The Rising Threat of OT Ransomware: A Wake-Up Call
Between May 6 and May 12, 2021, Colonial Pipeline, owner of 5,500 miles of pipeline carrying natural gas, gasoline, and diesel from Texas to New Jersey, shut down its operations in response to what it said was a ransomware attack targeting its IT network.
After the Colonial incident, several other major ransomware attacks on operating entities have been reported, including Martha’s Vineyard Ferry Service, FUJIFILM, and the JBS meat company, which supplies 40% of the US meat supply. In the first 4 months of 2024, major companies like Omni Hotels and Thyssenkrupp experienced ransomware attacks, and United Health Care publicly confirmed a $22M ransom payout in April to try to protect patient data after a breach.
These attacks are growing in severity and becoming more targeted as attackers seek massive payments in exchange for releasing the stranglehold they gain on private data.
Ransomware Attacks Down, But Manufacturing Sector Still Under Siege
A Q1 2024 report by ReliaQuest showed that even though ransomware attacks were down 18% compared to Q4 2023, 1,041 organizations were posted to ransomware data-leak sites, and they expect attacks to rise throughout the year, as they’ve reported in past cycles. The report also confirms that manufacturing was the most common target sector for ransomware attacks. “Manufacturing suffers from extended outages due to the correlation between the impact on IT and OT,” the report states.
Let’s take a look at how and why OT ransomware is so dangerous and how to prevent attacks and reduce their impact if one does occur.
What is Ransomware?
Ransomware is a form of malicious software in which a bad actor finds a way (phishing, social engineering, etc.) to invade the target network. Their software then spreads across the network, traversing network shares and local drives and encrypting everything it finds with a key that only the attacker knows. If you want to unlock your files, you have to pay a ‘ransom’. The cost of obtaining the key and decrypting files can range from hundreds to thousands or even millions of dollars, depending on the specifics of the attacker and victim.
Why Ransomware Targets OT
Ransomware has roots in the scam and extortion criminal world, but by nature, it can also be used to target larger asset owners and organizations or to mask other activities that might be more devious.
Ransomware takes advantage of “availability” risks and is highly profitable in industrial organizations. The business of cyber theft of personal information used to be quite profitable, but prices for that information have fallen dramatically as supply has increased. But cybercriminals have found new models for attacks. They have shifted from the “C” in the Confidentiality-Integrity-Availability triad, to the “A”. Industrial organizations require availability to operate, so the payment is usually quick and large.
With current policies in place, the payment process is greased by the presence of insurance. However, this has been changing recently as insurers start to modify policies going forward, as seen in AXA’s 2021 announcement that they would stop coverage for ransomware payments in France.
Even IT attacks can shut down OT operations. OT systems are usually highly susceptible to ransomware, so the first step in any incident response plan is to stop the spread by disconnecting OT systems. OT systems may be 3-4X as costly to restore as IT systems, and may take much longer. Second, in many cases, operations do not rely solely on OT systems, but also on IT systems such as billing or supply chain software that are now necessary to operate effectively. Thus, shutting down key IT systems can essentially require an OT shutdown as well.
Why is OT so Susceptible to Ransomware?
- Most ransomware takes advantage of older vulnerabilities that have been left unpatched. In OT, we know there are a huge number of vulnerable and unpatched systems.
- Ransomware often exploits network-based weaknesses to gain access (e.g., through Remote Desktop Protocol, or RDP) but spreads from endpoint to endpoint. Compensating controls, system hardening, vulnerability management and other techniques such as network isolation all play a critical role in reducing the impact and spread of an attack.
- OT ransomware is often very effective because many organizations are insufficiently equipped to recognize and avoid potential incidents. Large numbers of legacy, unpatched assets are often poorly monitored and supervised by a handful of non-cybersecurity personnel, which leaves potential issues unaddressed.
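The RDP entry-then-spread pattern above is something a plant's own logs can reveal early: one source opening remote sessions to many OT hosts in a few minutes is the fan-out signature of lateral spread. The script below is an added example (not Verve's tooling) that runs that check over a constructed, simplified CSV form of Windows logon events; the field layout, the event/logon-type codes used as filters (4624, logon type 10), the host names and the thresholds are all assumptions for the demonstration.

```python
"""Flag sources that fan out over RDP to many hosts in a short window.

Added example, not the original article's or Verve's code. The log lines
are constructed; their CSV layout is an assumed simplification, not any
vendor's native format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Columns: timestamp,event_id,logon_type,source_ip,dest_host
# 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-04-02T01:00:05,4624,10,10.20.1.15,hmi-01
2024-04-02T01:00:41,4624,10,10.20.1.15,hmi-02
2024-04-02T01:01:12,4624,10,10.20.1.15,eng-ws-03
2024-04-02T01:01:50,4624,10,10.20.1.15,historian
2024-04-02T01:02:33,4624,10,10.20.1.15,hmi-04
2024-04-02T01:03:10,4624,2,10.20.1.15,hmi-04
2024-04-02T02:10:00,4624,10,10.20.9.2,eng-ws-01
2024-04-02T09:30:00,4624,10,10.20.9.2,eng-ws-01
"""


def parse_rdp_logons(text):
    """Return (time, source, dest) tuples for successful RDP logons only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, dst = line.split(",")
        if event_id == "4624" and logon_type == "10":
            events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Map source -> sorted hosts for any source reaching >= threshold
    distinct hosts within a single sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, items in by_src.items():
        items.sort()  # chronological, so the slice below is a time window
        for i, (start, _) in enumerate(items):
            hosts = {dst for ts, dst in items[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts[src] = sorted(hosts)
                break
    return alerts


def run_demo():
    """Run the detection over the constructed sample and return the alerts."""
    return find_fan_out(parse_rdp_logons(SAMPLE_LOG))


if __name__ == "__main__":
    for src, hosts in run_demo().items():
        print(f"ALERT {src} opened RDP sessions to {len(hosts)} hosts: {hosts}")
```

The second source in the sample (10.20.9.2) logs on twice to the same engineering workstation hours apart, which is normal maintenance traffic and produces no alert; only the source touching five distinct hosts inside ten minutes is reported. In production the threshold and window should be tuned per site, and the check belongs alongside the hardening and isolation controls the bullet describes rather than in place of them.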
The diagram below illustrates the typical path of ransomware entry into a facility:
5 Ways to Limit the Impact of Ransomware in OT
Given the current state of risk and the potential for a renewed acceleration in ransomware incidents in industrial environments, how should organizations respond?
1. Understand your operational and safety risks from a ransomware attack
To gather this picture, an organization needs to have three key pieces of information:
- First, an understanding of the operational criticality of different assets in the environment. For instance, you may have certain plants, mills, or facilities that are absolutely critical to the financial performance of the business. Others may be less financially critical independently but are key suppliers to those critical sites. A business understanding of site/facility criticality is the foundation.
- Second, a comprehensive view of the ransomware risk to the assets in those facilities. Verve typically does this through a “Technology Enabled Vulnerability Assessment”. This process provides a detailed picture of the software and hardware vulnerabilities, network protections, asset protections, patch status, and more within the OT environment. This 360-degree risk view provides clarity of the potential threats to the sites/facilities/plants.
- And third, the current status of recovery and response capabilities. The extent of any ransomware event can be reduced by a well-prepared organization. Robust and updated backups, a rapid incident response plan, and alerts on canary files to catch ransomware in its early stages can all limit the damage. By assessing these response and recovery capabilities, the organization can determine the potential extent of an attack’s impact and mitigate its effects.
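The canary-file alert mentioned in the third point is simple enough to show end to end. The script below is an added example, not part of the original article or of Verve's platform: it plants decoy files whose names sort to the top of a share listing, records a hash baseline, and later reports any decoy that has changed, disappeared or been renamed. The decoy names, the scratch directory and the tampering performed in the demo are constructed for the illustration.

```python
"""Canary-file monitor for early ransomware detection.

Added example, not the original article's or Verve's code. Decoy names and
the demo's simulated tampering are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen to sort early in a directory listing, so a process walking
# the share alphabetically touches a decoy before most real documents.
CANARY_NAMES = ["!!_canary_do_not_open.docx", "00_canary_invoice.xlsx", "aaa_canary.pdf"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(share_dir):
    """Create the decoys and return a baseline {path: sha256}."""
    share = Path(share_dir)
    share.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        p = share / name
        # Random tail so two shares never hold byte-identical decoys.
        p.write_bytes(b"canary " + name.encode() + b"\n" + os.urandom(32))
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline):
    """Return (path, reason) for every decoy that no longer matches the baseline."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing or renamed"))
        elif sha256_of(path) != expected:
            findings.append((path, "content changed"))
    return findings


def run_demo():
    """Plant decoys in a scratch directory, simulate tampering with two of
    them, and return the findings before and after."""
    with tempfile.TemporaryDirectory() as share:
        base = plant_canaries(share)
        before = check_canaries(base)
        first, second = list(base)[:2]
        Path(first).write_bytes(b"scrambled bytes")   # constructed: overwritten in place
        os.rename(second, second + ".locked")          # constructed: renamed
        after = sorted(reason for _, reason in check_canaries(base))
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = run_demo()
    print("clean check:", result["before"])
    for reason in result["after"]:
        print("ALERT canary", reason)
```

Run `check_canaries` on a short schedule (or from a file-system watcher) and wire any non-empty result into the incident response plan the same point calls for; the value of the alert is that it fires while encryption is still confined to a few files, which is exactly the window in which disconnecting OT systems still limits the damage.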
2. Create a site-level remediation and protection roadmap
Too often we have seen organizations jump into a certain initiative to try to reduce the risks from ransomware (and other potential OT attacks). For instance, a frequent starting point is a comprehensive network segmentation effort to reduce connectivity between IT and OT, as well as segregation within the OT environment. While this step is part of a robust roadmap, it may not be the most impactful first step in the overall program, and it is insufficient as an isolated initiative.
Understanding risks, but also a proper sequence of initiatives, is key to making rapid, sustainable progress. Conducting an asset inventory before network segmentation builds a stronger foundation for protection from attacks, and accelerates the segmentation efforts. Leveraging existing tools, like threat detection software and network monitoring, works best within a strategic plan. Verve works with clients to create a “portfolio of initiatives” that build on one another. Balancing short-term protection within the development of a long-term security foundation is crucial for effective OT ransomware defense.
3. Accelerate the OT security roadmap using the site and asset prioritization from #1 above
One of the advantages of the assessment mentioned earlier is that the technology is already in place to immediately remediate identified risks – from patching, to configuration hardening, to managing risky software, users, and accounts. Our assessment accelerates time to protection.
Beyond accelerating those endpoint protections, there will be a range of additional protections and response capabilities necessary. One of the biggest challenges is determining the appropriate execution plan to protect the most critical sites and assets without getting bogged down at those complex sites and never achieving breadth of protection across the “medium” criticality sites.
Verve recommends what we call a “bi-focal” approach to the execution. On one lens, we would pursue a robust program deployment across the most critical sites. However, in parallel, we would encourage a broad and shallow approach to apply limited protections to all sites at an enterprise level while the deeper efforts are occurring on the critical sites.
What this means in practice is that the “gold” or most critical sites may need comprehensive network segmentation, new infrastructure, advanced anomaly and threat detection, backups, patching, and user and access management. However, at the “silver” or “bronze” sites, which individually may be less critical but together make up a significant risk, you might apply prioritized vulnerability management and backups while waiting on a more comprehensive network segmentation effort.
4. Maintain the success you have achieved
In many cases, the implementation of a security program is a resource-intensive task, but it is critical that the organization plans for the maintenance of any improvements achieved during the program. In Verve’s experience, this includes two key elements:
- A centralized OT Security Management platform that aggregates visibility, prioritization, and the ability to manage assets, which can significantly reduce the cost and resource requirements of securing distributed OT assets.
- A resource plan that goes beyond the initial remediation program deployment to include ongoing support and maintenance of the controls put in place.
One of our colleagues says “security has a tendency to rot”. His message is that there are many reasons why security programs can fail:
- Network rules put in place initially get changed during maintenance windows
- Updated patches don’t get applied
- AV signature updates get delayed
- New assets are added but never inventoried
- Backups fail and are not remediated
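Each item in that list is a measurable drift from a known-good state, which means it can be checked automatically instead of discovered after an incident. The script below is an added example, not Verve's platform: it compares a baseline snapshot of controls against a current snapshot and reports firewall rules that changed, hosts seen on the network but absent from the inventory, overdue patches, stale AV signatures and backups that have not succeeded recently. The snapshot schema, host names, rule strings, dates and thresholds are all constructed for the demonstration.

```python
"""Drift audit for 'security rot'.

Added example, not the original article's or Verve's code. The snapshot
schema and every value in BASELINE/CURRENT are constructed for illustration.
"""
from datetime import date

BASELINE = {
    "firewall_rules": {
        "deny any any",
        "allow 10.20.9.0/24 -> 10.20.1.10:502",
        "allow jump-host -> hmi-zone:3389",
    },
    "inventory": {"hmi-01", "hmi-02", "eng-ws-01", "historian"},
}

# What a collector would report today (constructed).
CURRENT = {
    "firewall_rules": {
        "deny any any",
        "allow 10.20.9.0/24 -> 10.20.1.10:502",
        "allow jump-host -> hmi-zone:3389",
        "allow any -> historian:3389",  # added during a maintenance window
    },
    "observed_hosts": {"hmi-01", "hmi-02", "eng-ws-01", "historian", "vendor-laptop-7"},
    "patch_pending_days": {"hmi-01": 3, "eng-ws-01": 95},
    "av_signature_age_days": {"hmi-01": 2, "hmi-02": 45},
    "last_good_backup": {"hmi-01": date(2024, 4, 1), "historian": date(2024, 1, 15)},
}
TODAY = date(2024, 4, 15)  # constructed reference date


def audit(baseline, current, today, max_patch_days=30, max_sig_days=7, max_backup_days=14):
    """Return (category, message) findings for every deviation from policy."""
    findings = []
    for rule in sorted(current["firewall_rules"] - baseline["firewall_rules"]):
        findings.append(("firewall", f"rule added since baseline: {rule}"))
    for rule in sorted(baseline["firewall_rules"] - current["firewall_rules"]):
        findings.append(("firewall", f"baseline rule removed: {rule}"))
    for host in sorted(current["observed_hosts"] - baseline["inventory"]):
        findings.append(("inventory", f"host on network but not inventoried: {host}"))
    for host, days in sorted(current["patch_pending_days"].items()):
        if days > max_patch_days:
            findings.append(("patching", f"{host}: patches pending for {days} days"))
    for host, days in sorted(current["av_signature_age_days"].items()):
        if days > max_sig_days:
            findings.append(("antivirus", f"{host}: signatures {days} days old"))
    # Every inventoried host must have a recent successful backup; a host with
    # no record at all is treated as failing, not skipped.
    for host in sorted(baseline["inventory"]):
        last = current["last_good_backup"].get(host)
        if last is None or (today - last).days > max_backup_days:
            findings.append(("backup", f"{host}: no good backup within {max_backup_days} days"))
    return findings


def run_audit():
    """Audit the constructed snapshots with the default thresholds."""
    return audit(BASELINE, CURRENT, TODAY)


if __name__ == "__main__":
    for category, message in run_audit():
        print(f"[{category}] {message}")
```

The point of running this on a schedule is the one the colleague makes: none of the seven findings it reports on the sample data is an attack, yet every one of them is a control that quietly stopped working, and the output is the list that the resource plan in the previous section has to fund fixing.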
5. Organizational commitment
This step is most critical in the maintenance period of the program. Without the buy-in from operational leaders, security programs cannot get off the ground. However, we see many challenges arise once the program is launched and the hard work of maintaining commitment begins. Team members get back to their day jobs, other priorities arise, budgets get reallocated, and many other obstacles can take precedence.
It is key that organizational commitment is more than a one-time effort. In our experience, the best way to accomplish this is through the alignment of balanced scorecards that include OT security as a focal element.
With these strategies, organizations can significantly reduce the risk of OT ransomware attacks. These measures form a robust defense, protecting critical infrastructure against the growing threats of ransomware.