How to Prevent Ransomware in 2021

What is Ransomware?

Why is Ransomware used and what are the potential impacts?

  • Ransomware takes advantage of “availability” risks and is highly profitable in industrial organizations. The business of cyber theft of personal information used to be quite profitable, but prices for that information have fallen dramatically as supply has increased. So cyber criminals have found new business models. They have shifted from the “C” in the Confidentiality -Integrity-Availability triad to the “A”. And industrial organizations require availability to operate, so the payment is usually quick and large.
  • In most cases, insurance covers a significant portion of the cost of the ransom and recovery. As a result, with current policies in place, the payment process is greased by the presence of insurance. This, however, is changing as insurers start to change policies going forward as seen in AXA’s recent announcement to stop coverage for ransomware payments.
  • Even IT attacks can shut down OT operations. Why is this so? First, OT systems are usually highly susceptible to ransomware if it gets to those systems. So, the first step in any incident response plan is to stop the spread by disconnecting OT systems. While IT systems are costly to restore, OT systems may be 3–4X as costly and may take much longer. Hence the “ abundance of caution” we always read about. Second, we in many cases operations does not solely rely on “OT” systems, but “IT” systems such as billing or supply chain software are now necessary to operate effectively. Thus, shutting down key IT systems can essentially require an OT shut down as well.
  • Why is OT so susceptible?
  • Most ransomware takes advantage of older vulnerabilities that have been left unpatched. In OT we know there are a huge number of both exploits and unpatched systems
  • Ransomware often exploits network-based insecurities to gain access (eg, through RDP) but spreads from endpoint to endpoint. Compensating controls, system hardening, vulnerability management and other techniques such as network isolation all play a critical role in reducing the impact and spread of a virus attack.
  • Ransomware is often very effective because many organizations are insufficiently equipped to recognize (avoid) potential incidents (phishing?) Large numbers of legacy, unpatched assets often poorly monitored and supervised by a handful of non-cyber security personnel is a recipe for disaster.

What happened to Colonial specifically?

How to protect against a Ransomware attack on industrial organizations?

How to Protect Against Ransomware in your OT Environment

Know how an IT attack can impact OT, build clear incident response gameplay, and prioritize risks to ensure as little impact on operations as possible in case of emergency.

  • Well-defined maps of potential threats and impacts. One of the biggest questions is the risk levels and priorities of assets and systems. What systems are tied to what systems, not just technically but operationally? The great news is many industrial organizations already have disaster recovery plans. We need to extend those to cyber events so we understand what we can disconnect, what we can keep operating, etc. This is key as attacks can spread from IT to OT so easily.
  • Risk prioritization: These exercises then can determine the true crown jewels — which systems are the lynchpins to operations, all the way down to the individual servers etc. This then allows the organization to prioritize risk management on those systems and add extra layers of security to protect those key assets.
  • OT Challenge: OT specific policies and procedures — Most IT tools and behaviors MUST be modified to provide similar effects without disrupting OT. This type of balance requires significant knowledge of both security practices but also Operational awareness
  • Robust backup and recovery: Expanded backup coverage and frequent snapshots (more hosts): The more hosts that are frequently backed up SECURELY, and assuming an adequate pipeline to get systems back those backups (e.g., enough network bandwidth), the faster you can recover from a ransomware attack. However, you must ensure the vulnerability is mitigated or the host is isolated when the backup is restored, or they may become re-infected.
  • OT Challenge: Legacy systems, lack of bandwidth and need to track multiple backup solutions/products in most OT environments makes management difficult
  • Have offline backups of critical assets: Offline backups as a resilience or disaster recovery strategy is critical to ensure your most important OT assets are protected or can be readily restored if your infrastructure is down. This includes PLC logic code, configuration, documentation, and system images/files. It may sound expensive, but it is often accomplished with securely encrypted USBs that are periodically rotated such that file integrity is maintained.
  • OT Challenge: Complexity of OT environments, number and variations of source code type, location, etc — requires a wholistic backup and recovery program
  • Regularly have “cyber fire drills” to test backups and their recovery: Again, I cannot stress this enough, a frequent training regime should be absolutely applied for OT and cyber-related events. Forensics, failed hardware, shutdowns, etc. should have at least an initial note for cyber, just to ensure it was not cyber-related, and if so, a chain of custody and due diligence can be assured. Secondly, it is important that your resources know what to do when there is an issue, so this is another way to double-check processes while improving the likelihood of a quick recovery.

