Defend Against Ransomware with a 360-Degree OT Vulnerability Management Program

Ransomware is an insidious form of cyber threat, hitting large and small organizations alike, with a very robust business model given the immediate need of many organizations to recover operational data. The most popular examples include: WannaCry, NotPetya, Ruyk, Snake ransomware (also known as ekans malware), and Trisys or Triton malware.

The risk to Operational Technology (OT) environments is significant because hackers look for the best return ratio and the benefit of paying a ransom to a target if their operational or manufacturing systems are locked up is much greater.

While the vast majority of ransomware to date has focused on IT systems, the impact where it has spread into OT systems is dramatic as evidenced by NorskHydro, Merck, Maersk and others.

In Verve’s ransomware webinar, you’ll walk away with a comprehensive review of the risks of ransomware to OT systems and what organizations can do to defend, detect, respond and recover from attacks.

As an initial installment on that topic, this blog focuses on one area of defense and that is a robust 360-degree vulnerability management program. There is no “silver bullet” to defending against ransomware, but an ongoing, real-time 360-degree vulnerability management program is a necessary element of any robust defense.

What is 360-degree OT/ICS vulnerability management?

A robust vulnerability management program is a comprehensive set of tasks to assess the vulnerabilities or risks present in an OT/ICS environment, then remediate those risks through a set of actions intended to reduce the overall risk and address key vulnerabilities.

The key functional elements of a vulnerability management program include:

• Asset inventory management
• Vulnerability assessment (capturing a view of potential exposures on each asset)
• 360-degree risk scoring of asset risks
• Prioritizing risks based on exposure and potential impact of the threat to the process or information
• Patch and configuration deployment
• Mitigation and compensating control deployment
• Reporting and monitoring of progress

These elements can be pictured in the below diagram:

The vulnerability assessment begins the journey. It includes a robust asset inventory as its starting point. From there, the organization must plan and prioritize actions across patching, configuration hardening, user and account management, etc. What follows is an ongoing defensive approach to ensure that new vulnerabilities are identified and defended against. Finally, reporting allows for visibility of progress before the next step of assessing.

We think of a proper vulnerability assessment as looking at the risks in 360-degrees. The notion is that just looking at published vulnerabilities, as one might do in IT, is not enough to get a true picture of the risk exposure of an asset in OT. Most of these systems were not designed for security from day one and are not managed as the IT systems are (see our OT Systems Management whitepaper here). A 360-degree assessment brings together a more comprehensive view of risk so that the operators can assess true risk, rather than just the CVE or CVSS score of a particular published vulnerability.

This 360-degree assessment can be visualized below:

Ongoing/Real-Time Risk Assessment

One of the biggest gaps in OT vulnerability management is the time it takes between one assessment and the next, or between assessment and the system hardening or remediation. The reasons for these time gaps are due to the manual or step-wise way many assessments are completed – often with manual processes using a sampling of data and requiring manual remediation.

Effective vulnerability management programs create real-time visibility to vulnerabilities and current remediation status. This enables real-time measurement of progress to security maturity. In addition, effective programs integrate the assessment and hardening steps into singular toolkits to accelerate the time between assessment and defense.

3 reasons why 360-degree vulnerability management is critical to OT/ICS security:

Ransomware defense requires robust OT/ICS vulnerability management

Over the past three years, cybercriminals discovered that ransomware pays handsomely. The growth of public ransomware attacks is up dramatically in 2020. The reality is that most organizations that pay ransom do not report the attack, so the number of attacks is surely understated.

Too many OT organizations rely on detection as their only defense. Systems are not patched regularly. Users and accounts are not managed. Segmentation, if it exists in design, often doesn’t exist in practice as firewall rules are not locked down. In many cases, anti-virus signatures are not regularly updated due to the challenges of updating critical process control systems. The list goes on. This list is a recipe for success for the ransomware attacker.

Remote access due to COVID-19 destroyed any notion of the “air-gap”

One of the biggest excuses to argue against the need for ongoing vulnerability management in OT/ICS is that these networks are “air-gapped” from the internet and, therefore, not at risk of attack. Although this notion has always been highly suspect, with the accelerated move to remote work, it is truly now dead.  With the very rare exception, perhaps of nuclear power plants, no operational networks are truly air-gapped anymore. And the level of remote access is exploding. We have seen remote access rights double at some of our clients since the start of the pandemic lockdown in March.

