Dead Man's PLC: Towards Viable Cyber Extortion for Operational Technology
Richard Derbyshire, Benjamin Green, Charl van der Walt, David Hutchison

TL;DR
This paper introduces Dead Man's PLC, a novel cyber extortion method targeting operational technology by exploiting resilience processes, demonstrated through a proof of concept on an industry-validated testbed.
Contribution
It presents a practical OT cyber extortion technique that leverages existing functionalities and resilience mechanisms, marking a new approach in OT security threats.
Findings
DM-PLC effectively triggers ransom conditions in test environments.
The method exploits environment monitoring to detect tampering.
Proof of concept confirms feasibility and malicious potential.
Abstract
For decades, operational technology (OT) has enjoyed the luxury of being suitably inaccessible so as to experience directly targeted cyber attacks from only the most advanced and well-resourced adversaries. However, security via obscurity cannot last forever, and indeed a shift is happening whereby less advanced adversaries are showing an appetite for targeting OT. With this shift in adversary demographics, there will likely also be a shift in attack goals, from clandestine process degradation and espionage to overt cyber extortion (Cy-X). The consensus from OT cyber security practitioners suggests that, even if encryption-based Cy-X techniques were launched against OT assets, typical recovery practices designed for engineering processes would provide adequate resilience. In response, this paper introduces Dead Man's PLC (DM-PLC), a pragmatic step towards viable OT Cy-X that…
Taxonomy
Topics: Smart Grid Security and Resilience · Information and Cyber Security · Physical Unclonable Functions (PUFs) and Hardware Security