Endpoint Management

  • Asset inventory:Effective endpoint management begins with a robust asset inventory. As the age-old saying goes, if you don’t know what you have, you can’t manage the risks. A rich view of a 360-degree picture of each endpoint enables proper endpoint management.
  • OT challenge: Incorporating an automated asset inventory that includes all asset types from OS based to networking but also embedded with deep asset profiles including set criticality, users and accounts, presence of compensating controls, etc.
  • OT systems management:OT asset inventory is only the beginning of a robust endpoint management program. A robust OT Systems Management program includes configuration hardening, user and account management, software management, etc. In many cases, OT systems are insecurely designed and unpatched, making it ripe for ransomware.
  • Patch management: Most threats enter through commodity systems such as Windows machines. You cannot patch everything in OT, but an end-to-end patch management program(i.e. automation and intelligent application of patches) is of great importance due to several environmental factors such as compliance, legislation, and risk management (e.g., patches on hosts with RDP or firewalls connected to the Internet should be prioritized over a PLC protected by several layers). Where unfeasible, application whitelisting, and policy enforcement makes an attacker’s life very difficult to improve your chances to defend or deny a ransomware attack on your OT organization.
  • OT challenge: need to have a prioritized patching process and move to compensating controls when/where necessary.
  • Removable media:USBs, removable media, and transient devices are other forms of low hanging fruit, especially if your network is “air-gapped” or heavily controlled. Users WILL bypass your controls by way of removable media. As a best practice, system policies are easily deployed, whitelisting software used, registered secure drives, and other technologies such as 802.X ensure authorized systems are allowed on network segments.
  • OT challenge: Enumerating, applying, monitoring and enforcing removable media policies as well as extending to transient cyber assets

Monitor network, system and application logs for anomalies

  • OT challenge: providing ‘OT context’ to traditional SIEM and alerting tools
  • Monitored external attack surfaces: Many attacks are successfully accomplished due to a misconfiguration or an inadvertent hole caused by a gap in change management. It is a best practice to monitor for exposed services (e.g., Shodan).

Access Control and network segmentation

  • Implement network separation or segmentation. One key way to slow the spread of ransomware is to place network barriers between IT and OT (or even within segments of IT and/or OT) networks. This approach is a foundational element but one, because of its technical challenges, often underutilized.
  • OT Challenge: segmentation is not easy on IT or OT but in OT particular challenges arise due to legacy equipment, need for physical cabling, the downtime required to move systems onto new firewalls, etc. OT segmentation requires a team with deep knowledge of networking and the OT systems themselves.
  • Isolate systems based on software, user role, and function: To protect systems compromised through remote access, local Windows networking flaws (e.g., print spool or SMB/NETBIOS), or Office/Acrobat, isolate them based on function and ensure unnecessary software is NOT included in standardized golden images or the same AD server is not serving policy for IT and OT. This also applies to user-based accounts; if an HMI is an HMI, treat its operator as an operator, not as an administrator.
  • OT Challenge: Finding, profiling and securing these types of controls — ability to correct and enforce baselines
  • Technical Diversity between zones or systems: Consistency across systems has scaling advantages, but when a single vulnerability affects multiple products this strategy grounds your entire operations if exploited. Barriers such as a VPN with 2FA, a remote access terminal server, and multiple firewall vendors exponentially increases the efforts it would take for an external attack to be successful.
Example of a zone and conduit network and acceptable vs unacceptable connections

Conclusion and success stories

  • Building robust, 360-degree asset views
  • Incorporating multiple functions into a single platform
  • Tying together IT and OT skill sets at an enterprise level to review, monitor, plan and execute systemic security controls
  • Automated data collection and remediation tasks
  • Partnering with proven OT safe software and services vendors/consultants

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Verve Industrial Protection

Verve Industrial Protection

Verve's mission is to protect the world's critical infrastructure. Learn more at verveindustrial.com