Loss of critical control: the effect of malware on industrial control systems

From loss of critical infrastructure to loss of life, the extent of the potential damage is vast. And it’s only getting worse.

Gabriel Morgan
Feb 28, 2021 · 22 min read
Photo credit: Mixabest

Abstract

Digital attacks on industrial control systems (ICSs) have resulted in hazardous outcomes since the year 2000, but it was not until the discovery of Stuxnet in 2010 that they incited sustained and widespread media concern. Despite this, infrastructure as a service (IaaS) is being adopted while ICS security is in its infancy, and attacks on such systems have become increasingly common in the last ten years [1][5][32]. Solutions proposed by researchers are hampered by the industry-specific uniqueness of ICSs and insufficient data on attacks [2]. This literature review aims to provide a timeline of notable ICS attacks that utilize malware, with a focus on socio-political impacts; the spotlight on the technology and corporate losses does not communicate the importance to laypersons. Moreover, a focus on those topics neglects to address people as the biggest vulnerability in any cybersecurity environment.

Introduction

Industrial control systems (ICSs) are a combination of wireless and control components used for various infrastructure and industrial purposes. They are designed to carry out automated functions and use a limited number of read and write commands that are executed in a loop [2].

Increased attacks on ICSs are likely due to the recent popularity of infrastructure as a service (IaaS) as the reduced cost and convenient scalability is attractive to infrastructure and industrial companies. Software as a service (SaaS) carries many risks and IaaS carries the same, but an attack on ICSs has the potential to be more catastrophic due to the very nature of their use and integration.

Although digital attacks on ICSs have been observed as far back as the year 2000, their security is still in its infancy. It is difficult, for example, to build machine learning anomaly detection when there is insufficient data on attacks. The industry-specific uniqueness of ICSs compounds this issue [2]. FireEye have on several occasions observed evidence of long-term intrusions into ICSs that did not result in disruptions or disabled operations [9], which points towards attackers developing ICS attacks in secret.

More recently, a Claroty report on ICS security affecting 53 vendors details that of the vulnerabilities discovered in the first half of 2020, more than 70% can be exploited remotely. The potential outcome of the vulnerabilities was found to be 49% remote code execution, 41% reading of application data, 39% denial of service attacks, 37% bypassing protection mechanisms [32]. All of these are made especially effortless through a combination of cloud services, human error, and an ever-growing lack of air-gapped networks. The enthusiasm to embrace IaaS despite common and known events of hacks, leaks and breaches in SaaS shows an alarming lack of foresight. It can take up to 191 days for organizations to fully recover from these attacks [33].

A typical ICS consists of the following components, referenced throughout this report. The human-machine interface (HMI) allows operators to see the values of and manipulate the machine controller. Both supervisory control and data acquisition (SCADA) and distributed control systems (DCS) supply the tools necessary to generate, monitor and control processes through the use of data collection and command issuing.

Programmable logic controllers (PLCs) are responsible for the binary input and output of the simple read and write command loops which control automation functions. A remote terminal unit (RTU) connects the physical world objects with the DCS or SCADA system. On the highest level of operation exist engineering workstations (EWSs), which are computers that allow the management and control of PLCs and RTUs. EWSs contain the same functionality as HMIs, but include more control.

Many of these components serve similar functions; RTUs, DCSs and PLCs are various options for the same solution with differences mostly relating to the area of coverage and the presence of HMIs. Moreover, the distinction between DCS and SCADA has become more blurred in recent years [2][39][40][41].

Overview

This literature review aims to provide a timeline of digital ICS and ICS-related attacks, primarily through the use of malware, to illustrate how the problems we now face have been pushed aside for two decades. The importance of ICS security is still shown to be of low priority in many surveys [33]. The outcomes stressed in this review are focused on human safety, since financial losses are often front and center, and this does not do the severity of these attacks justice. The malware technicalities are not explored in depth since the attacks usually start by exploiting the most common vulnerability — people.

The literature chosen ranges from papers to security blogs to articles by journalists to capture a breadth of technical details and lived experience by those affected. Where possible, multiple sources from different categories have been selected in an attempt to develop a more holistic understanding of the events. Emphasis was placed on locating the earliest confirmed cases of digital attacks relevant to ICSs. Those that were suspected or unclear have been excluded.

Notable attacks

The early warnings

The earliest identifiable case of a digital ICS attack occurred in the year 2000 in Maroochydore, Queensland. Attacks on SCADA equipment belonging to the Maroochy Shire Council caused disruptions to normal sewerage pump operations that resulted in 800,000 litres of raw sewage spilling out into local parks and rivers — killing marine life. It also soiled the grounds of a Hyatt Regency hotel.

A man named Vitek Boden was responsible. He was a former employee of Hunter Watertech, the company that installed the radio-controlled SCADA sewerage equipment for the Maroochy Shire Council. Their SCADA system consisted of sewerage pumping stations with monitoring computers utilizing various frequencies. A compact computer was situated at each pumping station, capable of receiving instructions from a central control centre.

The attack was not advanced. Mr. Boden sent corrupt signals from a compact computer which had an address of 14, as identified by a Hunter Watertech employee enlisted to assist with the investigation. The pumping station identification number was subsequently changed from 14 to 3 by the investigator in an attempt to correct the system’s behavior; any signal sent from the corrupt pumping station 14 would be ignored.

This was a temporary fix, however. The identification number of the corrupt signals had been remotely changed to number 1 in response. Pumping stations were malfunctioning, and alarms at four pumping stations had been disabled by yet another identification number — 4. Mr. Boden was identified as the culprit due to the equipment found in his car and the control system software installed on his laptop. His motive appeared to be in response to Maroochy Shire Council turning his job application down [4][1]. This attack negatively impacted the local environment and could have caused serious medical harm.
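The sequence above (a rogue sender claiming station 14, the investigator retiring 14 in favour of 3, the rogue moving to ID 1, and alarms silenced under ID 4) is exactly the kind of identity confusion a central control centre can be made to notice. The following monitor is an added example, not code from the article or from the Maroochy system; the message format, radio names, command vocabulary and sample stream are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    ts: int          # seconds since the start of the constructed log
    station_id: int  # pumping-station number the sender claims to be
    radio: str       # physical radio/frequency the message arrived on
    command: str     # constructed command vocabulary, see SAMPLE_STREAM


@dataclass(frozen=True)
class Alert:
    ts: int
    kind: str
    station_id: int
    radio: str


class StationMonitor:
    """Keeps the known station-ID -> radio mapping at the control centre and
    checks every inbound message against it."""

    def __init__(self, registry):
        self.registry = dict(registry)   # station_id -> radio it is known to use
        self.retired = set()             # IDs deliberately taken out of service
        self.alerts = []

    def retire(self, station_id):
        """Take an ID out of service, as the investigator did with 14."""
        self.registry.pop(station_id, None)
        self.retired.add(station_id)

    def observe(self, msg):
        """Check one message; returns the alerts it raised (possibly none)."""
        raised = []
        if msg.station_id in self.retired:
            raised.append(Alert(msg.ts, "retired_id", msg.station_id, msg.radio))
        elif msg.station_id not in self.registry:
            raised.append(Alert(msg.ts, "unknown_id", msg.station_id, msg.radio))
        elif self.registry[msg.station_id] != msg.radio:
            # A real station's number arriving on a radio that station does not use.
            raised.append(Alert(msg.ts, "radio_mismatch", msg.station_id, msg.radio))
        if msg.command == "ALARM_DISABLE":
            # Silencing alarms is always worth a human look, whoever sends it.
            raised.append(Alert(msg.ts, "alarm_disable", msg.station_id, msg.radio))
        self.alerts.extend(raised)
        return raised


# Constructed sample: three legitimate stations on their own radios, a rogue
# radio "R-X" claiming station 14, station 14 retired and renumbered to 3,
# the rogue moving to ID 1, then an alarm-disable command under ID 4.
REGISTRY = {1: "R-1", 4: "R-4", 14: "R-14"}
SAMPLE_STREAM = [
    Message(0, 1, "R-1", "STATUS"),
    Message(5, 14, "R-14", "STATUS"),
    Message(10, 14, "R-X", "PUMP_STOP"),        # rogue spoofing station 14
    ("retire", 14),                              # investigator renumbers 14 -> 3
    ("register", 3, "R-14"),
    Message(20, 3, "R-14", "STATUS"),            # renumbered station, legitimate
    Message(25, 14, "R-X", "PUMP_STOP"),        # rogue still using the retired ID
    Message(30, 1, "R-X", "PUMP_STOP"),         # rogue moves to ID 1
    Message(35, 4, "R-X", "ALARM_DISABLE"),     # alarms silenced under ID 4
]


def run_monitor(stream=SAMPLE_STREAM, registry=REGISTRY):
    """Replay a stream of messages and operator actions; return (ts, kind, id)."""
    mon = StationMonitor(registry)
    for item in stream:
        if isinstance(item, Message):
            mon.observe(item)
        elif item[0] == "retire":
            mon.retire(item[1])
        elif item[0] == "register":
            mon.registry[item[1]] = item[2]
    return [(a.ts, a.kind, a.station_id) for a in mon.alerts]


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

Retiring an ID rather than silently dropping it is what makes the rogue's reuse of 14 visible as its own alert instead of just noise.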

Although the attack was not caused by malware, it is included in this report to emphasize that security for ICS and critical infrastructure has failed to be taken seriously for decades. Malware attacks that impacted ICSs began with the creation of worms capable of penetrating enterprise networks in 2001, and ICS disruption was a by-product of their indiscriminate rapid spreading [34]. Worms still represent some of the most significant ICS attacks; a major development is their ability to use the spreading mechanism to stealthily find their intended targets.

In 2003, a malware attack left a large quantity of the internet hamstrung, if not entirely crippled. 911 services were unavailable, ATMs belonging to the Bank of America crashed, and flights had to be cancelled as a result. It took 15 minutes for it to infect a large portion of the servers responsible for the internet and it cost around $1 billion in damage. A loss of connection with 300,000 cable modems in Portugal occurred and 27 million people in South Korea lost phone and internet services as a result of the attack [26]. It disabled the Davis-Besse nuclear power plant safety parameter display system for almost 5 hours [33]. The malware was a worm, and it was tiny: small enough to fit in a single UDP packet. It was named Slammer [26].

Slammer illustrated how SCADA systems without an internet connection are not inherently safer; the attack successfully blocked SCADA traffic to power utility substations because the company network backbone used a single protocol for its internet and SCADA services, bottlenecking the traffic in both when it became overwhelmed by the worm [34]. The malware exploited a known Microsoft SQL Server 2000 database vulnerability which had already been patched, and the attack was possible because administrators had failed to apply the update — including those within Microsoft units [27]. The inconvenience of software updates was, and continues to be, a source of IT security negligence.

A year later, millions of dollars in damage was caused by a worm named Sasser. It succeeded in delaying 20 British Airways flights [23], forcing the cancellation of several Delta Air Lines flights, bringing rail services in Australia to a halt [25], and leaving Sampo Bank of Finland no choice but to close 130 branches for damage control [24]. The worm was created by a teenager, Sven Jaschan, who was arrested at the age of 18 for the act.

In 2006, a hospital in England had two of its four linear accelerators, used to treat cancer patients, rendered inoperable by a virus — a result of not having anti-virus installed on the machines. It is unclear whether this was the fault of staff or of the manufacturers of the machinery, which was out of order for two days as a consequence. This delayed the treatment of 81 cancer patients [22]. The potential for such interference to be deadly is of note here. It is not clear what mechanisms the virus exploited, as no in-depth documentation of the event is available.

This is not an exhaustive list. The capability of such simple programs to cause devastating wide-reaching damage has been apparent from at least 1988 with the Morris worm incident, and the insecure nature of SCADA networks has been demonstrated numerous times predating the availability of IaaS. Still, IaaS is being embraced. Still, media and public attention on these events has been lacking.

Then in 2010, something remarkable happened: the first documented piece of malware that was designed to directly manipulate ICSs made itself known.

It was not the work of a bored teenager or an unhappy adult; its sophistication carried all the signs of being a nation-state campaign of physical sabotage. Suddenly, the dangers of software vulnerabilities became especially harrowing. The malware heralded the beginning of cyberterrorism. The malware is known as Stuxnet.

Stuxnet and beyond

Stuxnet was regarded as one of the most sophisticated pieces of malware at the time of its discovery in 2010. It was successful in damaging nuclear centrifuges in Iran, credited with damaging up to a fifth of them. It achieved this by manipulating the controls governing their spin rate. It was a worm in that it self-replicated and spread, but it was programmed to identify when the computer it had infected was not of interest — if that condition was met, it destroyed itself [1]. It was the first piece of computer software to be used as a cyber weapon. In 2013, a report published by Symantec outlined findings that the worm may have begun development as early as 2005, and a version was identified that was present in 2007 [28]. The malware and subsequent attack are suspected to be the joint work of the US and Israeli governments.

Stuxnet was a watershed moment in the cybersecurity world. From here, attacks of a similar nature propagated, perhaps as a result of the malware unearthing dreadful possibilities. Fortunately, security researchers are inspired by the same.

Four years passed, and in December of 2014 a second incident of malware causing physical harm to equipment occurred. “Massive damage” was sustained by an unspecified steel mill after malicious software inhibited the ability to shut down a blast furnace in a controlled manner, according to a report by the Federal Office for Information Security, Germany. The attack began with spear-phishing and social engineering. The attacker demonstrated an advanced understanding of ICSs and the steel production process [1][20]. The nature of the damage and the malware used were not specified.

A year later, critical infrastructure was hit with its digital watershed moment — a grim first. And it happened twice.

It was December 23rd 2015, and 200,000 Ukrainians were left without electricity for up to six hours. The attack shut off 30 distribution substations located in the Kiev and western Ivano-Frankivsk regions [1][21]. The malware forced manual power restoration since the SCADA equipment was inoperable, prolonging the outage. The attack was not especially sophisticated, which makes it especially alarming — breakers were being tripped manually through remote control software. A variation of the BlackEnergy malware was identified as what facilitated the power outage. It too was introduced to the company network through spear-phishing emails.

Then on December 17th 2016, another power outage occurred in Ukraine as the consequence of a cyberattack, six days short of a year after the first. Approximately 225,000 customers were affected [1] though power was restored much faster this time around — within three hours. Only one transmission substation was impacted, located in Kiev [21].

The most disturbing difference is the 2016 attack demonstrated an escalation in technique — it is believed to have been facilitated by direct SCADA manipulation malware. The malware became known as CRASHOVERRIDE, the first of its kind: crafted to disrupt electrical grids [1].

CRASHOVERRIDE was the fourth piece of malware directed specifically at ICSs, preceded only by Stuxnet, BlackEnergy-2 and Havex; the latter two are, respectively, malware used against ICS vendor HMIs identified around 2011, and a remote access trojan (RAT) identified in 2013. Havex and BlackEnergy are suspected to be the work of a group known as GRIZZLY STEPPE, or occasionally Dragonfly/Energetic Bear. Evidence suggests they are a threat actor group with ties to Russian intelligence and military agencies [1]. Both attacks on Ukrainian power grids have been attributed to Russia [21].

In the same year (2016), hackers succeeded in altering the chemical levels of water passing through a water treatment facility. The identity and location of the water company remain anonymous, as over 2.5 million customers’ personal and financial information had been breached. The facility was nicknamed Kemuri Water Company and the threat actors were identified as having previously been associated with hacktivism campaigns.

It was reported that the hackers’ alteration of the water chemistry was purely coincidental, which in and of itself is alarming. While malware was not used and the goal of the attack is not suspected to have been ICS related, this event should not be ignored, as the consequences are capable of being lethal at scale. The attack was carried out with ease due to the plant’s lack of up-to-date equipment and poor security practices [19].

A year later, in the early hours of June 27th 2017, malware not unlike Slammer spread around the world with unprecedented speed. Its crosshairs were locked on Ukraine, and it very nearly crippled the country entirely.

It began with the CEO of Dragos — an ICS cybersecurity firm — tweeting a report indicating that an electric power supplier to Kiev had been hacked. Not long after, Maersk announced that its IT systems were down, with countless other companies subsequently being incapacitated. Their screens displayed nothing but a ransom note demanding payment to decrypt the now inaccessible files. Around five hours later, Kaspersky tweeted a statement detailing that the ransomware was not any previously identified.

At the time of the Kaspersky report it had infected approximately 2,000 organizations [16]. The ransomware was credited with being the fastest propagating piece of software to date. It took 45 seconds to bring down the network of a large Ukrainian bank. In a major Ukrainian transit hub, it took 16 seconds. The attack cost more than $10 billion in damage [12]. The malware had the appearance of the ransomware Petya, but files were not decrypted once the ransom was paid — that appearance was a distraction. The malware was a worm designed to cause immeasurable disruption. The malware was named NotPetya.

The list of victims is long and varied; it hit four hospitals in Kiev, six power companies, two airports and more than twenty-two Ukrainian banks. It managed to escape Ukrainian networks, hamstringing hospitals in Pennsylvania and a chocolate factory in Tasmania, Australia. It incapacitated multinational companies including a pharmaceutical giant, a European subsidiary of FedEx and the Danish shipping company AP Moller-Maersk. Maersk was responsible for 76 ports all over the world and nearly 800 seafaring vessels. This attack rendered them inoperable — close to a fifth of the entire world’s shipping capacity had been immobilized [12].

Even Chernobyl nuclear power plant operations were impacted; they were forced to switch to manual radiation monitoring since its Windows-based sensors had been shut down. ATMs and point-of-sale terminals were infected, rendering citizens unable to pay for essential goods or transport if they did not have cash on hand. Even if they did, many vendors were equally paralysed [12][13].

Some evidence suggests that the source of the infection was a Ukrainian software company pushing an update for their accounting software M.E.Doc. It was suspected to be the accidental conduit from which the worm propagated, though they deny this claim [17]. The attack has been attributed to Russia by the Five Eyes and Canada [15], possibly due to the fact that it also compromised Ukrenergo, the energy company rendered inoperable by the 2016 power grid attack [12]. According to a spokesperson, the NotPetya attack did not affect the power supply [13]. The way in which NotPetya impacted the Chernobyl nuclear plant illustrates that such an attack may be equally as dangerous as a direct attack on ICS safety controls.

Then in the summer of 2017, not even a year later, an attack of that exact nature was discovered. It used the first known piece of malware that specifically targeted industrial safety systems designed to protect human lives [1][9][10].

In a worst-case scenario, the code could have resulted in an explosion or a release of toxic hydrogen sulphide gas. The 1984 Bhopal gas tragedy, amongst the world’s worst industrial disasters, involved a leak of poisonous gases and it killed thousands [10]. The malware was first discovered at an anonymous Saudi Arabian petrochemical plant. It earned the name TRITON, after the Triconex safety controller model it targeted.

TRITON’s most alarming characteristic was its focus on manipulating industrial safety systems, and it was built to communicate using the proprietary TriStation protocol, of which there is no public documentation. It targeted the safety instrumented system with precision, with no manipulation of the DCS beyond using it to gain access [9]. The threat actor knew precisely what they were there to target and no time was wasted in doing so.

Evidence suggests the hackers had been inside the company’s corporate IT networks since 2014. It is suspected that they worked their way into an EWS through the network, potentially through a vulnerability or via employee login credentials. This allowed them to identify the makes, models and firmware versions of the hardware controllers [10].

The attacker persisted even after failed attempts caused by one of their script’s conditional checks [9]. In June 2017 a flaw in the code triggered a response from a safety system which brought the plant to a halt, at first attributed to a mechanical glitch. In August, several more systems were tripped, which caused a shutdown. This prompted an investigation [10].

TRITON was suspected to be the work of Iran, but a FireEye report details evidence suggesting the attack may have been the work of the Central Scientific Research Institute of Chemistry and Mechanics, Moscow, a Russian government-owned organization. There is evidence of recent activity by this same threat actor [11][36].

In 2020, news broke of malware first observed in mid-December 2019. It was coined EKANS, sometimes Snake [30]. It kills 64 system processes, many of which are specific to ICSs, and subsequently encrypts the infected machines, holding them hostage [7]. EKANS is programmed to look for a particular network and will only execute when that condition is met.

The May variant attempts to resolve the IP address of a subdomain that belongs to a global chronic kidney condition healthcare provider. Once inside, it seeks a specific IP address on the network, and looks for the machine’s current role within the domain so it may exploit it [29]. In May 2020, that precise attack was successful; the target was Fresenius, the largest private hospital operator in Europe [31].

The operational technology firm Claroty supports the theory that the intended victims of EKANS are ICS processes. They report that the damage is likely to be a by-product of HMI configuration and/or other types of IT files critical to ICS processes [8]. Amongst the dozens of processes EKANS terminates are those designed to keep records of operational information, maintain industrial settings, and audit paid software licenses. It is unclear what disrupting license checks would result in, but it could lead to serious consequences such as loss of machine control.
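Because the article describes EKANS as terminating dozens of ICS-related processes (historian, HMI, licensing) before encrypting files, a burst of such terminations from one process is a usable detection signal on the host. The following is an added example, not code from the article or from any of the firms cited: the log format, the process names on the watchlist and the sample log lines are all constructed for illustration, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque

# Constructed stand-ins for the ICS-related processes (HMI, historian,
# controller communication, licensing) the article says EKANS terminates.
ICS_PROCESSES = {
    "hmi_runtime.exe", "historian_svc.exe", "plc_comm.exe",
    "license_mgr.exe", "alarm_server.exe",
}

# Constructed log format: "<epoch> pid=<n> image=<name> action=<verb> [target=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"action=(?P<action>\w+)(?: target=(?P<target>\S+))?$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def detect_kill_bursts(lines, window=30, threshold=3):
    """Flag any process that terminates at least `threshold` watch-listed
    processes within `window` seconds. One alert per offending pid."""
    recent = defaultdict(deque)   # pid -> deque of (ts, target) inside the window
    alerted = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["action"] != "terminate" or ev["target"] not in ICS_PROCESSES:
            continue
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["target"]))
        while q and ev["ts"] - q[0][0] > window:   # drop kills outside the window
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({
                "ts": ev["ts"],
                "pid": ev["pid"],
                "image": ev["image"],
                "killed": [target for _, target in q],
            })
    return alerts


# Constructed sample: an operator restarting one HMI process (benign), an
# unrelated process closing notepad, then one unfamiliar binary terminating
# four watch-listed processes in eleven seconds before it starts writing files.
SAMPLE_LOG = """\
1588557000 pid=2210 image=explorer.exe action=terminate target=hmi_runtime.exe
1588557004 pid=2210 image=explorer.exe action=start target=hmi_runtime.exe
1588557060 pid=3001 image=taskmgr.exe action=terminate target=notepad.exe
1588557120 pid=4412 image=update_helper.exe action=terminate target=historian_svc.exe
1588557123 pid=4412 image=update_helper.exe action=terminate target=plc_comm.exe
1588557127 pid=4412 image=update_helper.exe action=terminate target=license_mgr.exe
1588557131 pid=4412 image=update_helper.exe action=terminate target=alarm_server.exe
1588557140 pid=4412 image=update_helper.exe action=write target=C:/Reports/q1.xlsx
""".splitlines()


if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_LOG):
        print(alert)
```

A single restart by an operator stays below the threshold, so the rule fires on the pattern (many ICS processes stopped quickly by one image) rather than on any one termination.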

ICS targets aside, EKANS exhibits typical ransomware behaviour — file encryption and displaying an on-screen ransom note demanding large sums of money. Its purpose appears to be purely financial. Samples found in June indicate that the malware has now added firewall manipulation functionality.

EKANS has been attributed to Iranian state-sponsored hackers by the Israeli security firm Otorio, though a report from Dragos contradicts that analysis [7]. Dragos have called it primitive [30], and its May version housed over 1,200 strings that required correcting [29]. Whilst it bears no signs of a nation-state, it heralds the beginnings of ICS disruption becoming so accessible that smash-and-grab cybercrime can utilize it.

ICS Attack Trends

In 2016, IBM X-Force published a report regarding attacks on ICSs and found that from 2015 to 2016 there had been a 110% increase [5]. Reported vulnerabilities rose from around 48 in 2010 to 806 in 2017 [1].

In the second half of 2017, buffer overflow and improper authentication were identified as the most common types of vulnerabilities, according to a report on industrial automation systems by Kaspersky. That same report explains that 265 of the 322 vulnerabilities identified can be exploited remotely and without authentication. Their assessment states that to do so requires no specialized knowledge and hardly any skill.

In September 2017, ICS cybercriminal activity rose by 20% and no reduction was observed for the rest of the year. 22.7% of the infections were via the internet. 26.5% of the malware was classified as trojans, with those of the spyware variety being common. Worms made up 4.4% [35]. Notably, six of the twelve attacks outlined in this report can be classified as worms, and Stuxnet was initiated by a RAT.

From 2019–2020, a 122.1% rise in vulnerabilities was experienced by the water and wastewater sectors. Critical manufacturing followed with an 87.3% rise, with energy sectors experiencing an increase of 58.9%, according to a Claroty report. The ICS product types most affected were EWSs at 57.7%, PLCs at 26%, and SCADA equipment at 11.5% [32].

The high number of infections in PLCs is concerning; they function to control machine actuators and/or monitor the sensors which make alarms possible. Some notable examples are Stuxnet, which exploited vulnerabilities in computers to gain access to PLCs; INDUSTROYER (another name for CRASHOVERRIDE), which gained access to an EWS, from which it could access and manipulate an RTU; and TRITON, which famously infected a PLC [36].

Techniques in more recent attacks suggest that nation-states are occupying this landscape at a seemingly accelerating rate — the increase of ICS cyber incidents from 2014 is noticeable.

Discussion

For much of the 21st century, hackers had become synonymous with hoodie-wearing teenagers sitting at a computer in the basement of their parents’ home. This trope is not entirely unfounded — many hackers were arrested young, likely as a result of technology being accessible to people at increasingly younger ages as it grows exponentially more powerful; they cannot understand the magnitude of what they are messing with.

It is as if the characteristics of the attackers determine how seriously an act of cybercrime is taken, which seems counter-intuitive; if a teenager can cause so much harm with basic skills and rudimentary tools, it should take no stretch of the imagination to realize the threat an advanced adversary is capable of. Since that has been demonstrated in recent history, the public now knows that cybercrime is an issue of national security. The images it conjures have changed.

The rise in nation-state hacking may be a result of increased political tension; governments may be funding intelligence efforts more aggressively, as the anonymity and remote nature of cyberterrorism make it an attractive alternative to the dangers of fieldwork and physical sabotage. It also provides convenient means for survival, such is the case with North Korea, who have few allies left — they have been implicated in stealing billions of dollars through digital means, potentially for the sake of funding weapon programs [37].

One could argue that the reason for such a lack of foresight was that the full scope of IT security corruption amongst governments was esoteric knowledge until the popularization of WikiLeaks, and the fame of whistle-blowers such as Chelsea Manning and Edward Snowden. This behaviour is not new, however — the conduit of its activity has merely changed. Perhaps the neglect of security was also helped along by required upgrades causing unfavourable delays in ICS services. Arguably IaaS would exacerbate this as cloud integration typically results in a single environment being used for all services and equipment, in line with the convenience it sells.

On an individual scale, the attacks listed were largely possible due to mundane employee error. The consequence of a successful spear-phishing attack being a loss of power to 200,000 people makes the dangers of poor staff security training in our current threat landscape abundantly clear. It is important to note that such training may fall flat if the program focuses on corporate financial losses and employee punishment — discussing it in the context of the damage it can do to people rather than things is paramount. Especially if said staff are treated and paid poorly, as they will treat company assets with the same amount of care they receive for the job.

The most important information asset to any company is its human components which are infinitely easier to exploit than the software we rely on to keep us safe. In ICS security, there is inadequate protection in both.

Disclaimer: This is not a peer reviewed or professional report; it was written for my IT security unit at university. I am in no way an expert in the field, but this received a high distinction from those who are much more experienced than I, so I figured it was worth posting in hope it would help educate people about a field I am extremely passionate about. If there are any errors, please let me know! I’ve fact checked, revised and edited it numerous times. Alas, I am but one human. Thank you for reading!

References

[1] K. E. Hemsley and R. E. Fisher, “History of Industrial Control System Cyber Incidents,” 2018.

[2] D. Bhamare, M. Zolanvari, A. Erbad, R. Jain, K. Khan and N. Meskin, “Cybersecurity for industrial control systems: A survey,” Computers & Security, vol. 89, 2020.

[3] Kaspersky lab, “Equation Group: Questions and Answers,” February 2015. [Online]. Available: https://web.archive.org/web/20160310162220/https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf. [Accessed 30th August 2020].

[4] M. D. Abrams and J. Weiss, “MALICIOUS CONTROL SYSTEM CYBER SECURITY ATTACK CASE STUDY: MAROOCHY WATER SERVICES, AUSTRALIA,” August 2008. [Online]. Available: https://www.mitre.org/publications/technical-papers/malicious-control-system-cyber-security-attack-case-study-maroochy-water-services-australia. [Accessed 17 September 2020].

[5] D. McMillen, “Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent,” Security Intelligence, 27 December 2016. [Online]. Available: https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/. [Accessed 17 September 2020].

[6] A. Greenberg, “A Guide to LockerGoga, the Ransomware Crippling Industrial Firms,” Wired, 25 March 2019. [Online]. Available: https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. [Accessed 03 September 2020].

[7] A. Greenberg, “Mysterious New Ransomware Targets Industrial Control Systems,” Wired, 02 March 2020. [Online]. Available: https://www.wired.com/story/ekans-ransomware-industrial-control-systems/. [Accessed 03 September 2020].

[8] “Digging Deeper into Snake Ransomware and ICS Impact,” CLAROTY, 04 February 2020. [Online]. Available: https://blog.claroty.com/digging-deeper-into-snake-ransomware-and-ics-impact. [Accessed 03 September 2020].

[9] B. Johnson, D. Caban, M. Krotofil, D. Scali, N. Brubaker and C. Glyer, “Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure,” FireEye, 14 December 2017. [Online]. Available: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html. [Accessed 17 September 202].

[10] M. Giles, “Triton is the world’s most murderous malware, and it’s spreading,” MIT Technology Review, 05 March 2019. [Online]. Available: https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-triton-malware/. [Accessed 17 September 2020].

[11] FireEye intelligence, “TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers,” 23 October 2018. [Online]. Available: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html. [Accessed 17 September 2020].

[12] A. Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, 22 August 2018. [Online]. Available: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. [Accessed 18 September 2020].

[13] R. Brandom, “A new ransomware attack is infecting airlines, banks, and utilities across Europe,” The Verge, 27 June 2017. [Online]. Available: https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry. [Accessed 18 September 2020].

[14] S. Frenkel, “Global Ransomware Attack: What We Know and Don’t Know,” The New York Times, 27 June 2017. [Online]. Available: https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html. [Accessed 18 September 2020].

[15] E. Kovacs, “U.S., Canada, Australia Attribute NotPetya Attack to Russia,” Security Week, 16 February 2018. [Online]. Available: https://www.securityweek.com/us-canada-australia-attribute-notpetya-attack-russia. [Accessed 18 September 2020].

[16] D. Bisson, “NotPetya: Timeline of a Ransomworm,” Tripwire, 28 June 2017. [Online]. Available: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/notpetya-timeline-of-a-ransomworm/. [Accessed 18 September 2020].

[17] Malwarebytes Labs, “Petya-esque ransomware is spreading across the world,” 27 June 2017. [Online]. Available: https://blog.malwarebytes.com/cybercrime/2017/06/petya-esque-ransomware-is-spreading-across-the-world/. [Accessed 18 September 2020].

[18] Vericlave & Blue Ridge Networks, “White paper: the Kemuri water company hack,” October 2018. [Online]. Available: https://www.vericlave.com/wp-content/uploads/2018/10/Vericlave_WhitePaper_KemuriWater_1018_F.pdf. [Accessed 18 September 2020].

[19] M.-A. Russon, “Hackers hijacking water treatment plant controls shows how easily civilians could be poisoned,” International Business Times, 23 March 2016. [Online]. Available: https://www.ibtimes.co.uk/hackers-hijacked-chemical-controls-water-treatment-plant-utility-company-was-using-1988-server-1551266. [Accessed 18 September 2020].

[20] K. Zetter, “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever,” Wired, 01 August 2015. [Online]. Available: https://www.wired.com/2015/01/german-steel-mill-hack-destruction/. [Accessed 28 September 2020].

[21] D. Park, J. Summers and M. Walstrom, “Cyberattack on Critical Infrastructure: Russia and the Ukrainian Power Grid Attacks,” The Henry M. Jackson School of International Studies, 11 October 2017. [Online]. Available: https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks/. [Accessed 29 September 2020].

[22] BBC News, “Cancer treatment delayed by virus,” 16 February 2006. [Online]. Available: http://news.bbc.co.uk/2/hi/uk_news/england/dorset/4721288.stm. [Accessed 29 September 2020].

[23] Associated Press, “Sasser Worm Creator Avoids Lockup,” Wired, 05 September 2007. [Online]. Available: https://www.wired.com/2005/07/sasser-worm-creator-avoids-lockup/. [Accessed 29 September 2020].

[24] “Finnish bank closes to ward off Sasser virus,” The Sydney Morning Herald, 04 May 2004. [Online]. Available: https://www.smh.com.au/world/finnish-bank-closes-to-ward-off-sasser-virus-20040504-gdiuv3.html. [Accessed 29 September 2020].

[25] NordVPN, “The top 10 most destructive viruses of all time,” 30 June 2020. [Online]. Available: https://nordvpn.com/blog/worst-computer-viruses/. [Accessed 29 September 2020].

[26] P. Boutin, “Slammed!,” Wired, 01 July 2003. [Online]. Available: https://www.wired.com/2003/07/slammer/. [Accessed 29 September 2020].

[27] The Associated Press, “Microsoft Attacked by Worm, Too,” Wired, 28 January 2003. [Online]. Available: https://www.wired.com/2003/01/microsoft-attacked-by-worm-too/. [Accessed 29 September 2020].

[28] Symantec, “Stuxnet 0.5: The Missing Link,” 26 February 2013. [Online]. Available: https://docs.broadcom.com/docs/stuxnet-missing-link-13-en. [Accessed 30 September 2020].

[29] B. Hunter and F. Gutierrez, “EKANS Ransomware Targeting OT ICS Systems,” FortiGuard Labs, 01 July 2020. [Online]. Available: https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems. [Accessed 30 September 2020].

[30] “EKANS Ransomware and ICS Operations,” Dragos, 03 February 2020. [Online]. Available: https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/. [Accessed 30 September 2020].

[31] C. Osborne, “Major European private hospital operator struck by ransomware,” ZDNet Zero Day, 07 May 2020. [Online]. Available: https://www.zdnet.com/article/europes-largest-private-hospital-chain-struck-by-ransomware-attack/. [Accessed 30 September 2020].

[32] Claroty, “Remotely Exploitable ICS Vulnerabilities on Rise, as Reliance on Remote Access to Industrial Networks Increases During COVID-19,” 19 August 2020. [Online]. Available: https://claroty.com/resource/remotely-exploitable-ics-vulnerabilities-on-rise-as-reliance-on-remote-access-to-industrial-networks-increases-during-covid-19/. [Accessed 01 October 2020].

[33] T. Alladi, V. Chamola and S. Zeadally, “Industrial Control Systems: Cyberattack trends and countermeasures,” Computer Communications, pp. 1–8, 01 April 2020.

[34] E. Byres and J. Lowe, “The myths and facts behind cyber security risks for industrial control systems,” Proceedings of the VDE Kongress, vol. 116, pp. 213–218, 2004.

[35] Kaspersky ICS CERT, “Threat Landscape for Industrial Automation Systems in H2 2017,” 26 March 2018. [Online]. Available: https://ics-cert.kaspersky.com/reports/2018/03/26/threat-landscape-for-industrial-automation-systems-in-h2-2017/. [Accessed 01 October 2020].

[36] FireEye, “TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping,” 10 April 2019. [Online]. Available: https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html. [Accessed 01 October 2020].

[37] BBC, “North Korea ‘stole $2bn for weapons via cyber-attacks’,” 07 August 2019. [Online]. Available: https://www.bbc.com/news/world-asia-49259302. [Accessed 01 October 2020].

[38] P. H. O’Neill, “North Korean hackers steal billions in cryptocurrency. How do they turn it into real cash?,” MIT Technology Review, 10 September 2020. [Online]. Available: https://www.technologyreview.com/2020/09/10/1008282/north-korea-hackers-money-laundering-cryptocurrency-bitcoin/. [Accessed 01 October 2020].

[39] E. D. Knapp and J. T. Langill, “Chapter 2 — About Industrial Networks,” Industrial Network Security (Second Edition), pp. 9–40, 2015.

[40] DCS-news.com, “PLC, DCS, SCADA, HMI — What are the differences?,” 17 December 2018. [Online]. Available: http://dcs-news.com/plc-dcs-scada-hmi-differences/. [Accessed 03 October 2020].

[41] D. Greenfield, “RTU or PLC: Which is Right for You?,” AutomationWorld, 10 July 2012. [Online]. Available: https://www.automationworld.com/products/control/blog/13307242/rtu-or-plc-which-is-right-for-you. [Accessed 03 October 2020].


Gabriel Morgan

Artist, writer, worldbuilder. cybersecurity & neuroscience graduate.