The ransomware risk management calculus is changing for OT, ICS and critical infrastructure
Paralysis is the worst possible state for businesses to find themselves in when faced with the threat, says Claroty’s CPO.
Grant Geyer came aboard the industrial cybersecurity company Claroty in April 2020 as chief product officer amid the global pandemic and an explosion of ransomware attacks. In the first half of 2020 with COVID-19 restrictions in place, U.S.-based organizations alone saw a 109% rise in ransomware attacks, while general malware detections dropped 24% across the globe.
Recent high-profile ransomware incidents, like the May 2021 Colonial Pipeline attack, indicate that not only is ransomware a financial problem, but one that affects the technology needed to keep society moving as well. “We’ve reached a tipping point where events happening in the cyber world can impact events in the physical one,” Geyer said.
Critical infrastructure, operational technology (OT) and industrial control systems (ICS) are becoming popular with attackers looking for soft targets. In addition to being poorly prepared for the risks of being connected to the internet, the real-world consequences of a successful attack on industry and infrastructure give victims a serious incentive to pay.
Needless to say, Geyer has a lot to say about the threat ransomware poses to OT, ICS and critical infrastructure. Organizations hoping for an easy way out of the ransomware threat shouldn’t get comfortable: There’s a long, complicated road ahead of the IT and OT worlds if Geyer is correct in his assessment, and he’s not the only one who thinks that way.
The rise of the ransomware industry
Think of cybercriminals attacking companies with ransomware, and it’s probably a single person in a dark room, furiously writing malicious code that comes to mind. Not so, Geyer said: Ransomware is popular and profitable enough that an entire industry has sprung up around its development and distribution.
“Less sophisticated agents are taking action, multiplied based on ease of use, implementation, help desk support and other factors making it as easy as pushing a few buttons,” Geyer said.
SEE: Security incident response policy (TechRepublic Premium)
Geyer isn’t joking about the existence of help desk support for both ransomware users and victims. One small Kentucky company that fell prey to a ransomware attack in 2020 was provided with a 1-800 number and told that the attacker was “here to help.” The company ultimately paid $150,000 to have its files released.
As evidenced by recent ransomware attacks like the Colonial Pipeline, and non-ransomware attacks like the one on the Oldsmar, Florida water treatment plan, attackers are becoming more aggressive. Western governments, Geyer said, have allowed them to act with relative impunity. “They’re stepping over the line without getting their hands slapped, so the line continues to move,” Geyer said.
Ric Longenecker, CISO at Open Systems, warns that it’s unlikely the ransomware-as-a-service industry will remain aimed at big targets. “These smaller targets may not guarantee a massive payout, but there’s less of a chance of consequences or reprisals because it is really difficult for authorities to diplomatically respond like-for-like to an attack that doesn’t touch critical industries or infrastructure.”
In short, there’s a whole industry based on extorting companies, and it’s not picky about the target, as long as it pays out. And there’s a good likelihood it will, given the current state of things.
Why OT and ICS attacks are on the rise
Digital transformation is happening in nearly every imaginable industry, and the OT, ICS and critical infrastructure side of things is just the latest to embrace cloud-hosting for network and device management. That’s good for data logging, cost-saving and operational continuity, but bad for security.
“A laptop in an IT environment is obsolete after three to four years,” Geyer said. “In OT, tech has a life of 15-20, even 30 years. Those networks simply aren’t built for the connectivity and security needs of today.”
Geyer notes that there was a 74% increase in vulnerabilities disclosed in the energy sector between the second half of 2018 and the second half of 2020. “This highlights the fact that the OT environment is rife with holes and inroads,” Geyer said.
Until digital transformation hit the OT world, air gapping was the standard method of protecting industrial and infrastructure networks. Without a connection to the internet, there’s no risk of attackers gaining access. John Dermody, former cybersecurity counsel at the NSC, DHS and DoD, agrees with Geyer’s take on the problems facing the OT world.
“As more technology is integrated and added to industrial systems, new avenues for exploitation are created. Unlike IT system operators that have a large community to identify vulnerabilities, and history of security being integrated into products, OT operators may have limited insight into the vulnerabilities lurking on their system, just waiting to be exploited when they see the light of day (or the internet),” Dermody said.
To make matters worse, updating OT and ICS networks isn’t as easy as updating IT, which isn’t as critical for operations. “Segmenting [or updating OT networks and hardware] would require a maintenance window which would pause operations and production. It would require so much change that it may not be practical,” Geyer said.
Old hardware and hesitancy to shut down operations to address a theoretical future attack means that many industrial companies, municipalities and critical infrastructure are simply more willing to pay the ransom. “When Baltimore faced a ransomware attack in 2019 it decided not to pay ~$10,000 in Bitcoin and ended up losing $18 million in revenue. With that equation in mind, paying makes more sense,” Geyer said.
