
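Threat and defense of a new ransomware worm in industrial control systems
Cite this article: LIU Yukun, ZHUGE Jianwei, WU Yixiong. Threat and defense of new ransomware worm in industrial control system[J]. Journal of Computer Applications, 2018, 38(6): 1608-1613. DOI: 10.11772/j.issn.1001-9081.2017112703
Authors: LIU Yukun  ZHUGE Jianwei  WU Yixiong
Affiliation: 1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084; 2. College of Mathematics and Computer Science, Fuzhou University, Fuzhou 350116
Funding: National Natural Science Foundation of China (61472209); Tsinghua University International Science and Technology Cooperation Project (20163000227); Tsinghua University Initiative Scientific Research Program (20151080436).
Abstract: Large-scale attacks on Industrial Control Systems (ICS) are a huge threat to critical infrastructure bearing on the national economy and people's livelihood, such as power generation, power transmission and distribution, petrochemicals, and water treatment and transmission. The ransomware worms proposed so far for ICS are limited by the isolation of industrial control networks and are difficult to spread on a large scale. Based on observed real-world ICS development scenarios, and addressing the high degree of isolation of ICS, a ransomware worm threat model based on a new attack path is proposed. This threat model first takes the engineer station as the initial infection target, then uses the engineer station as a springboard to attack the industrial control devices in the internal network, and finally achieves worm-style infection and ransom. Based on this threat model, ICSGhost, a ransomware worm prototype, was implemented. In a closed experimental environment, ICSGhost can infect ICS in a worm-like manner along the preset attack path; in addition, defense schemes against this ransomware worm threat are discussed. The experimental results show that this threat is real and that, because its propagation path is based on actual ICS development scenarios, it is relatively hard to detect and defend against.

Keywords: industrial control system  worm  ransomware  cybercrime  security threat
Received: 2017-11-15
Revised: 2018-02-23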

Threat and defense of new ransomware worm in industrial control system
LIU Yukun,ZHUGE Jianwei,WU Yixiong. Threat and defense of new ransomware worm in industrial control system[J]. Journal of Computer Applications, 2018, 38(6): 1608-1613. DOI: 10.11772/j.issn.1001-9081.2017112703
Authors: LIU Yukun  ZHUGE Jianwei  WU Yixiong
Affiliation: 1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China; 2. College of Mathematics and Computer Science, Fuzhou University, Fuzhou Fujian 350116, China
Abstract: Industrial Control Systems (ICS) are widely used in critical infrastructure related to the national economy and people's livelihood, such as power generation, transmission and distribution, the petrochemical industry, and water treatment and transmission. A large-scale attack on ICS is a huge threat to critical infrastructure. The ransomware worms proposed so far for ICS are limited by the isolation of industrial control networks and are difficult to spread on a large scale. Based on observed real-world ICS development scenarios, and to address the high isolation of ICS, a novel ransomware worm threat model with a new attack path was proposed. First, the engineer station was taken as the primary infection target. Then, the engineer station was used as the springboard to attack the industrial control devices in the internal network. Finally, the worm infection and ransom were realized. Based on the proposed threat model, ICSGhost, a ransomware worm prototype, was implemented. In a closed experimental environment, ICSGhost can realize worm infection of ICS along a predetermined attack path. In addition, defense plans against this ransomware worm threat were discussed. The experimental results show that such a threat exists and that, because its propagation path is based on actual ICS development scenarios, it is difficult to detect and guard against.
Keywords: Industrial Control System (ICS)   worm   ransomware   cybercrime   security threat