Adopting a Counter Ransomware Initiative to address transnational threat landscape

The U.S. recently facilitated a ‘Counter Ransomware Initiative’ among over 30 countries and the European Union, with the goal of accelerating cooperation to counter ransomware that is emerging as a significant risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity. Representatives zeroed in on actions such as improving network resilience, addressing the abuse of financial mechanisms, disrupting the ransomware ecosystem, addressing safe havens for ransomware criminals, and continued diplomatic engagement in a meeting that was conducted virtually.

Countries repeatedly noted the value of cooperation among international partners to enhance the exchange of information and pointed to opportunities to automate certain information exchange, Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology, said in a briefing following the Counter Ransomware Initiative event. “Because ransomware criminals often repeat their activities, repeat their tactics and techniques, more robust and real-time communication across governments can not only enhance national capabilities to address a ransomware attack while it’s happening but can also potentially prevent an attack.”

“So the big takeaway: It takes a network to fight a network. It takes a network of countries connecting the individual elements within the country across diplomacy, law enforcement, financial regulators, and resilient (inaudible), connecting that, and then connecting globally to fight the network of ransomware actors’ infrastructure and illicit use of virtual currency,” she added.

The virtual event recognized the need for urgent action, common priorities, and complementary efforts to reduce the risk of ransomware threats and attacks. Industrial Cyber spoke to the various stakeholders in the industrial cybersecurity sector to explore the U.S. government’s Counter-Ransomware Initiative that clearly recognizes the importance of international cooperation to address the transnational threat emerging from increasing ransomware threats and attacks.

The Counter Ransomware Initiative establishes the ICS Cybersecurity Initiative, a collaborative effort between the federal government and the critical infrastructure community, leveraging Cybersecurity and Infrastructure Security Agency (CISA), Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (CESER), and the Electricity Subsector Coordinating Council (ESCC), cybersecurity expert Paul Veeneman told Industrial Cyber. One previous effort in 2019 was the Unified Initiative that established CISA’s support of ICS and critical infrastructure. But the commitment of these additional federal agencies, alongside CISA, definitely sends a strong message of support and urgency, he added.

The administration’s actions are a significant effort to improve the cyber security and resiliency of the nation’s critical infrastructure, according to Veeneman. “However, we need to recognize the undertaking involved to make these initiatives tangible. Critical infrastructure is made up of 16 sectors, some of the most vital services are energy, water, transportation, and agriculture,” he added.

He also raised that “while the measures have been put in place, and the technologies are available to provide necessary cyber security and resiliency, it is the challenge of getting all participants that make up critical infrastructure, moving in the same direction, toward similar goals and objectives, understanding that there are going to be differing perspectives, depending on the position in the supply chain, industry economics, profitability, or any number of other variables.”

The attacks continue because organizations are paying the ransomware, Dino Busalachi, CTO and co-founder at Velta Technology, told Industrial Cyber. “Disruption of Industrial Control Systems (ICS), regardless of the attack vector compromised (IT or OT) have significant cost impacts. The ransomware amount is minuscule compared to one day of unplanned & unscheduled downtime of critical infrastructure or manufacturing ICS. Shutting ICS down as a precaution to be safe due to an attack, incentivizes the victims to pay ransom in order to turn their cash registers = ICS back on,” he added.

The attackers have learned a large percentage of ICS are connected to the corporate enterprise network, according to Busalachi, while discussing some of the challenges facing the Counter Ransomware Initiative. “It’s not just that these physical outcome producing (kinetics) assets ICS are connected, but no one is watching the digital footprint. Real-time asset inventory status does not exist because the organization is not leveraging available technology’s purpose-built for OT (ICS) platforms,” he added.

However, Busalachi said that “It is hard to imagine a more foolish and dangerous way of making decisions related to the safety & security of OT (ICS) environments, than by putting those decisions solely in the hands of groups (e.g., IT & procurement), who pay no price for being wrong.”

