Proportionally, the amount of malware targeting ICS and SCADA is extremely low compared to traditional operating systems and Android. However, when threat adversaries create tools specifically designed to hit critical infrastructure can be quite dangerous, particularly when it is ransomware:
A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems, which is usually abbreviated as ICS. Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.
In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.