. Additionally, there are stronger controls that can be put in place to make updating configurations on PLCs harder for intruders. Though these mitigations are specific to this situation, I think a broader discussion needs to be had within the international security community on how these kinds of attacks can be mitigated completely. Maybe that is wishful thinking. Maybe it’s already happening.
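As an added example (my own sketch, not code from the paper or its authors), here is a minimal version of the baselining idea in Python: it learns which hosts normally talk to which PLC, what operations they use and how often they poll, then flags new talkers, configuration writes outside the baseline and polling bursts in a later window. The host names, operation labels and traffic records are constructed for the illustration.

```python
from collections import Counter, defaultdict
# Constructed sample OT traffic records: (timestamp_s, src, dst, operation). Host names
# and operation labels are hypothetical: "poll" is a routine status read, "cfg_write" a
# PLC configuration/program download.
BASELINE = [(t, "hmi-01", "plc-03", "poll") for t in range(0, 600, 10)]  # one read per 10 s
BASELINE += [(120, "eng-ws-01", "plc-03", "cfg_write")]                    # approved engineering workstation
OBSERVED = (
    [(t, "hmi-01", "plc-03", "poll") for t in range(600, 1200, 1)]        # known HMI now polling 10x faster
    + [(t, "10.0.5.77", "plc-03", "poll") for t in range(600, 1200, 10)]  # host never seen in the baseline
    + [(900, "10.0.5.77", "plc-03", "cfg_write")]                         # and it pushes a configuration
)

def build_baseline(records):
    """Summarise which source talks to which PLC, with what operations, and how often it polls."""
    ops = defaultdict(set)        # (src, dst) -> operations seen
    polls, span = Counter(), {}   # poll count and (first, last) timestamp per pair
    for t, src, dst, op in records:
        pair = (src, dst)
        ops[pair].add(op)
        if op == "poll":
            polls[pair] += 1
            lo, hi = span.get(pair, (t, t))
            span[pair] = (min(lo, t), max(hi, t))
    rate = {p: n / max(span[p][1] - span[p][0], 1) for p, n in polls.items()}  # polls per second
    return {"ops": dict(ops), "rate": rate}

def detect(baseline, records, burst_factor=3.0):
    """Compare a later window against the baseline and return a list of alert tuples."""
    alerts, current = [], build_baseline(records)
    for pair, seen in current["ops"].items():
        known = baseline["ops"].get(pair)
        if known is None:
            alerts.append(("new_talker", pair))
        for op in seen - (known or set()):
            if op == "cfg_write":                    # any configuration write outside the baseline
                alerts.append(("unauthorised_cfg_write", pair))
            elif known is not None:                  # known pair using an operation it never used before
                alerts.append(("new_operation", pair, op))
    for pair, rate in current["rate"].items():
        base = baseline["rate"].get(pair)
        if base and rate > burst_factor * base:      # sustained polling well above the learned rate
            alerts.append(("poll_burst", pair, round(rate / base, 1)))
    return alerts

def demo():
    return detect(build_baseline(BASELINE), OBSERVED)
if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

Real deployments would learn the baseline from passive captures over days rather than minutes and key on protocol function codes instead of labels, but the shape of the check is the same.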
This report may give us a glimpse into what is to come. Perhaps attackers will attempt to replicate this strategy AND actively avoid affecting systems that could cause physical harm. Or maybe they just won’t care. Either way, this gives us a rare opportunity to front foot this situation and put systems in place before these attacks start taking off, instead of waiting for the next exploit to be developed and then scrambling for a fix.
Thanks,
Corey