Much value in a brownfield Industrial Internet of Things (IIoT) implementation resides at its edge tier, where new types of devices and technologies are deployed to interoperate the legacy industrial control systems with servers and systems in the cloud, and leverage the benefits of the Internet of Things technologies. One of these novel devices is the IIoT edge gateway, which is used to connect critical physical systems with the cyber world, and to provide consistent storage, processing, and analytical and controlling capabilities. However, these devices also come with new and advanced threats such as targeted ransomware. In this paper, we investigate this threat in detail. We studied the threat actors' motivations, the anatomy of ransomware for edge gateways, and the likelihood of such ransomware attack to happen in the future. We found that threat actors find IIoT edge gateways attractive ransomware targets due to their vital roles and functionalities in working with critical infrastructure and that the likelihood of such attack to occur is high. We built the first version of a ransomware security testbed for IIoT, and for test purposes, we developed a first version of ransomware target at IIoT edge gateway in a brownfield system. From our measurements we conclude that kernel-related activity parameters are significant indicators of the abnormal behavior caused by crypto-ransomware attacks in IIoT edge gateways, much more so even than for similar attacks in information technology server workstation. Thereby, some potential countermeasures for addressing targeted ransomware in IIoT systems are recommended as proactive strategies for dealing with attackers' new techniques and tactics.
- Brownfield Industrial Internet of Things (IIoT)
- edge gateway
- logic locking
- targeted ransomware