Hsinchu, Taiwan – Nov 3, 2021 – It is very surprisingly that FBI, CISA (Cybersecurity and Infrastructure Security Agency), EPA (Environmental Protection Agency) and NSA (National Security Agency) of the United States of America issued a joint alert on October 14, 2021 - “Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems”. This joint alert mentioned that three previously unreported ransomware attacks that impacted ICS (industrial control systems) at water facilities. Precisely speaking, the SCADA (supervisory control and data acquisition) Systems were attacked by ransomware in these three water facilities.

The SCADA example picture. Retrieved Nov 3, 2021, from https://en.wikipedia.org/wiki/SCADA

For decades, we have referred to computers and data networks as IT (information technology); the operation and program control of ICS (industrial control system) is usually referred to as OT (operational technology). IT and OT have different focuses. The focus of OT is the stable and smooth operation in long time. OT was usually operated in an isolated network and thus is very safe.

However, IT and OT are usually integrated nowadays for convenience and efficiency. This exposes the OT network to the large amount of malicious content from IT network. Furthermore, there are some malware which is designed for targeting to industrial systems like nuclear power plant or other public facilities. The OT network is as dangerous as the IT network now.

The joint alert mentioned that Ghost and ZuCaNo variant ransomware are two of the three assassins which cyber-attacked the water facilities. The third assassin is an unknown ransomware. Actually the Ghost and ZuCaNo ransomware are quite old and have many variants. Ghost is also known as Farfli and ZuCaNo is derived from the Xorist virus.

Lionic has been watching out these Ghost/Farfli and ZuCaNo/Xorist families long time ago. So far, Lionic has collected roughly three thousands of Ghost/Farfli variant ransomware and roughly one thousand of ZuCaNo/Xorist variant ransomware. Their amounts are still keeping growing. Due to these large amounts, Lionic anti-virus technology based products should enable the cloud based scan to obtain the full protection against the Ghost/ZuCaNo families of ransomware.

Partial list of Cloud Anti-Virus rules for Ghost/Farfli variant ransomware:

Partial list of Cloud Anti-Virus rules for ZuCaNo/Xorist variant ransomware:

Once the OT network connected to IT network, the OT network should watch out the malware and cyber-intrusions both. Some OT network security devices have anti-intrusion ability only and no anti-virus ability. It is not enough for all the possible cyber-threats now.

This water facilities ransomware event serves as a powerful reminder of how important it is to install one Pico-UTM 100 for one important machine in OT network. Pico-UTM 100 has full protection including Anti-Virus, Anti-Intrusion, Anti-WebThreat and Firewall features. Also, the operating systems of equipment in OT network are very old Windows, Linux or other operating systems usually. There are many known vulnerabilities in these old operating systems. And these old operating systems are very hard to upgrade usually. Pico-UTM 100 also has anti-virus and anti-intrusion rules for protecting the old MS-Windows and other OS just like “Virtual Bug Fixes” or “Virtual Patch”.

It is highly possible that those water facilities can minimize the impact of the ransomware catastrophe if they deploy large amount of Pico-UTM 100 in their OT network. We recommend the managers of OT networks can think about deploying one Pico-UTM 100 for one important machine to block the ransomware and old vulnerabilities attacks in advance.

References:

1. Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems, https://us-cert.cisa.gov/ncas/alerts/aa21-287a
2. Ransomware Hit SCADA Systems at 3 Water Facilities in U.S., https://www.securityweek.com/ransomware-hit-scada-systems-3-water-facilities-us
3. SCADA, https://en.wikipedia.org/wiki/SCADA
4. Stuxnet, https://en.wikipedia.org/wiki/Stuxnet