Incident of the Month: Process Disruptions by Malware

EKANS, a malware family that appeared at the beginning of the year, also aims to shut down specific industrial processes. The malware only affects Microsoft Windows systems. But given the abundance of Windows-based systems active in OT and the convergence of IT and OT, EKANS has the potential to disrupt industrial processes by taking over OT-specific software on those systems.

A Common Case: Infection of an OT Database Server

[Figure: Malfunction of an infected system in Rhebo Industrial Protector. The malfunction of an infected system affects the communication patterns in OT. In Rhebo Industrial Protector, faulty communication patterns are highlighted in red.]

For example, if an OT database server is infected, the functionality of the control software active in the OT is disrupted. Examples of affected systems are Proficy iFix, ThingWorx, Sentinel, GE Fanuc Licensing, VMWare, Nimsoft, Honeywell HMIWeb, Bluestripe, SolarWinds, FLEXNet and MS SQL Server. The activities of EKANS inevitably leave traces in the OT communication pattern. These traces make it possible to localize the trigger and prevent disruptions.

EKANS vs ICS Monitoring

EKANS activities can be identified by ICS monitoring and anomaly detection. The mechanism is the same as for detecting erroneous or manipulative interventions in the process communication. Using deep packet inspection (DPI), such changes are detected in real time at the level of the individual data packets. Thus, even modified functions or commands can be analyzed to identify anomalies.

[Figure: Anomaly detection in Profinet communication with Rhebo Industrial Protector. Rhebo Industrial Protector provides detailed information about the associated anomalies in Profinet communication for forensic analysis.]

Identifying Attempted Disruptions in OT Communication

At a manufacturing company, for example, the anomaly detection repeatedly detected process disruption commands in the communication pattern. These were atypical for the communication between the components within the OT; in particular, their frequency and timing were suspicious. Using the forensic data, the operators could immediately trace both the source and the communication path. As it turned out, a maintenance worker, who had administrative rights on the source system for his tasks, had initiated the erroneous communication and thus risked a chain reaction. The situation was rectified immediately, so no production downtime occurred. With malware such as EKANS, this threat detection process would be triggered in a similar way.
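The detection logic described above, reduced to its core, as an added example that is not part of the original article or of Rhebo's product: a baseline of which (source, destination, command) flows are normal and how often each repeats within a time window is learned from a quiet period, and later records are flagged either as an unknown flow or as a burst of a known command whose frequency exceeds the baseline. The host names, commands and record format are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source, destination, command).
# Hosts and command names are hypothetical, not taken from any real plant.
LEARNING_PHASE = [
    ("2020-03-02T08:00:00", "hmi-01", "plc-07", "READ_STATUS"),
    ("2020-03-02T08:00:05", "hmi-01", "plc-07", "READ_STATUS"),
    ("2020-03-02T08:00:10", "hmi-01", "plc-07", "READ_STATUS"),
    ("2020-03-02T08:30:00", "eng-ws", "plc-07", "STOP_PROCESS"),  # shift change
    ("2020-03-02T16:30:00", "eng-ws", "plc-07", "STOP_PROCESS"),  # shift change
]
MONITORED_WINDOW = [
    ("2020-03-03T08:00:00", "hmi-01", "plc-07", "READ_STATUS"),
    ("2020-03-03T08:00:05", "hmi-01", "plc-07", "READ_STATUS"),
    ("2020-03-03T08:00:06", "eng-ws", "plc-07", "STOP_PROCESS"),
    ("2020-03-03T08:00:07", "eng-ws", "plc-07", "STOP_PROCESS"),  # repeated stop
    ("2020-03-03T08:00:08", "eng-ws", "plc-07", "STOP_PROCESS"),  # repeated stop
    ("2020-03-03T08:00:09", "db-srv", "plc-07", "STOP_PROCESS"),  # never seen before
]

def learn_baseline(records, window=timedelta(minutes=1)):
    """Map each known flow to the peak number of repetitions seen in one window."""
    seen = defaultdict(list)
    for ts, src, dst, cmd in records:
        seen[(src, dst, cmd)].append(datetime.fromisoformat(ts))
    baseline = {}
    for flow, times in seen.items():
        times.sort()
        peak = 1
        for i, start in enumerate(times):  # count events in each window starting at an event
            peak = max(peak, sum(1 for t in times[i:] if t - start < window))
        baseline[flow] = peak
    return baseline

def detect_anomalies(records, baseline, window=timedelta(minutes=1)):
    """Return alerts with source, path and command so an operator can trace them."""
    recent, alerts = defaultdict(list), []
    for ts, src, dst, cmd in sorted(records):  # ISO timestamps sort chronologically
        flow, now = (src, dst, cmd), datetime.fromisoformat(ts)
        recent[flow] = [t for t in recent[flow] if now - t < window] + [now]
        if flow not in baseline:
            reason = "unknown flow"
        elif len(recent[flow]) > baseline[flow]:
            reason = "burst: %d in window, baseline %d" % (len(recent[flow]), baseline[flow])
        else:
            continue  # known flow at a normal rate
        alerts.append({"time": ts, "source": src, "destination": dst,
                       "command": cmd, "reason": reason})
    return alerts
```

On the constructed data the two repeated STOP_PROCESS commands from eng-ws are reported as bursts and the stop command from db-srv as an unknown flow, while the routine READ_STATUS polling stays silent.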

Protection of ICS and IoT from Malware and Error States

With the ICS monitoring solution and anomaly detection by Rhebo, both industrial control systems (ICS) and connected IoT devices are safeguarded against cyberattacks, malware and technical error states. Even disruptions caused by the growing amount of zero-day malware, which is unknown to firewall and antivirus blocklists, can be discovered through continuous monitoring of the entire network communication. Anomaly detection and automated threat prevention ensure integrated cybersecurity for industrial automation networks and distributed IoT devices.