For decades, operational technology (OT) has been inaccessible enough that directly targeted cyber attacks came only from the most advanced and well-resourced adversaries. Security through obscurity cannot last forever, however, and a shift is now under way in which less advanced adversaries are showing an appetite for targeting OT. With this shift in adversary profile, attack goals will likely shift as well, from clandestine process degradation and espionage to overt cyber extortion (Cy-X). The consensus among OT cyber security practitioners is that, even if encryption-based Cy-X techniques were launched against OT assets, the recovery practices already designed for engineering processes (restoring controllers from backed-up project files, isolating affected equipment) would provide adequate resilience. In response, this paper introduces Dead Man's PLC (DM-PLC), a pragmatic step towards viable OT Cy-X that acknowledges and weaponises exactly those resilience processes. Using only existing functionality, DM-PLC treats an entire environment as the entity under ransom: all assets constantly poll one another to ensure the attack remains untampered, and any deviation is treated as a detonation trigger, akin to a Dead Man's switch. A proof of concept of DM-PLC is implemented and evaluated on an academically peer-reviewed and industry-validated OT testbed to demonstrate its malicious efficacy.
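The mutual-polling trigger is easier to reason about as a small model. The following is an added toy simulation written for this page, not the paper's proof of concept and not tied to any PLC protocol: four hypothetical controllers each poll every other controller once per round and fire if any reply is missing or is not the expected acknowledgement. The controller names, the `ACK:` reply format and the `UNEXPECTED` reply from a restored controller are assumptions of the model. It shows why the per-asset recovery steps above (restore one controller from backup, or isolate it) work against the defender, and that only a recovery applied to every asset in the same polling interval avoids detonation in this model.

```python
from dataclasses import dataclass


@dataclass
class Controller:
    """One PLC in the held environment (hypothetical model, not a real device)."""
    name: str
    armed: bool = True        # still runs the attacker's polling logic
    online: bool = True       # reachable on the control network
    detonated: bool = False   # the dead man's switch has fired

    def answer(self, challenge: str):
        """Reply to a peer's poll. An isolated controller gives no reply; a controller
        restored from a clean backup replies, but not with the attacker's expected token."""
        if not self.online:
            return None
        if not self.armed:
            return "UNEXPECTED"  # assumption: stock logic answers something else
        return "ACK:" + challenge


class HeldEnvironment:
    def __init__(self, names):
        self.plcs = {n: Controller(n) for n in names}

    def poll_round(self, challenge="r1"):
        """Every armed, un-fired controller polls every other controller once.
        Any reply other than the expected acknowledgement fires the poller's switch.
        Returns the names of controllers that fired in this round."""
        fired = []
        for poller in self.plcs.values():
            if not poller.armed or poller.detonated:
                continue
            for peer in self.plcs.values():
                if peer is poller:
                    continue
                # An offline poller cannot reach its peers at all.
                reply = peer.answer(challenge) if poller.online else None
                if reply != "ACK:" + challenge:
                    poller.detonated = True
                    fired.append(poller.name)
                    break
        return fired

    # Defender actions modelled as single events between two polling rounds.
    def restore_from_backup(self, name):
        self.plcs[name].armed = False

    def isolate(self, name):
        self.plcs[name].online = False

    def restore_all(self):
        for plc in self.plcs.values():
            plc.armed = False

    def detonated(self):
        return sorted(n for n, p in self.plcs.items() if p.detonated)


def scenario(action=None):
    """Run one clean round, apply a defender action, run one more round,
    and report which controllers have fired."""
    env = HeldEnvironment(["PLC-A", "PLC-B", "PLC-C", "PLC-D"])
    env.poll_round("r0")          # steady state: every peer acknowledges
    if action is not None:
        action(env)
    env.poll_round("r1")
    return env.detonated()


if __name__ == "__main__":
    print("no action      :", scenario())
    print("restore PLC-A  :", scenario(lambda e: e.restore_from_backup("PLC-A")))
    print("isolate PLC-A  :", scenario(lambda e: e.isolate("PLC-A")))
    print("restore all    :", scenario(lambda e: e.restore_all()))
```

Restoring a single controller fires the switch on every other controller, because the restored one no longer answers as expected; isolating a single controller fires all four, since the isolated one can no longer reach its peers either. Only restoring every controller within the same polling interval leaves nothing armed to fire, which is the sense in which the whole environment, not any one asset, is held.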