Bitcoin mining is becoming a serious threat to OT network security. ‘Bitcoin’ has been one of the hottest buzzwords of the past few years: the virtual currency skyrocketed in value and then began correcting, stirring up a frenzy of speculation and scepticism. Bitcoin mining, the release of new blocks of bitcoin by solving difficult mathematical problems, allows anyone with internet access and ample computing power to potentially make money. The greater the computing power, the more lucrative mining becomes. This combination has made computing power a sought-after resource for cybercriminals.

Bitcoin Mining Requires Massive Energy Consumption

Bitcoin mining is so lucrative that the energy it uses is estimated to have reached levels similar to those of entire nations the size of Ireland or Austria. “As per mid-March 2018, about 26 quintillion hashing operations are performed every second and non-stop by the Bitcoin network,” according to a new report by Alex de Vries of the Experience Center of PwC in the Netherlands. “The primary fuel for each of these calculations is electricity.”

“The electricity that is expended in the process of mining Bitcoin has become a topic of heavy debate over the past few years. It is a process that makes Bitcoin extremely energy-hungry by design, as the currency requires a huge amount of hash calculations for its ultimate goal of processing financial transactions without intermediaries (peer-to-peer). The primary fuel for each of these calculations is electricity. The Bitcoin network can be estimated to consume at least 2.55 gigawatts of electricity currently, and potentially 7.67 gigawatts in the future, making it comparable with countries such as Ireland (3.1 gigawatts) and Austria (8.2 gigawatts). Economic models tell us that Bitcoin’s electricity consumption will gravitate toward the latter number. A look at Bitcoin miner production estimates suggests that this number could already be reached in 2018.”

Bitcoin’s Growing Energy Problem, Alex de Vries

OT Networks Hacked to Supply Computing Power for Bitcoin Mining

What does all this have to do with OT networks? The massive available processing capacity and the relative ease of hacking them have made OT networks a victim of choice for criminal bitcoin mining operations. IT networks also have large amounts of the spare CPU capacity needed for mining calculations, but cybersecurity on those networks tends to be much stronger, so the higher likelihood of being discovered makes IT networks less than ideal. OT networks, on the other hand, are less protected, giving the bitcoin criminals free rein to go about their business uninterrupted. One such large SCADA site, in a remote location outside North America, experienced an unusual surge in power consumption that lasted several months. OT managers initially suspected some kind of equipment fault, but my team of cyber researchers looked for a different kind of culprit.

The SCADA network used PC-based PLCs and HMIs, and several of them were making strange noises and heating up. That is a huge red flag, and it didn’t take long to figure out that these machines had been compromised by hackers and were being used to run unauthorized processes that strained the computers, gobbled up electricity and caused the physical symptoms. But this was not a typical cyberattack aimed at sabotaging operations or stealing sensitive data. This attack was about stealing computing power, hardware and electricity for bitcoin mining.

How Criminals Hacked an OT Network for Bitcoin Mining

In the past, OT networks relied heavily on ‘air gapping’, a security practice based on completely isolating the OT network from the internet-connected IT network. This created a kind of ‘cyber moat’ that provided reasonably effective protection against hackers. But recent developments have rendered air gapping unfeasible and more and more non-proprietary internet-connected devices have been incorporated into OT networks. The operational gains of this IT/OT convergence have been phenomenal. The downside is the internet-connected devices are effectively high-speed bridges connecting the OT network to the internet.

Today, OT networks are extremely vulnerable to cyber-attack. An innocent human error in the IT network, such as clicking on a malicious link or attachment, can provide an entry point for malware that then moves laterally into the OT network. Once hackers find a way in, they can probe for vulnerable machines with plenty of available processing power. The sad truth is that bitcoin mining malware is readily available for sale on the dark web, so setting up a mining operation is relatively easy.

In this case, the lack of adequate security tools and monitoring allowed the crypto-criminals to penetrate the IT network (most likely by phishing email or some other form of social engineering), move into the OT network, and set up their clandestine bitcoin mining site right under the noses of the OT network managers. It was only the high electricity consumption that caught their attention.

The immense available computing power, connectivity of converged IT/OT networks, and lack of adequate security and monitoring measures make OT networks the ideal target for criminal bitcoin mining.

Protecting against OT Network Bitcoin Mining

If you are responsible for operating and securing an OT network, security and monitoring tools are your best lines of defense. Security tools need to cover the entire range of IT and OT assets to provide holistic protection. Comprehensive monitoring and granular deep packet inspection can discover communication anomalies at the earliest stages of a threat.
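As an added example (not code from the original post), the kind of monitoring check described above, run over constructed host telemetry and DPI connection records: it flags a PLC or HMI that shows the sustained load behind the heat and power symptoms from the incident together with a communication anomaly, either egress outside the OT subnet or a handshake in Stratum, the JSON-RPC protocol mining pools use. The OT address range, host names, and sample records are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample data (not from the original post): CPU samples taken
# every 15 minutes per host, and DPI-extracted connection records.
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed OT address range
CPU_SAMPLES = {
    "hmi-01": [12, 15, 11, 14, 13, 12, 16, 14],
    "plc-07": [97, 98, 99, 97, 98, 99, 98, 97],   # sustained load: mining suspect
    "plc-09": [20, 95, 22, 18, 25, 21, 19, 23],   # one spike only: a batch job
}
CONNECTIONS = [
    {"src": "plc-07", "dst_ip": "203.0.113.45", "dst_port": 3333,
     "payload": '{"id":1,"method":"mining.subscribe","params":[]}'},
    {"src": "hmi-01", "dst_ip": "10.20.0.5", "dst_port": 502, "payload": ""},
    {"src": "plc-09", "dst_ip": "10.20.0.5", "dst_port": 502, "payload": ""},
]
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit")

def sustained_high_cpu(samples, threshold=90, min_consecutive=6):
    """True when CPU stays at or above threshold for min_consecutive samples in a row."""
    run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        if run >= min_consecutive:
            return True
    return False

def looks_like_stratum(payload):
    """Mining pools speak Stratum: JSON-RPC messages with 'mining.*' methods."""
    try:
        return json.loads(payload).get("method") in STRATUM_METHODS
    except (ValueError, AttributeError):
        return False

def find_suspected_miners(cpu_samples, connections):
    """Return {host: [reasons]} for hosts showing one or more mining indicators."""
    findings = defaultdict(list)
    for host, samples in cpu_samples.items():
        if sustained_high_cpu(samples):
            findings[host].append("sustained CPU load")
    for c in connections:
        if ipaddress.ip_address(c["dst_ip"]) not in OT_NET:
            findings[c["src"]].append(f"egress to {c['dst_ip']}:{c['dst_port']}")
        if looks_like_stratum(c["payload"]):
            findings[c["src"]].append("Stratum mining-pool handshake")
    return dict(findings)
```

A single indicator (one CPU spike, one Modbus connection inside the OT range) does not raise a finding; the compromised PLC is reported with all three reasons.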
