The Cybersecurity and Infrastructure Security Agency (CISA) has released guidelines for critical infrastructure owners and operators to review their operational technology (OT) assets and control systems, in direct response to the recent increase in ransomware attacks. Given the importance of critical infrastructure to national security, and of the people and processes that depend on it, the U.S. security agency aims to help organizations build effective resilience to these cyberattacks.
The guidance, released on Wednesday, provides steps to prepare for, mitigate against, and respond to attacks. It offers details on how the dependencies between an entity’s IT and OT systems can provide a path for attackers, and explains how to reduce the risk of severe business degradation if affected by ransomware.
In a fact sheet released along with the guidance, the security agency highlighted that organizations are at risk of being targeted by ransomware and have an urgent responsibility to protect against ransomware threats.
Critical infrastructure asset owners and operators should adopt a heightened state of awareness and voluntarily implement the recommendations, such as identifying critical processes that must continue uninterrupted in order to provide essential services, and developing and regularly testing workarounds or manual controls to ensure that critical processes and the industrial control system (ICS) networks supporting them can be isolated and continue operating without access to IT networks if needed.
CISA also asked critical infrastructure owners and operators to implement network segmentation between IT and OT networks, and to ensure that backup procedures are implemented and regularly tested and that the backups are isolated from network connections. These steps will help critical infrastructure owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if affected by ransomware.
To defend against potential future threats and prevent severe functional degradation if the organization falls victim to a ransomware attack, CISA suggests that critical infrastructure organizations practice good cyber hygiene. A significant majority of ransomware attacks exploit known vulnerabilities and common security weaknesses, and can be mitigated by updating software, including operating systems, applications, and firmware on IT network assets, in a timely manner, and by implementing application allowlisting.
The security agency urges critical infrastructure owners and operators to ensure user and process accounts are limited through account use policies, user account control, and privileged account management. It also recommends requiring multi-factor authentication (MFA) for access to IT and OT networks, enabling strong spam filters to prevent phishing emails from reaching end users, and implementing and ensuring network segmentation between IT and OT networks.
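The IT/OT segmentation recommendation above is easiest to act on when it is checked mechanically against the rule set that actually enforces it. The following is an added example, not part of the CISA guidance or fact sheet: it audits a constructed list of firewall rules for any allow rule that lets an IT source reach an OT destination, exempting only a single hardened jump host. The address ranges, rule format and jump-host exception are assumptions for illustration.

```python
"""Audit a firewall rule set for IT-to-OT paths that violate a segmentation policy.

Added example, not from the CISA guidance: the rule format, address plan and the
single jump-host exception are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan (assumption): one IT range, one OT range, and a
# single hardened jump host that is the only permitted IT-to-OT path.
IT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETWORKS = [ipaddress.ip_network("192.168.100.0/24")]
JUMP_HOSTS = [ipaddress.ip_address("10.10.5.10")]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR, e.g. "10.10.0.0/16" or "0.0.0.0/0" for any
    dst: str     # CIDR
    port: str    # "any" or a TCP/UDP port number as a string
    action: str  # "allow" or "deny"


def _overlaps_any(cidr, networks):
    """True if the rule's CIDR touches any network in the list ("any" sources count)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(n) for n in networks)


def _is_jump_host(cidr):
    """Only a single-host CIDR that names an approved jump host qualifies for the exception."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses == 1 and net.network_address in JUMP_HOSTS


def find_violations(rules):
    """Return the names of allow rules that let IT sources reach OT destinations
    from anything other than the jump host. Each rule is judged on its own: a later
    deny does not excuse an earlier allow, since every permissive path should be reviewed."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        if (_overlaps_any(r.src, IT_NETWORKS)
                and _overlaps_any(r.dst, OT_NETWORKS)
                and not _is_jump_host(r.src)):
            violations.append(r.name)
    return violations


# Constructed sample rule set (assumption) mixing compliant and non-compliant entries.
SAMPLE_RULES = [
    Rule("jump-to-hmi", "10.10.5.10/32", "192.168.100.0/24", "3389", "allow"),
    Rule("it-any-to-ot", "10.10.0.0/16", "192.168.100.0/24", "any", "allow"),
    Rule("workstation-to-plc", "10.10.20.44/32", "192.168.100.7/32", "502", "allow"),
    Rule("ot-internal", "192.168.100.0/24", "192.168.100.0/24", "any", "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_RULES):
        print(f"segmentation violation: {name}")
```

Running the sample flags `it-any-to-ot` and `workstation-to-plc` while leaving the jump-host rule and OT-internal traffic alone; in practice the rule list would be exported from the firewall and the address plan kept alongside the organization's asset inventory.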
CISA also provided critical infrastructure owners and operators with recommendations in case their organization becomes a victim of ransomware. It advised users to determine which systems were impacted and immediately isolate them. Subsequently, if and only if organizations are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection. Following this, it directed triage of the impacted systems for restoration and recovery.
In addition, organizations must confer with their team to develop and document an initial understanding of what has occurred based on initial analysis. Thereafter, engage the internal and external teams and stakeholders with an understanding of what they can provide to help mitigate, respond to, and recover from the incident, and consider requesting assistance from a third-party incident response provider or CISA.
If no initial mitigation actions appear possible, CISA recommends that the organization take a system image and memory capture of a sample of affected devices. Additionally, collect any relevant logs as well as samples of any ‘precursor’ malware binaries and associated observables or indicators of compromise. They must take care to preserve evidence that is highly volatile in nature, or limited in retention, to prevent loss or tampering. Following this, they must consult federal law enforcement regarding possible decryptors available, as security researchers have already broken the encryption algorithms for some ransomware variants.
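Preserving evidence "to prevent loss or tampering" means recording what was collected and proving later that it has not changed. The following is an added example, not part of the CISA guidance: it hashes a set of collected artifacts into a JSON manifest at acquisition time and re-verifies them afterwards, so any post-collection modification of an image, log or binary sample is detected. The artifact names, contents, case identifier and the file-extension heuristic for "volatile" items are constructed placeholders.

```python
"""Build and verify an integrity manifest for collected ransomware-incident evidence.

Added example, not part of the CISA guidance: the artifact names and contents below
are constructed placeholders standing in for memory captures, disk images, logs and
suspicious binaries collected from an affected host.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large disk and memory images are hashed without loading them fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Record each artifact's hash, size and acquisition time. 'volatile' (assumed
    extension heuristic) marks items that cannot be re-acquired and should be hashed first."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        entries.append({
            "artifact": name,
            "sha256": sha256_file(path),
            "size_bytes": os.path.getsize(path),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "volatile": name.endswith((".mem", ".evtx", ".log")),
        })
    return {"case_id": case_id, "collector": collector, "artifacts": entries}


def verify_manifest(evidence_dir, manifest):
    """Re-hash every artifact; return the names whose hash no longer matches or that are missing."""
    mismatched = []
    for e in manifest["artifacts"]:
        path = os.path.join(evidence_dir, e["artifact"])
        if not os.path.isfile(path) or sha256_file(path) != e["sha256"]:
            mismatched.append(e["artifact"])
    return mismatched


def demo():
    """Constructed end-to-end run: collect, manifest, then detect a post-collection change."""
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed stand-ins, not real evidence
            "host01.mem": b"\x00" * 4096,                # memory capture
            "host01-disk.img": b"MBR" + b"\x00" * 509,   # disk image
            "Security.evtx": b"constructed event log bytes",
            "precursor-sample.bin": b"constructed binary sample",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, case_id="CASE-PLACEHOLDER-001", collector="ir-analyst")
        clean = verify_manifest(d, manifest)
        # Write the manifest after hashing so it is not itself listed as an artifact.
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        # Simulate a change to one artifact after acquisition.
        with open(os.path.join(d, "Security.evtx"), "ab") as f:
            f.write(b"!")
        tampered = verify_manifest(d, manifest)
        return len(manifest["artifacts"]), clean, tampered


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} artifacts recorded; clean check: {clean}; after change: {tampered}")
```

The manifest itself should be stored separately from the evidence (and ideally signed or hashed into a case record), since a manifest kept beside the artifacts can be altered together with them.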
All ransomware incidents are federal crimes and should be reported to law enforcement to help bring these criminals to justice. Ransomware events can be reported to the FBI or the Secret Service, according to CISA.
Recent weeks and months have witnessed several ransomware threats and payouts affecting industries across sectors, disrupting operations at industrial units and within the critical infrastructure segments. Ransomware attacks have impacted operations at fuel pipeline company Colonial Pipeline, manufacturing operations at Sierra Wireless, and operations at the world’s largest food producer, JBS.
These cybersecurity incidents are also leading to massive payouts by the victims. After Colonial Pipeline was hit by DarkSide ransomware, leading to a compromise of the fuel pipeline company’s IT networks and affecting its operations, the company paid nearly US$5 million as a ransom to the attackers. Since then, the Department of Justice seized on Monday 63.7 bitcoins, currently valued at approximately $2.3 million, which Colonial Pipeline allegedly paid the DarkSide hackers.
On Wednesday, JBS USA confirmed that it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. At the time of payment, the vast majority of the company’s facilities were operational. “In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” it added.
Weighing in on whether organizations need to develop a ransomware payment policy in anticipation of a potential future attack, Kris Lovejoy, Ernst & Young’s Global Consulting Cybersecurity Leader, said that the decision to pay a ransomware demand must be taken carefully, with acknowledgement and acceptance of risks and in concert with various stakeholders. “The time to figure out the policy toward ransomware payment is not during the event.”
“It is strongly advised that organizations tabletop the incident with relevant stakeholders, pre-define the alternatives, and practice execution of the plan,” Lovejoy added in her recent insights. “This is all the more critical as it would appear ransomware attackers recognize the limitations of their business model – and are beginning to not simply encrypt data, but exfiltrate it just in case the victim decides to recover from backup,” she added.