Much of the press has focused on the need for secure solutions for remote access, but this ignores the most fundamental threat and that is to the endpoints in the networks that are now accessible. Even the most secure access offers new angles of attack.  The OT/ICS devices were not designed for defense initially. The objective was to streamline and simplify the actions of a tech who is trying to improve the process, not take advantage.  Therefore, vulnerability management was an after-thought at best.  Now, with the explosion in remote access, OT/ICS vulnerability management becomes absolutely critical to protect the insides of these networks from lateral movement, malware, and ransomware.

IT-OT convergence drives increasing top-down pressure on OT/ICS security

Over the past several years, OT security has become a greater concern of the C-suite and is becoming a greater focus for the CIO and CISO. Not surprisingly, IT leaders want to adopt the same policies, procedures, and vulnerability management on the equipment in operating environments. Most recognize there is a big difference between a PLC or VFD and a laptop or cloud server. However, they want to apply the same principles that have been effective in IT for years.

Operating Technology leaders need to adapt and deliver on these expectations. And as more connections integrate IT and OT, the ability for ransomware to start on the IT side through active phishing campaigns and then bridge over to OT is growing as a risk.

How does 360-degree vulnerability management stop ransomware?

Ransomware prevention requires a comprehensive effort. Security requires a robust program of multiple components to ensure protection. But often the question arises: where do we start? We would argue, the best place to begin is with ongoing 360-degree vulnerability management for several reasons:

1. Identifies and remediates known vulnerabilities and missing patches. Yes, this seems basic, and in IT, it is. But in OT with sensitive, real-time systems that control critical processes, conducting vulnerability assessments using IT scanning tools is potentially dangerous to the controls equipment. An OT-specific approach conducts this assessment safely providing real-time visibility to known risks. Importantly, the 360-degree approach sees the patches approved by OEM vendors as well as all of the patches that either were not approved or were not reviewed because the vendor doesn’t load that software when they install the system – things such as Adobe, Java, Office, etc. which we find on many devices in OT environments. But ransomware doesn’t necessarily need unpatched or vulnerable systems. That is why 360-degree vulnerability management needs to include a more robust picture of risk such as those below.
2. Identifies and manages users and accounts and their rights. In Verve’s vulnerability assessments over the past decade, we regularly find a high number of dormant accounts, many with administrative rights, accounts that should be limited in their privileges but are administrative since that’s what the operators use to log in, accounts with stale or shared or default passwords, etc. Sure, this isn’t surprising. However, the 360-degree assessment gets down to the detailed level of every account on every device and their privilege rights to allow for proper remediation and clean up and ongoing management of user access, a critical component to stopping ransomware.
3. Identifies and remediates insecure configuration settings. In many industrial environments, the design of the network or endpoint configurations is done well (and sometimes not). But in almost every case, the execution over time drifts from the design. Firewall rules are not locked down tightly. Hardened configuration settings, which you might find in IT, are not executed in OT perhaps because they are joined to a domain. In any case, the 360-degree assessment identifies those insecure configurations and can harden those, reducing the access of potential hackers.
4. Identifies out of date protection and recovery elements. Organizations often believe they have some level of protection because they have deployed the OEM’s chosen anti-virus product in their OT system. Unfortunately, signature updates don’t always happen on a rapid basis in OT. A 360-degree assessment identifies outdated signatures and outdated or failed backups of critical systems – a key element of systematic recovery from ransomware.
5. Enables rapid prioritization of the best way to protect each asset. Again, there is no silver bullet. Not all devices can be patched to the latest level. Not all AV signatures can be updated immediately. The 360-degree view provides a roadmap to best protect any individual asset given its criticality and the feasibility of remediation.
6. Enables rapid response. With the 360-degree view combined with the actionability of a platform like Verve to quickly respond to remediate these risks, the response team can know what to do quickly and have a roadmap for how to quickly respond and recover in case of attack.

The above is just an initial list of the benefits of such an approach. For more information, visit us at www.verveindustrial.com

There is no silver bullet for defending against ransomware, but a 360-degree ongoing vulnerability management program is a critical component of any robust defense. It is an absolutely critical OT security function due to the rising threat of ransomware, increasing remote access, and drive from corporate organizations for IT-OT convergence.

Verve has built the Verve Security Center to address the challenges of OT vulnerability management. We look forward to the opportunity to share how the platform can simplify and streamline your OT/ICS vulnerability management process.