Prevent Ransomware Attacks on Critical Infrastructure

Cybersecurity Awareness Month 2022 Series

Cyberattacks against critical infrastructure can cause massive societal disruption and take an enormous financial toll. Those high stakes make industrial IT and OT (operational technologies) appealing targets for ransomware in particular. Applying strong cyber defenses to six critical OT domains can help prevent ransomware and other threats to power grids, pipelines and similar essential operations.

Ransomware attacks on industrial targets continue to rise, accounting for more than half of all malware on industrial endpoints. They have also become highly sophisticated, able to exploit long unpatched vulnerabilities and—less commonly—zero-day vulnerabilities. Often the labor is divided: one cybercriminal (or group) discovers vulnerabilities, another sells lists of vulnerabilities, others sell tools to exploit different kinds of vulnerabilities, while some other actor handles payment processing. Some ransomware attacks now even escalate to double and triple extortions.

These developments coincide with the evolution of industrial networks from largely self-contained ‘walled gardens’ built on proprietary, vendor-specific communications protocols to IP-based systems that increasingly make use of the corporate IP network, which is shared by other applications. Remote monitoring, configuration and analytics are commonplace, with automation systems and field operations beginning to take advantage of cloud and edge computing. These new connections combined with generally more interconnected IT and OT systems continue to expand the industrial attack surface.

How to prevent ransomware attacks across the six domains

There are six key operational domains where ICS security can help prevent ransomware and other cyber threats: the OT and IT perimeter, OT assets, the OT network, IIoT, offline operations, and security operations centers/computer security incident response teams (SOCs/CSIRTs). In each case, there are specific vulnerabilities to note—and concrete steps that can be taken to address them.

1. OT and IT perimeter — Because OT and IT are more connected than ever before, vulnerabilities in one pose risks for the other. This is exacerbated in many industrial settings by the fact that different parts of the organization are responsible for different aspects of the OT and IT systems: corporate IT, site-specific IT divisions, production engineering teams, and more. That distributed responsibility means no single unit sees the entire network. To remedy this, critical infrastructure operators need to establish boundaries of defense between the corporate network and industrial sites, and/or between office and field areas.

2. OT assets — The combined IT and OT environment is a ‘system of systems’ with components that have very different lifecycles—from PCs that last five years on average to industrial equipment in service for 20 years or more. That mix of new and legacy technologies means some assets can be protected by up-to-date methods and others may not support security software or be patchable at all. As a result, what’s required is a unified security approach with case-by-case policies based on the varying risks faced by specific tasks, systems, and operations.

3. OT network — The new connectivity types and technologies entering the industrial environment—cellular and RF, cloud and edge computing—require modern security approaches like Secure Access Service Edge (SASE). Specifically, that means a focus not just on repelling attacks but also identifying and containing those that infiltrate the network, with end-to-end network visibility and knowledge of the industrial processes they’re connected to. One particular area of vulnerability identified by Trend Micro research has to do with protocol gateways, which facilitate information exchanges between devices and systems. These are commonly used to interconnect OT and IT systems and, if compromised, can grind industrial processes to a halt. Network security approaches therefore also need to be adapted to consider these and other industrial protocols used in field networks.

4. Industrial Internet of Things — IIoT deployments increasingly depend on private 5G networks, which has four possible penetration routes and three points at which signals can be intercepted in the core network. The core network, in turn, can be used as a springboard to attack a manufacturing site overall. All technologies associated with IIoT, including 5G connectivity, industrial clouds, and IoT sensors, need to be folded into the security approach.

5. Offline operations — While not every facet of industrial operations is networked, offline technologies that interface with the network such as removable media and maintenance terminals can also be points of vulnerability. These, too, must be considered in any complete scheme to prevent ransomware and secure the industrial environment.

6. SOCs/CSIRTs — SOCs and CSIRTs are part of the corporate IT team that monitors the network, including the enterprise-to-site boundary. What they need is an effective unified platform to provide end-to-end visibility across the entire OT/IT environment for threat identification, response, and containment.

Deploying the right measures

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on how to prevent ransomware attacks in ICS settings, outlining a four-stage process: preparation, detection and analysis, containment and eradication, and recovery. These can be boiled down further to a pair of overarching principles: reduce infection risks and minimize impacts after incidents. Covering that scope requires a unified security platform with full visibility across the industrial environment.

The CISA approach to anti-ransomware ICS

Read More HERE