Cyber security insurance is an increasingly important weapon in the risk management arsenal of today’s enterprises. Unknown just a decade ago, these popular policies now offer organizations a crucial hedge against risks that defy routine assessment, planning and mitigation tactics.
Even the most diligent of risk registers typically lack accounting for devastating events like the recent exploitation of Microsoft Exchange on-premises products, or the sweeping compromise of 18,000 SolarWinds customers. The explosive growth of ransomware, along with sophisticated, well-funded attacks leveraging critical zero-day exploits has made insurance a must-have element of any mature cyber risk management strategy.
The oft-forgotten element in such cyber security coverage, however, is OT (operational technology). Even as threats to critical control systems grow exponentially, cyber insurance underwriters have been slow to update rating tables to incorporate growing cyber-physical risks. Organizations, likewise, often fail to adequately account for OT/ICS risks and basic controls in their overall assessment strategies.
As the world becomes an increasingly dangerous place, particularly for organizations with a mix of IT and OT/ICS environments to protect, cyber insurance premiums are spiking and the qualifications for comprehensive policies are getting more rigorous, at a time when enterprises need quality coverage more than ever.
For the past decade, the cyber security insurance market matured slowly. Costs remained low thanks to a growing pool of buyers and limited historical claims data. Over the past three years, however, premiums rose significantly in lockstep with the number of claims being filed and the magnitude of the losses. According to the Council of Insurance Agents & Brokers, cyber security insurance rates have been increasing by 25% or more per quarter in each of the most recent quarters, and available coverage limits have decreased from $10M to about $5M in 2021.
Claims, particularly those due to ransomware and the related business interruption costs, are driving the spike in premiums. Insurers now limit coverage specifically for ransomware to control their losses, which total more than $20 billion in ransomware claims to date. Overall, Marsh McLennan estimates cybercrime costs will top $10.5 trillion by 2025.
In a recent report from the Institute for Security and Technology, Coalition, a cyber insurance firm, said ransomware attacks now account for most cyber security insurance claims. In the first half of 2020, Coalition saw a 260% increase in ransomware attacks among its policyholders, with the average ransom demand rising 47% to an average of $338,669. Elsewhere in the report, ransomware incident response specialist Coveware reported average downtime due to ransomware now tops 21 days.
This growth in ransomware is a real threat to OT systems. The 2017 WannaCry/NotPetya event that impacted Merck, Mondelez, Maersk and others was an expensive warning shot across the bow: it cost companies like Merck almost $1 billion and racked up insured losses of some $3.6 billion on both affirmative and non-affirmative (silent) covers globally.
In 2021, manufacturing became the number one targeted industry, up from second in 2020 and eighth in 2019. Attackers have discovered the profit potential of locking up manufacturing systems. Recent attacks demonstrate in stark relief the plant-days the industry has lost to the scourge of ransomware.
Industry | 2021 rank | 2020 rank | 2019 rank |
---|---|---|---|
Manufacturing | 1 | 2 | 8 |
Finance & Insurance | 2 | 1 | 1 |
Professional Services | 3 | 5 | 5 |
Energy | 4 | 3 | 9 |
Retail | 5 | 4 | 2 |
Healthcare | 6 | 7 | 10 |
Transportation | 7 | 9 | 3 |
Government | 8 | 6 | 6 |
Education | 8 | 10 | 7 |
Ransomware attacks are even more costly in industrial control systems, where refusing to pay means lost production plus the additional expense of building or acquiring new systems, and where, as is often the case, recovery after payment is not 100% effective. The increasing ransomware costs during 2020 correlate with the increased number of cyberattacks on manufacturing and industrial systems.
But the financial impact doesn’t affect only the company. In the case of Colonial Pipeline, not only did the company lose $4M to a ransomware payment, but the wider economic impact also cost $2-3B. Another question that arises is: what if Colonial Pipeline were a vendor of yours… would you be covered?
[Figure: Average cyber attack ransom in USD]
The insurance risks from OT cyberattacks don’t stop with ransomware. Cyber-physical systems carry the unique added risks of damage to the physical plant and threats to personnel safety.
“The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem,” a recent Lloyd’s insurance report on OT threats warns. “This risk has previously been considered unlikely to generate insured losses with cyber perils traditionally emerging in the form of non-physical losses. However, as bridges are being built between IT and OT and there is increased automation and greater sophistication of threat actors seeking new avenues to create disruption, incidents are increasingly likely.”
