NIST cybersecurity framework prescribes ransomware risk management across ICS, OT environments


The National Institute of Standards and Technology (NIST) has released Draft NISTIR 8374 that prescribes a cybersecurity framework profile to cover ransomware risk management across organizations and operators of industrial control systems (ICS) or operational technologies (OT) environments. 

The ransomware profile is aimed at two groups of organizations: those that have already adopted the NIST Cybersecurity Framework to identify, assess, and manage cybersecurity risk and want to improve their risk posture against ransomware, and those not yet familiar with the framework that need to implement a risk management approach to meet the ransomware threat.

The purpose of the ransomware profile is “to help organizations identify and prioritize opportunities for improving their security and resilience against ransomware attacks.” It aligns an organization’s ransomware prevention and mitigation requirements, objectives, risk appetite, and resources with the elements of the NIST Cybersecurity Framework.

For each subcategory, the profile lists ‘Informative References’: specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate one way of achieving the outcome associated with that subcategory. The Informative References in the cybersecurity framework are intended to be illustrative rather than exhaustive, as they are based on the cross-sector guidance most frequently referenced during the framework development process.

The profile is organized around the five Cybersecurity Framework functions. Identify covers developing an organizational understanding needed to manage cybersecurity risk to systems, people, assets, data, and capabilities. Protect covers developing and implementing appropriate safeguards to ensure the delivery of critical services. Detect covers developing and implementing appropriate activities to identify the occurrence of a cybersecurity event and enable its timely discovery.

Respond covers developing and implementing appropriate activities to take action regarding a detected cybersecurity incident, and Recover covers developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident.

With ransomware attacks rife across industries, the U.S. government has been ramping up requirements for protecting the assets and systems of its critical infrastructure sectors.

Last week, Fort Dodge, Iowa-based NEW Cooperative was targeted by the BlackMatter ransomware group. At the time, NEW Cooperative had “proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained. We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation,” according to a company statement. 

Crystal Valley, a Minnesota-based farm supply and grain marketing cooperative, also revealed last week that it had been targeted in a ransomware attack. “The attack has infected our computer systems and interrupted the daily operations of our company.” After the attack, the cooperative was unable to accept Visa, Mastercard, and Discover cards at “our cardtrols until further notice. Local cards do work,” it added.

In an update on Friday, Crystal Valley said that “No money was stolen from Crystal Valley in the cyber-attack. At this time, we are not aware of any data being used inappropriately, or that it was actually obtained by anyone, but we have determined that confidential data could have been viewed by an unauthorized person.”

Apart from the ransomware attacks on the food and agriculture sector, a cybersecurity incident was reported last month at a major U.S. port, which officials say was targeted by suspected nation-state hackers.

The Port of Houston Authority (Port Houston) said in a statement that it had “successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”

It’s unclear who was behind the breach, which appears to be part of a broader espionage campaign. When asked about the incident at a Senate hearing last week, U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said she believed a foreign government-backed hacking group was responsible. Attribution of cyberattacks “can always be complicated,” Easterly told the Senate Homeland Security and Governmental Affairs Committee. “At this point in time, I would have to get back with my colleagues, but I do think it is a nation-state actor.”

In the wake of the recent SolarWinds and Pulse Secure campaigns targeting federal networks and the Colonial Pipeline and JBS Foods intrusions targeting the U.S.’s critical infrastructure, Easterly said in her testimony to the committee that, “we are working to address our nation’s shared cybersecurity risk. We must collectively and with great urgency strengthen our nation’s cyber defenses, invest in new capabilities, and reimagine how we think about cybersecurity to recognize that all organizations are at risk and our efforts must focus on ensuring the resilience of essential services.”

“To that end, as the National Coordinator for critical infrastructure security and resilience, CISA is acting with utmost resolve to drive reduction of cyber risk across Federal networks and the National Critical Functions. Achieving the outcomes we seek will require progress in several key areas,” she added.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also updated its advisory last week to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be ‘mitigating factors’ in any related enforcement action. 

“The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks,” according to the OFAC advisory.

The advisory describes the potential sanctions risks associated with making and facilitating ransomware payments and provides contact information for relevant U.S. government agencies, including OFAC, for cases where there is reason to suspect that the actor demanding the ransom payment may be sanctioned or otherwise have a sanctions nexus.

The Treasury Department’s updated advisory, together with its sanctioning of a cryptocurrency exchange, adds complexity to the existing process for evaluating whether to pay a ransom and signals enhanced enforcement of sanctions and anti-money laundering compliance violations, particularly against financial institutions and other organizations that facilitate ransom payments, according to a JD Supra post.
