Ransomware is evolving to challenge the OT edge – where it converges with IT, often without adequate security. Learn five best practices.

According to the 2020 Verizon breach report, ransomware accounted for 27% of malware incidents in the past 12 months.
According to the 2020 Verizon breach report, ransomware accounted for 27% of malware incidents in the past 12 months.

By Rick Peters, CISO for operational technology, North America, Fortinet

According to the 2020 Verizon breach report, ransomware accounted for 27% of malware incidents in the past 12 months. That may seem like a small percentage at face value, but the amount of havoc these incidents can cause is massive. The impact of ransomware has worsened in the past few years as attackers broaden tactics from an indiscriminate “spray and pray” methodology to also incorporate a fair balance of precise targeted attacks.

This requires a greater upfront investment in time and resources, but it’s yielded proportional dividends for cyber criminals. Last year, bad actors using ransomware focused heavily on healthcare and government agencies. Now, industrial control systems (ICS) and operational technology (OT) are increasingly a primary target. As the network perimeter continues to expand and edge-enabled environments proliferate, this problem will grow.

Expansion of the edge

In the last several years, one trend traversing industries and sectors is the expansion of the edge. Multiple edge environments have replaced the traditional network perimeter—including local-area network (LAN), wide-area network (WAN), multi-cloud, data center, remote worker, Internet of Things (IoT), mobile devices and more—each with its unique risks and vulnerabilities. Many organizations have sacrificed centralized visibility and unified controls in favor of performance and agility, giving cybercriminals a significant advantage.

The rise of ransomware

In parallel with the edge’s expansion is the evolution and increased dependence on ransomware as a means to gain target access. Last year, for instance, ransomware developers devised a new strategy in response to companies declining to pay a ransom and instead restoring compromised systems privately. Now, cybercriminals threaten to post stolen data on public servers as a kind of blackmail to achieve campaign objectives. Some have even extracted sensitive information, then used it to threaten extortion and defamation.

Ransomware and the OT edge

Greed motivates a majority of cyber attackers seeking the biggest bang for their buck. Ransomware’s ease of deployment will ensure continued proliferation. The fallout will become more significant as hyperconvergence takes hold within networks. As networks, devices, applications and workflows intersect to deliver smarter services, even the most critical processes can be affected by a breakdown anywhere in the network. As business infrastructure  increasingly converges with critical infrastructure systems, more data and cyber physical assets will be at risk.

Until proportional attention is directed at protecting OT infrastructure, cybercriminals will escalate the ransomware threat to the extent that they’re able to exploit edge and corporate connected resources. Emerging edge networks attached to vulnerable hardware and software will enable cybercriminals to deploy machine learning to exploit complex systems. A logical next step is deploying AI-enhanced malware to launch sophisticated attacks— such as targeting multiple attack vectors—and approach the compute power of larger networks. A step beyond would be coordinated and simultaneous attack vectors, such as is needed to manage a swarm-based attack.

Taking action

Historically there’s been under-investment in security for ICS or SCADA systems. This must be corrected quickly. Security best practices must be implemented, including:

  • Integrate tools that offer broad visibility into both the OT and IT networks.
  • Use automation to achieve timely analysis of suspicious internal and external behavior. Employ tools that log activity, analytics that search the logs for abnormal behaviors, and security systems that can respond to detected threat. Automation and orchestration are essential for identifying threats and taking action in seconds or less.
  • Segment your networks. Integrate gateways with strict policies between the IT and OT environments, and do the same between different levels of your OT network. The aim is to make sure that each system and subsystem is doing its job and only its job. Segmentation prevents an attack from propagating vertically or horizontally within the enterprise to realize a proactive containment strategy via zones of control.
  • Implement a zero-trust access strategy. Establish access controls that authenticate users, restrict them to only those systems they need to do their jobs and then monitor them while connected to the network. This must apply universally, but is particularly important for contractors and vendors.

Defending the edge

Ransomware deployment expanded to impact the OT edge of a converged enterprise. Multiple cybersecurity solutions based on best practices enable are available to protect your IT and OT environments from various attack types and stages of an infiltration. A best-practice recommendation is to look for an integrated suite of tools – whether software, hardware or both – particularly those that are designed for the unique challenges of OT environments.

A proactive approach to cybersecurity delivers the confidence and level of services that ensure safe and sustained operations. A comprehensive strategy achieves readiness by focusing on greater visibility, control, and intelligence driven situational awareness. Security solutions that routinely share actionable threat intelligence can achieve rapid response and achieve sustained operations without compromise of performance. That’s the sweet spot that organizations need today to defend their edge.

rick peters fortinet
Rick Peters

About the Author
Mr. Peters is the CISO for Operational Technology, North America for Fortinet Inc. delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace.  That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities. 

Immediately prior, he served as the Director Operational Technology Global Enablement for Fortinet.  In this capacity, Mr. Peters enabled OT business growth by partnering with Fortinet OT Security, Sales and Marketing counterparts.  The success realized in EMEA and APAC over two years keyed recognition and a strategic transition to focus on North America as the largest target marketspace in 2020.      

Prior to joining Fortinet, he served the U.S. Intelligence Community for more than 37 years imparting cybersecurity and global partnering experience across foreign, domestic, and commercial industry sectors at the National Security Agency (NSA). He led development of cyber capability against Endpoint, Infrastructure, and Industrial Control System technologies at the agency. 

Before that role, he partnered as an executive leader supporting the Information Assurance Directorate at the NSA.  Mr. Peters also served in a broad range of leadership and Engineering roles including Chief of Staff for the NSA Cyber Task Force and a 5-year forward liaison charged with directing integration of cyber and cryptologic solutions for U.S. Air Force Europe, Ramstein AFB, Germany.

Mr. Peters is a repeatedly published OT Security thought leader and a frequent speaker at global industry events.  He holds a BS in Electronics Engineering and an MS in Engineering Management from the Johns Hopkins University.