In the span of a year, ransomware has shifted from being a concern primarily discussed among security professionals to a much broader problem, capturing the attention of both policymakers and the public. With ransomware attacks up 62% in the last year, it’s easy to see why conversations around critical infrastructure and global business are now dominated by how to manage the threat of these attacks, which lately seem to be more about causing disruption than collecting the ransom itself.
The latest ransomware attacks are particularly concerning because they hit on the intersection of IT security and physical safety: when Operational Technology (OT) is impacted, the real life implications can be devastating. To avoid the worst – lateral movement from IT to OT systems – most organizations opt to halt production as a precautionary measure, even when only the IT side of the business has suffered a breach. In the short term, this can result in disruption of operations and in the longer term, significant monetary loss.
Far from sensationalizing this type of criminal activity, our response should be to return to the basics of cybersecurity. This requires a converged IT-OT security strategy that can prevent attackers from moving laterally across the environment, thus limiting damage and protecting valuable assets. Building a solid foundation of hardened systems might seem less exciting than deploying new, shiny tools, but it can go a long way to minimize risk and create a barrier against the threat of ransomware.
Here are a few things to consider:
Visibility: Increased connectivity of control systems requires that we expand the notion of visibility. A complete and up-to-date inventory of all the devices in your environment is the most basic starting point for securing them.
Manage administrator access: Limiting the number of administrators on the network decreases the likelihood that an attacker will gain access to a full system or dataset via phishing. We saw this happen with the Petya/NotPetya attacks a few years ago and again in recent events. Consider restricting who has local admin rights to limit potential attack vectors.
Secure configuration: Once you know what’s in your environment, you can work to make sure everything is configured securely at the onset. A misconfiguration in your environment is like leaving the front door unlocked for an attacker. Finding and addressing misconfigurations can dramatically reduce the risk of compromise.
Managing vulnerabilities: Vulnerabilities are flaws in a system that an attacker can take advantage of to gain access or make changes. Addressing vulnerabilities in control systems may require strategies other than applying a patch, such as network segmentation.
Incident response: Planning a response before you’re in the middle of a crisis is important.
This includes determining who should be involved, what their roles should be, and how information will be communicated. It also means ensuring that you have the technical tools to understand what happened. Log data from the systems involved and change detection data can decrease incident response time.
Lastly, ongoing attacks have triggered a variety of government-level efforts to mitigate threats to critical infrastructure and create a more uniform process for how we respond to incidents. We’ve seen these initiatives take shape through the Biden Administration’s Executive Order on Cybersecurity, which reiterates the need for consistent implementation of basic controls. We’ve also seen individual industrial sectors take steps to enact legislative change, including the Department of Energy (DOE) 100 Day plan and complementary RFI to secure our national power grid, as well as the more recent Transportation Security Agency (TSA) directive to better protect pipeline owners and operators. This is an important step as we think about the long-term effects of repeated ransomware events and protecting our critical operations.
