Cyber Playbook: Ransomware and the OT Environment

April 29, 2022

Contributed By: Chris Thomas, Senior Security Consultant

Ransomware and the OT Environment: Am I Safe?

Ransomware is everywhere. It’s all over the news. It’s discussed within the cybersecurity industry at large. Unfortunately, this constant coverage is making us numb to the need to assess what our overall risks may be. This is especially worrying regarding our critical infrastructure. Do we truly believe that our industrial control systems are at risk of infection? The Colonial Pipeline incident from early 2021 showed us how vulnerable our critical infrastructure truly is. Though the ransomware never made it into the ICS network, the system was taken offline as a preventative measure, causing major disruptions to fuel supplies on the East Coast.

While this may seem like an outlier, the real results tell a different story, according to a recent white paper published by Claroty. They put out a Global State of Industrial Cybersecurity survey in 2021, and an astonishing 80% of respondents indicated that they had been victims of a ransomware attack in 2021, with 47% reporting that this had an impact on their ICS environment. Even more surprising was the fact that 60% had paid the ransom, with more than 52% paying out $500,000 USD or more.

Why should I care?

We all know that the health and safety of workers, contractors, and visitors is of the utmost importance, and ICS environments are dangerous places to work even in the best of times. Following Health & Environmental Safety, operational availability is the next most important piece of the ICS world.

If an OT system were to be compromised by a ransomware attack, it could cause loss of life, serious injury, or major damage to the environment by restricting the ability to see and monitor critical systems, leading to catastrophe.

While many in the industry point to the Colonial Pipeline breach as a milder event due to the measures taken to mitigate the potential damage, many overlook how serious a risk a ransomware attack could pose to an industrial facility. The JBS Meat Packing breach is a great example of how an industrial process with very dangerous equipment could endanger the health & safety of the workers on-site if the ICS equipment is compromised.

What are the trends?

The Cybersecurity & Infrastructure Security Agency (CISA) recently released a joint alert along with cybersecurity authorities from the United States, Australia, and the United Kingdom that shows a concerning global trend in 2021 surrounding the use of ransomware in targeted attacks on critical infrastructure. The alert also indicated a rise in ransomware attacks with growing technological sophistication from threat actors.

The report provides further details on behaviours and trends in 2021, including:

  • Gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploiting vulnerabilities.
  • Using cybercriminal services-for-hire.
  • Sharing victim information.
  • Shifting away from “big-game” hunting in the United States.
  • Diversifying approaches to extorting money.

Ransomware groups have increased their impact by:

  • Targeting the cloud.
  • Targeting managed service providers.
  • Attacking industrial processes.
  • Attacking the software supply chain.
  • Targeting organizations on holidays and weekends.

What can I do?

Immediate actions you can take now to protect against ransomware:

  • Update your operating system and software.
  • Implement user training and phishing exercises to raise awareness about the risk of suspicious links and attachments.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
  • Perform validation testing.
  • Use multi-factor authentication (MFA).
  • Perform a Ransomware Preparedness assessment using tools such as the Cyber Security Evaluation Tool (CSET) which is available from CISA.

The aforementioned alert also covers best practices for responding to ransomware attacks, including reporting any incident to the relevant authorities and submitting an incident to CISA for tracking and review.

For more information, see the full alert here:

https://www.cisa.gov/uscert/ncas/current-activity/2022/02/09/2021-trends-show-increased-globalized-threat-ransomware

For more information on ransomware, see the CISA website https://www.cisa.gov/stopransomware where you can also access the Ransomware Readiness Self-Assessment.

The newly combined Herjavec Group and Fishtech Group team is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the Cyber Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of our experts will provide advice and insights based on their extensive experience in the infosec industry. Feel free to connect with us about topics and questions you would like to see covered.

