January 25, 2022 Finding and Mitigating Ransomware in OT and ICS

Ransomware can bring production to a halt and completely debilitate manufacturers. Here are three tips for detecting and mitigating threats.

By: James Carder, CSO, LogRhythm

Ransomware and related cyberattacks can severely impact organizations of all sizes and across multiple industries and sectors. The DarkSide attack on Colonial Pipeline and other examples such as attempted attacks on Florida and San Francisco water treatment plants highlight the growing need to protect control systems used to manage industrial operations.

Despite the importance of securing industrial manufacturing, many security professionals working in operational technology (OT) have limited resources and a lack of visibility within their cybersecurity program. Manufacturers are often working with legacy systems and technologies built to serve the nuts and bolts of the business that don’t make it easy to patch or implement modern security controls.  This leaves environments still using these technologies vulnerable to a myriad of threats, including malware, remote access and exploitation.

As many in the industry look to play technology catch-up, which involves integrating technologies from their non-industrial control system (ICS) environment into their ICS environment, careful attention must be paid to implementation. The ICS environment is often a sitting duck once cybercriminals gain access and can leverage software such as TeamViewer to remotely access assets from the internet, essentially granting them complete control.

A ransomware attack can bring production to a halt and completely debilitate an organization. Manufacturers have an extremely low tolerance for downtime within the production process. When Norsk Hydro, one of the world’s largest aluminum companies, was hit with a ransomware attack in 2019 that affected all 35,000 employees across 40 countries, the financial impact ended up surpassing $70 million.

Legacy industry-specific systems combined with new IoT and OT-related technologies that are improperly implemented are susceptible. Still, the good news is that manufacturers can take steps to combat this threat effectively. Here are three key tips for detecting and mitigating ransomware.

Achieve Complete Visibility and Detection

Innovations in smart manufacturing, defined as the use of IoT-enabled equipment to achieve greater visibility over the production process, have driven digital transformation in OT. The acceleration of connectivity in the Industrial Internet of Things (IIoT) coupled with the continued use of legacy technology in some cases makes securing ICSs more challenging. An outage of an ICS environment has global impacts. In the aftermath of the Colonial Pipeline ransomware attack, gas prices surged as shortages occurred along the eastern corridor of the U.S., and the attack on JBS shut down some of the largest meat processing plants in the world.

To defend against cyberthreats in the evolving OT landscape, organizations must capture, correlate, visualize and analyze system and security data to drive actionable insight in real time. The right solution will enable organizations to detect, respond and contain threats earlier in the Cyberattack Lifecycle — a process that describes how the phases of an attack build toward a threat actor’s goal.

A properly configured security monitoring solution that has full visibility into the environment with robust automated response capability will help manufactures identify malicious activity and thwart bad actors before ransomware can take hold.

Preventative measures such as securing endpoints, utilizing multi-factor authentication and practicing strong IT hygiene with routine patches and system monitoring are also important steps in stopping an attack before it can cause damage. Monitoring should include asset management and system development lifecycles so that organizations can better understand what is exposed. As organizations shift to distributed, perimeter-less work environments and the threat landscape widens, an identity and access management (IAM) framework and Zero Trust strategy can help security leaders automatically manage who has access to critical data. The executive order issued by President Biden in May mandates steps for federal agencies to take to meet authorization standards and achieve Zero Trust. Using a combination of IAM, endpoint technologies and controls, and leveraging private access, microsegmentation and least privilege, critical infrastructure organizations can achieve Zero Trust by restricting access to critical assets and ensuring the right people have access to the right resources. Following these steps will reduce the access points for attackers to penetrate and limit cyber risk to the organization.

Formulate a Plan Rooted in the Latest Research

Manufacturers should ensure the technology solutions they adopt provide visibility into the strategies of the most skilled adversaries for accurate threat detection by leveraging resources such as the MITRE ATT&CK™ Matrix. This curated repository of cybercriminal behaviors is designed to help organizations bolster and standardize their ransomware response approach. ATT&CK currently contains over 220 techniques obtained from publicly reported incidents and offensive research. It also serves as a real technical framework for categorizing current detection efforts and pinpointing holes where organizations may be blind to particular attack behaviors.

A threat-modeling system will also help security teams stay abreast of changes within the business and better understand how shifts will impact the threat model. Organizations can identify the top threats facing their organization, the likelihood and ease of specific attacks and the impact on its network security. The threat model would also identify the organization’s most critical business assets and the vulnerabilities that could be exploited in its environment. By using a threat model, security teams can ensure they have the appropriate preventative measures and security controls in place should a cybersecurity incident occur.

How to Minimize Damage If Ransomware Does Occur

The damage caused by a ransomware attack can be minimized if the malicious code is discovered early and the appropriate tools are available to mitigate an attack. Manufacturers should ensure they have automation tools integrated into their tech stack and compliance-centric server forensics such as endpoint detection response (EDR) that can continuously monitor and quickly contain a ransomware attack. Additionally, it is also critical to have a defined response plan in place that can guarantee a swift reaction in a situation where time is of the essence to curtail the severity of the incident.

When an organization falls victim to ransomware, the pressure to get back to normal business operations is enormous. The ability to do so promptly may be pivotal to the company’s ability to continue operating at all. This is especially true in OT environments.

Determining if sensitive information has been stolen after an attack is only one part of the story. Establishing how the bad actors were able to access the network and remediate the attack appropriately is critical. Additionally, it’s important to assess whether the attackers deployed a means of persistence intended to survive the ransomware cleanup and provide them with future network access.

The major ransomware events over the last few months are a marked escalation to an already significant threat for the manufacturing industry. The critical nature of manufacturing plants and global scale and impact of outages combined with the vulnerabilities and weakened security posture that currently exist make them prime targets for cybercriminals.

Companies must patch aggressively, limit privileged access and create backups. It’s also important to develop a business continuity and disaster recovery plan to maintain the integrity of your data and recover quickly without disrupting business operations. Network segmentation is another tactic proven useful when data security is at risk. By segmenting the network and critical data into compartments it’s less likely for an attacker to gain access to the entire system and allows security leaders time to halt any further attack.  Organizations should ensure their segmentation efforts carefully consider device type, threat levels, usage patterns and other profile characteristics to be most effective.

Aside from planning their response to a successful attack, organizations should keep their prevention and detection technologies under review, ensuring that they have the proper protective controls in place and visibility into what is happening across their environment. An appropriately configured security monitoring and response solution that has complete visibility into the environment could provide the opportunity to thwart bad actors before the ransomware takes hold.

James Carder brings more than 23 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. Government. At LogRhythm, he develops and maintains the company’s security governance model and risk strategies, protects the confidentiality, integrity, and availability of information assets, oversees both threat and vulnerability management as well as the security operations center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs threat research, compliance research, and strategic integrations teams.

Subscribe to Industry Today