Implementation of an ICS Ransomware Testbed: Scenarios, Variants, and Evaluation Methods
- Idaho National Laboratory (INL), Idaho Falls, ID (United States)
Ransomware attacks on Industrial Control Systems (ICS) have emerged as a formidable threat to the United States' critical infrastructure, raising grave national security concerns. In March 2023, the FBI Internet Crime Complaint Center (IC3) released its 2022 Internet Crime Report, which recorded 870 ransomware complaints from organizations in U.S. critical infrastructure. Of the country's 16 critical infrastructure sectors, 14 reported at least one ransomware attack. The Healthcare and Public Health sector was hit hardest, with 210 reported attacks, but sectors that depend on ICS networks, along with government organizations, were also targeted: the Defense Industrial Base reported 1 attack, Water and Wastewater Systems 3, Energy 15, Chemical 19, Government Facilities 115, and Critical Manufacturing 157. The operational consequences differ from those in IT-centric sectors: a ransomware attack on a major chemical company could halt production and, if systems that control hazardous materials were affected, create environmental risks as well. In 2022, three ransomware variants accounted for most attacks on U.S. critical infrastructure: LockBit, with 149; ALPHV/BlackCat, with 114; and Hive, with 87.

Several cyber-attacks, such as the MOVEit data breach in May 2023 and the Colonial Pipeline ransomware attack in May 2021, were impactful enough to command national attention. The DarkSide group's attack on Colonial Pipeline, which began on May 6th, 2021, remains one of the most significant and publicly acknowledged cyber-attacks against U.S. critical infrastructure. The group gained initial access with a leaked password for a legacy Virtual Private Network (VPN) account that was not protected by multi-factor authentication, then exfiltrated data. One day later, DarkSide deployed ransomware that encrypted critical accounting and billing systems, and the company shut down the pipeline to keep the ransomware from spreading further across its network.
The crisis drew a rapid response from the U.S. president and federal regulators, including an emergency declaration by the U.S. Department of Transportation on May 9th, 2021, in response to the pipeline shutdown. The incident parallels the 2017 NotPetya attack that crippled the shipping giant Maersk, and both underline the urgent need for stronger cybersecurity across industries. Incidents like Colonial Pipeline could be mitigated, or avoided entirely, if government agencies and private organizations examined their own systems for the same weaknesses, studying how different ransomware variants behave and which entry points they use. Proactive measures such as testing VPN accounts (for example, for stale credentials and missing multi-factor authentication) and auditing passwords for reuse across different systems and software can reveal feasible entry points and the parts of an organization's environment most exposed to them.
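The password-reuse audit suggested above can be automated. The following Python script is an added example, not code from the INL report or its testbed, and its credential data is constructed for illustration. It assumes credentials were collected under controlled conditions (for example, from a vault export on an isolated audit host); it fingerprints each password with a keyed HMAC so the audit output is not an unsalted hash list, groups accounts by fingerprint, reports every password that appears on more than one system, and ranks a group higher when one of its systems is a remote-access entry point, which is the Colonial Pipeline pattern of a VPN password unlocking interior systems. The system name "vpn" used to mark remote-access systems is an assumption of the example.

```python
"""Cross-system password-reuse audit (added example, not the report's code)."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: (system, account, password) triples as an audit host
# might receive them from a controlled vault export. Plaintext appears here only
# so the example runs stand-alone.
SAMPLE_CREDENTIALS = [
    ("vpn", "jsmith", "Spring2021!"),
    ("vpn", "ops-svc", "Welcome123"),
    ("historian", "jsmith", "Spring2021!"),      # reused from the VPN
    ("billing", "jsmith", "Spring2021!"),        # reused again
    ("historian", "acme\\eng", "Welcome123"),    # shared with a VPN service account
    ("hmi", "operator", "Hmi-0peratorS3cret"),
    ("historian", "operator", "Hmi-0peratorS3cret"),  # internal-only reuse
    ("billing", "finance", "Unique-and-long-passphrase-42"),
]

# Constructed per-audit key. In practice generate it fresh with os.urandom(32)
# and destroy it when the audit report is finished.
AUDIT_KEY = b"\x13" * 32

# Assumption of the example: systems named here are perimeter entry points.
REMOTE_ACCESS_SYSTEMS = frozenset({"vpn"})


def fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed digest of a password. With a secret per-audit key, the report
    cannot be cracked offline the way a plain hash list could."""
    return hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_cross_system_reuse(credentials, audit_key: bytes) -> dict:
    """Group (system, account) pairs by password fingerprint and keep only
    groups whose members span more than one system."""
    groups = defaultdict(set)
    for system, account, password in credentials:
        groups[fingerprint(password, audit_key)].add((system, account))
    return {
        fp: members
        for fp, members in groups.items()
        if len({system for system, _ in members}) > 1
    }


def prioritize(reuse: dict, remote_access=REMOTE_ACCESS_SYSTEMS) -> list:
    """Rank reuse groups: perimeter-exposed groups first, then by how many
    systems the shared password unlocks."""
    ranked = []
    for members in reuse.values():
        systems = {system for system, _ in members}
        exposed = bool(systems & remote_access)
        ranked.append((exposed, len(systems), sorted(members)))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [
        {"perimeter_exposed": exposed, "systems": count, "accounts": members}
        for exposed, count, members in ranked
    ]


def audit(credentials, audit_key: bytes) -> list:
    """Full audit: detect cross-system reuse and return the ranked findings.
    Passwords never appear in the output, only system/account pairs."""
    return prioritize(find_cross_system_reuse(credentials, audit_key))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CREDENTIALS, AUDIT_KEY):
        flag = "PERIMETER" if finding["perimeter_exposed"] else "internal"
        accounts = ", ".join(f"{s}:{a}" for s, a in finding["accounts"])
        print(f"[{flag}] shared across {finding['systems']} systems: {accounts}")
```

The ranking is the point of the exercise: the two groups that include a VPN account are the ones an attacker with a single leaked password could turn into access to historian and billing systems, while the operator password shared between the HMI and the historian is still reuse but does not by itself provide a way in from outside.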
- Research Organization:
- Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization:
- USDOE Office of Nuclear Energy (NE)
- DOE Contract Number:
- AC07-05ID14517
- OSTI ID:
- 2327018
- Report Number(s):
- INL/RPT--23-75111-Rev000
- Country of Publication:
- United States
- Language:
- English