Lloyd’s lists a set of potential additional risks for different classes of insurance:
Lloyd’s Class of Business | Potential Scalability to Core Classes |
---|---|
Accident & Health | Potential impacts to A&H, Medical Expenses, and PA for any locations that suffer property damage and fires or explosions. Product Recall could be a significantly exposed class, particularly if a defective component is the point of failure. |
Aviation | Limited, in the context of the scenarios explored. |
Casualty Treaty | Significant potential impacts, particularly around contributing classes such as Employer’s Liability and Product Liability. |
FinPro Casualty | Significant potential exposure to Cyber, D&O, and Professional Indemnity. |
Other Casualty | Some possible exposure for other classes such as General Liability. |
Energy | Depending on the target industries, Energy Property and Liability could be significantly impacted by such a scenario. |
Marine | Limited, in the context of the scenarios explored. |
Other Specialty | Engineering could be significantly exposed. Other bespoke products that could conceivably be triggered include Extended Warranty, Legal Expenses, and Terrorism. |
Property (D&F) | Significant potential exposure to large risks, with conceivable impacts to binder business with proximity to those impacted sites. |
Property Treaty | Significant potential exposure to large risks, with conceivable impacts to binder business with proximity to those impacted sites. |
The growing recognition of the combined risks from ransomware and cyber-physical impacts is driving increased rates for operators of industrial control systems. And as discussed in our recent 2021 ICS vulnerability report, the risks and threats are only increasing.
Cyber insurance providers and their policy holders must work together to ensure continued cost-effective coverage for cyber-physical systems and the attendant risks. Key action items include:
Policy holders generally miscalculate the potential impacts of cyber threats to their cyber-physical systems. Insurers may have provided “silent risk” coverage without understanding their real exposure. Both sides need to better understand the risks of an OT attack. This requires an assessment of the security maturity of the environment as well as the potential threat vectors and the impacts of different scenarios. Such an assessment requires a deep view of assets, networks, policies and procedures, and then mapping the resulting vulnerabilities to impacts, both financial and physical.
Baseline requirements are becoming standard for IT security. In the past, some cyber security insurers viewed a lack of security baseline requirements as a selling point. However, the rapid rise in claims is causing a shake-out of those providers. More mature insurance providers typically require clients to adhere to strong baseline security practices, which can significantly reduce the disruption caused by a ransomware attack.
In OT, however, these cyber baselines are much less clear. While general guidance and more specific OT frameworks like IEC 62443 do exist, insurers and insureds will need to adjust the baselines to address the unique devices, processes, and risks of OT systems.
Most OT networks are not “managed” today. They run legacy operating systems, patches are often not deployed, and backups may or may not be effective. Formal OT systems management (OTSM) is necessary to maintain baseline requirements for an efficient cyber security insurance market. Broad adoption of OTSM requires a fundamental shift in the mindset of IT and OT leadership, however, along with new tools, skills, and procedures.
A comprehensive security platform aggregates the reporting on baseline requirements in a way that provides visibility into ongoing risks. It’s insufficient to simply monitor network anomalies or have plant-level information stuck in local databases. Centralizing OT data into a platform that provides management visibility into risk profiles is a game changer. This management console enables insureds to make the right trade-offs for insurance coverage. Similarly, it provides insurers a way of pricing risk effectively. Certain insurers may even offer discounts for more mature security environments that can be confirmed via such platforms.
“As part of a risk mitigation strategy, syndicates need to monitor the correlation potential for risks stemming from attacks bridging the IT/OT gap,” the Lloyd’s report states. “In practice, syndicates can improve awareness by building a technology inventory for their insureds. This might include identifying leading PLC components and investigating the use of common industrial OT and IoT assets.
“It is very important for syndicates to focus on procedures as well as components,” the report adds. “This should encompass the extent of air-gapping between IT and OT systems, the nature of risk management protocols such as automated patch updates, and the presence of known industrial component vulnerabilities.”
As we think about protecting our OT environments, there are many layers of protection we can put in place to stop threats (training, detection, disaster recovery, etc.). But as prepared as we can be, cyber security insurance covers financial losses should we fail to stop cyber-related events.
Insurance spending by industrial organizations is expected to increase significantly. In the industrial segments it is roughly a million-dollar market, expected to grow by 16% annually over the next decade (according to Guidehouse).
But with increasing coverage come many challenges and limitations with policies:
While the cost of insurance is rising and the challenges for obtaining complete OT insurance coverage are increasing, it would benefit industrial organizations to find ways to improve security controls in the protection of their OT environments. Many cyber security standards now include insurance as part of their required safeguards. So what requirements do we need to achieve to ensure coverage?
Examples of OT supplementary insurance application elements:
The good news is that none of this is “new”: most of these requirements look very similar to what cyber security practitioners already see in standards such as the NIST CSF or the CIS Controls. Given the new insurance requirements, Verve recommends a proactive OT systems management approach that brings your OT cyber security program and data into a common platform to demonstrate the answers to these common questions and requirements. Verve has been applying these practices for over 15 years to manage OT security in a similar fashion to IT security.
Watch the full webinar recording here.