Prevent ransomware attacks on critical infrastructure

Cybersecurity Awareness Month 2022 series

Cyber attacks on critical infrastructure can cause massive societal disruption and take a huge financial toll. These high stakes make industrial IT and OT (operational technologies) in particular attractive targets for ransomware. Applying strong cyber defenses to six critical OT domains can help prevent ransomware and other threats to power grids, pipelines, and similar critical operations.

Ransomware attacks on industrial targets continue to grow, accounting for more than half of all malware on industrial endpoints. They are also sophisticated and capable of exploiting long-unpatched vulnerabilities and, less commonly, zero-day vulnerabilities. Often the work is shared: one cybercriminal (or group) discovers vulnerabilities, another sells vulnerability lists, others sell tools to exploit different types of vulnerabilities, while another actor handles payment processing. Some ransomware attacks are now even escalating to double and triple extortion.

These developments coincide with the evolution of industrial networks from largely self-contained “walled gardens” built on proprietary, vendor-specific communication protocols to IP-based systems that increasingly leverage the corporate IP network shared by other applications. Remote monitoring, configuration, and analysis are commonplace, and automation systems and field workers are beginning to leverage cloud and edge computing. These new connections, combined with generally more connected IT and OT systems, further expand the industrial attack surface.

How to prevent ransomware attacks in the six domains

There are six key operational areas where ICS security can help prevent ransomware and other cyber threats: OT and IT Perimeter, OT Assets, OT Network, IIoT, Offline Operations, and Security Operations Centers/Computer Security Incident Response Teams (SOCs/CSIRTs). In each case, there are specific vulnerabilities to consider, and concrete steps that can be taken to address them.

1. OT and IT Perimeter — With OT and IT more interconnected than ever, vulnerabilities in one pose risks for the other. This is exacerbated in many industrial environments by the fact that different parts of the organization are responsible for different aspects of the OT and IT systems: corporate IT, site-specific IT departments, production engineering teams and more. This distributed responsibility means that no single entity sees the entire network. To remedy this, critical infrastructure operators must establish defensive boundaries between the corporate network and industrial sites and/or between office and field service areas.

2. OT Assets — The combined IT and OT environment is a “system of systems” with components that have very different lifecycles, from PCs that last an average of five years to industrial plants that are in operation for 20 years or more. This mix of new and legacy technologies means that some assets can be protected by current methods while others may not support security software or be patchable at all. Therefore, a unified approach to security is required, with case-by-case policies based on the different risks faced by specific tasks, systems, and operations.

3. OT Network — The new connectivity types and technologies entering the industrial environment (cellular and RF, cloud and edge computing) require modern security approaches such as Secure Access Service Edge (SASE). Concretely, this means focusing not only on stopping attacks, but also on identifying and containing those that infiltrate the network, with end-to-end network visibility and knowledge of the industrial processes to which they are connected. One particular area of vulnerabilities identified by Trend Micro research has to do with protocol gateways, which facilitate the exchange of information between devices and systems. These are commonly used to connect OT and IT systems and, if compromised, can bring industrial processes to a standstill. As such, network security approaches must also be adapted to accommodate these and other industrial protocols used in field networks.

4. Industrial Internet of Things — IIoT deployments are increasingly dependent on private 5G networks, which have four possible routes of penetration and three points where signals can be intercepted in the core network. The core network, in turn, can be used as a springboard to attack a production facility as a whole. All technologies associated with IIoT, including 5G connectivity, industrial clouds and IoT sensors, need to be integrated into the security approach.

5. Offline Operations — Although not all facets of industrial operations are networked, offline technologies that are occasionally connected to the network, such as removable media and maintenance terminals, can also be weak points. These must also be taken into account in any overall concept in order to prevent ransomware and secure the industrial environment.

6. SOCs/CSIRTs — SOCs and CSIRTs are part of the corporate IT team that oversees the network, including the corporate-to-site boundary. What they need is an effective, unified platform that provides end-to-end visibility across the entire OT/IT environment to identify, respond to, and contain threats.

Take the right action

The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on how to prevent ransomware attacks in ICS environments, outlining a four-step process: prepare, detect and analyze, contain and remediate, and recover. These can be further reduced to two overarching principles: reducing infection risks and minimizing post-incident impacts. Covering both requires a unified security platform with full visibility across the industrial environment.

[Figure: The CISA approach to anti-ransomware ICS]