“Critical infrastructure organizations are often considered easy targets due to their legacy systems not being designed for security, Michael Yehoshua, VP of marketing at SCADAfence told Industrial Cyber. “Until recently, the majority of the critical infrastructure sector believed the security of their manufacturing plants and enterprise IT systems were less of a priority. This meant that the typical organization would keep any security attack or event out of the public eyes which resulted in their security teams ignoring the real risks at hand.”

Yehoshua pointed out that with outdated technology and critical infrastructure mainly ignoring the security of their industrial devices, many international cybercriminal groups and nation-states are succeeding to attack the critical infrastructure sector, as they are using new techniques and tactics to exploit sensitive US facilities and critical infrastructures. “Realizing the relative ease of penetrating operational technology infrastructures, adversaries are launching daily ransomware attacks. Until these critical infrastructure organizations start hardening both their IT and OT networks, we can expect cyberattacks targeting them to continue,” he added.

Much like every other industry, critical infrastructure has recently undergone rapid digital transformation, Marty Edwards, vice president of OT Security at Tenable told Industrial Cyber. “That means the technology that powers food and agriculture, manufacturing, refineries, mining, and utilities are now connected to the internet. This also means the same bad actors that are going after our computers, phones, and tablets now have a way of reaching these mission and safety-critical environments. Organizations need to focus on ‘doing the basics well’ because a vast majority of successful attacks are a result of known but unpatched vulnerabilities,” he added.

Disrupting the ransomware ecosystem, primarily by cutting off cryptocurrency as the payment mechanism, will hopefully have a direct impact, Veeneman said. “Ransomware is a business model, and right now business is good. But that model, like any other, is only as good as the revenue. Cut off the revenue stream, impact profitability, and you have the opportunity to reduce the marketplace,” he added.

“It would be more effective to improve cyber security and choke off the supply of possible targets for bad actors. But the consistent and significant increases in ransomware incidents year over year highlight the need to address not only the supply chain but also the value chain of the ransomware business model,” according to Veeneman.

The Counter Ransomware Initiative proposed improving network resilience to prevent incidents when possible and respond when incidents do occur. In addition, it sought to address the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable, and disrupt the ransomware ecosystem using law enforcement collaboration to investigate and prosecute ransomware actors, address safe havens for ransomware criminals, and continue diplomatic engagement.

Network resilience is not step one, it falls somewhere in the middle of defensive measures, according to Velta’s Busalachi. “Visibility is number 1! Unfortunately, network segmentation is the first misstep made by IT groups and their organization. This is getting in the way of actually making measurable progress and delaying security. IT thinks they can logically separate the IT & OT and call it a day, without full understanding or knowledge of the OT architecture, networks, or operation of ICS,” he added.

On the flip side, OT does not think cybersecurity is their problem or responsibility. This thinking needs to change and the vernacular also needs to change from cybersecurity to ‘Digital Safety,’ according to Busalachi. “Safety is everyone’s responsibility and priority one in any plant. Thus, the reason for shutting ICS down is when there is an attack. No one can unequivocally determine the safe state of ICS without visibility of the digital signatures within their OT environment, because they are blind,” he added.

The Counter Ransomware Initiative and disrupting the ecosystem of ransomware attackers are clear examples that governments and the private sector are finally highlighting the different risks of industrial cybersecurity and ransomware attacks, according to SCADAfence’s Yehoshua.

“While this is a great achievement for advancing improved cybersecurity in the industrial sectors, the real defense has to come from the actual industrial organizations,” Yehoshua said. “CISOs and security teams in industrial organizations need to be more proactive and implement new security approaches that integrate robust compliance and security frameworks in place to mitigate and prevent ransomware attacks before they start,” he added.

“We need to do everything we can to make it more difficult for cybercriminals as these payouts only fuel their actions. We believe greater sanctions and an increase in government and industry cooperation can play a vital role in keeping critical infrastructure safe,” according to Edwards. “That means while the government responds with sanctions, prosecution, and other deterrence measures, it’s also down to the private sector to secure its systems properly. This means identifying all connected assets, maintaining systems, using multi-factor authentication, limiting user privileges, and understanding where you are most exposed,” he added.