Prepare for penalties in the face of inaction
“We need to shift how boards of directors think about the financial consequences of not protecting their cyber environments,” Geyer said, adding that while movement is happening to affect that change, it’s going to take government action to finally make it happen. “We need to create an environment that treats cyber risk alongside other types of compliance risks and business considerations.”
Geyer said that the Biden administration is largely doing a good job in addressing the growing ransomware threat to industry and infrastructure, citing the May executive order establishing pilot programs for Energy Star-like certifications for businesses that meet certain security standards.
Dermody agrees that the landscape is changing: The TSA’s pipeline security directive that arose in the wake of the Colonial Pipeline hack are just one example, he said. “The government’s appetite for imposing mandatory cybersecurity requirements has increased, and it is unlikely that government regulatory efforts will be limited to just that critical infrastructure subsector. The government is not going to tolerate a scenario where there are potential cascading effects.”
“Whether through new regulatory requirements or through new legislation on the Hill, it is likely that more teeth are coming to government cybersecurity requirements,” Dermody said.
Companies, like the Kentucky one mentioned above, often use third parties and/or insurance companies to handle payment of ransomware, which Splunk security adviser Ryan Kovar said could lead to companies sidestepping regulations. Dermody and Kovar both agree that paying ransoms fails to solve the problem; “Decrypting, even when 100% successful, still takes days or weeks — even months,” Kovar said.
Dermody believes that insurance companies will need to have a say in new requirements as well. “Insurance providers are actively looking for ways to mitigate risk, including through raising the cost of policies and incentivizing prevention.”
How to prepare for the future of ransomware risk management
Infrastructure and industrial companies have to face facts: Whether it’s government regulation or the aftermath of a ransomware attack, protecting OT and ICS networks is a priority now.
Preventing phishing attacks, training users to recognize threats, filtering emails, setting proper firewall rules, segmenting networks (when possible), and other cybersecurity best practices are only one part of protecting complicated OT networks.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
Don’t assume that best practices include endpoint detection and response (EDR) or endpoint protection platform (EPP) software. “We’re seeing an uptick in attacks on critical infrastructure because attacks are working. Until we recognize that EDR and EPP are going to miss attacks, we will continue to be subjected to more malware and ransomware,” said Illumio’s VP of product management, Matt Glenn. Glenn also believes that good IT infrastructure is part of good OT infrastructure, and that shoring up one involves shoring up the other.
Quoting Louis Pasteur, Geyer makes the rest of the process pretty cut-and dry: “Fortune favors the prepared mind.”
The “three lines of defense” model of cybersecurity popular in IT environments is perfectly suited to adaptation in OT and ICS, Geyer said. For those unfamiliar with the model, it puts owners and managers of risk (IT, cybersec teams, etc.) at the first line. Second comes risk and compliance groups that oversee and monitor first-line teams. Last comes internal audits, and it’s here where minds get prepared.
Get leaders together around a table, Geyer recommends, and run low-cost tabletop exercises where everyone with a stake in a security incident gets to model their response. “Real-time exercises like these show how decision makers think, how the process works, and how the organization as a whole will respond,” he said.
Exercises like these are also a key way of creating visibility on networks. Sachin Shah, CTO of OT and Armis, uses protecting a house against burglary to explain this important step in network enumeration: “[I would] walk around the house and check to see if all my windows and doors are closed, locked or possibly broken. Once I have done that, at least I know what my risk is. I might need to install better locks or some more floodlights, but I know where I stand.”
It’s also important, Geyer said, for organizations to know where their technical safeguards should be focused. “Ransomware goes after Windows systems, so know where they are in your environment and how they are vulnerable, then take steps to remediate the risk with updates and security patches.
Organizations that take these steps with a mindset toward growth, learning and improvement will ultimately have “a well-informed understanding of their vulnerabilities, including a realistic understanding that people are going to make mistakes,” said Dermody. “It’s important to understand, and discuss in advance, how you would respond in such a crisis. When servers are locking up around you is not when you should be deciding for the first time whether you are okay with paying a ransom,” he said.
OT, ICS and critical infrastructure networks can be huge, and it’s easy for people to be paralyzed into inaction, Geyer said. Paralysis is the worst possible state for businesses to find themselves in when faced with ransomware.
Whether it happens now or in the next several years, the ransomware risk management calculus is changing. While it may be more cost effective to pay a ransom in 2021, the onus will soon be on business leaders and boards to prevent a ransomware attack from ever happening. Organizations that want to prepare for the future would do well to deal with the headaches of prevention before recovery becomes an even larger burden.