The Counter Ransomware Initiative was the first time that delegations brought together experts that usually operate in parallel channels, like law enforcement, cyber resilience, diplomacy, financial regulators. On the cybersecurity front, the NIST Cybersecurity Framework is working with the industry to improve current and emerging standards, practices, and technical approaches to address ransomware.

Veeneman said that NIST is going to be in the best position to orchestrate the improvement of current standards, practices, and guidance to mitigate and repel ransomware attacks.

“NIST has a vast collection of standards documentation, including the NIST Cybersecurity Framework (CSF), as well as the NIST SP 800-53,” according to Veeneman. “We are certainly not at a loss for opportunity when it comes to standards and process guidance and documentation. The challenge has always been the implementation of cyber security programs, weaving cyber resiliency and risk management into the fabric of organizational operations and business practices. When looking to disrupt ransomware on a global scale, coalition and cooperation of nations throughout the world is certainly the best place to start,” he added.

Busalachi questions if the NIST is working with the industry, then who are they talking to? “If the client is following NIST lead, the very first thing they would be doing is gaining visibility into the OT environment (asset inventory both hardware & software, device relationships, industrial application protocols, networks, CVE’s, etc…) ISA-95 Purdue Model level 3 to 0. Mapping out their environment, before jumping into network segmentation is like putting the cart in front of the horse,” he added.

Yehoshua pointed that too many industrial organizations believe security and compliance should be a ‘set and forget’ mentality. “This is the wrong approach to take when implementing different security policies in place. Adopting risk reduction best practices and recommended industry compliance regulations allows industrial organizations to improve their security against ransomware attacks,” he added.

The NIST Cybersecurity Framework is not a one-size-fits-all solution for managing cyber security risk as every organization has different network architectures, different threats, levels of severity, and needs, according to SCADAfence’s Yehoshua. “NIST CSF profiles and tiers can be the answer for the different industrial sectors where the profiles determine which strategies are essential to protecting their critical infrastructure,” he added.

“Cybercriminal gangs can operate from anywhere in the world,” Edwards said. “Therefore, greater emphasis on international collaboration, assessment of risk, and collaborative incident response capabilities to tackle the ever-evolving threats can go a long way in bolstering the ability of industry and governments to prevent the most advanced attacks. It’s equally critical that security requirements are grounded in consensus-based international standards to ensure alignment with global best practices,” he added.

The NIST Cybersecurity Framework is an excellent model, which also references international, industrial control systems security standards such as ISA/IEC 62443, and is therefore applicable for industrial and manufacturing organizations, Edwards said.

The Counter Ransomware Initiative uses various efforts to improve national resilience to experiences that address the misuse of virtual currency to launder ransom payments. However, the effect of the efforts made by these countries could turn out to be limiting, as Russia and China are not part of the initiative, which have repeatedly hosted cybersecurity incidents on U.S. infrastructure and networks.

A senior administration official said the U.S. has engaged directly with Russia on the issue of ransomware, as part of the US-Kremlin Experts Group, which is led by the White House and established by U.S. President Joe Biden and Russian President Vladimir Putin. The official said discussions with Russia are ongoing, the U.S. has shared information on specific criminal actors within Russia, and that the country has taken initial steps to address the issues being raised. On China, a National Security Council spokesperson told The Record earlier this month that China was not invited to the Counter Ransomware Initiative.

“Geopolitical policy considerations, diplomacy, and communication are the first steps in bringing Russia and China to the table,” Veeneman said. “However, regardless of Russia and China’s support or involvement, the primary objective has to be shoring up cyber defense and resilience against ransomware, as the process for criminal prosecution of ransomware gangs on foreign soil is not without its hurdles,” he added.

Nation-states are in on the fight, Busalachi said. “There will be no comprising until there is a clear winner, and China and Russia at the moment do not believe they are losing,” he added.

“While it would be helpful if all global governments agreed to crack down on cybercriminal gangs, it is vitally important for critical infrastructure organizations to adopt risk management frameworks to harden their systems against the likelihood of attacks,” Edwards concluded.