Building coping mechanisms to deal with ransomware attacks across critical infrastructure sectors

Critical infrastructure sites have in recent weeks and months emerged as hotbeds for ransomware attacks. Adversaries have targeted hospitals, a rail company, a shipping port, a mining site, a mail delivery service, and government agencies, making such devastating attacks the rule rather than the exception. To deal with this rising and dangerous trend, organizations across critical infrastructure sectors must increase coordination with allies, develop and share appropriate cybersecurity standards, identify and address vulnerabilities at these sites, and develop federal strategies for deterrence options against cyber threats.

Access to critical services such as electricity, water, Internet connectivity, heating, transportation and financial services is essential, and these services are typically identified as critical infrastructure sectors. Their criticality makes them juicy targets for cyber adversaries, who can, and do, disrupt infrastructure with little more than an Internet connection.

Data released by cybercrime threat intelligence firm KELA disclosed that in 2022, almost 2800 victims of ransomware and extortion attacks were claimed by hackers across various platforms. The victims were listed on approximately 60 different platforms, with about 52 percent of these sources emerging in 2022 alone. The average ransom demand was around US$3.7 million, based on negotiations observed by KELA.

Last year, KELA said that it became even more difficult to distinguish between groups that actually use ransomware and those that just mimic their methods without actually using encryption malware. The top five attackers tracked by KELA, LockBit, Alphv, Conti, Black Basta, and Hive, were responsible for more than 50 percent of all victims in 2022 through ransomware and extortion attacks. The US accounted for 40 percent of the attacks, while the UK, Germany, Canada and France each recorded between 4 and 6 percent of overall victims.

KELA data also revealed that the manufacturing and industrial sectors suffered the most attacks, followed closely by the professional services sector in 2022. The technology, engineering, and consulting sector, as well as the healthcare and life sciences sector, had a similar number of victims. 

“For cybersecurity, it’s not a matter of ‘if.’ It’s ‘when,’” Professor Brett Tucker, technical manager of cyber risk at the Software Engineering Institute (SEI) at Carnegie Mellon University, and an adjunct professor at Heinz College, said in a recent publication focusing on the immediate need for the building of critical infrastructure protection and resilience. “You can imagine that the tactics, the techniques, what our adversaries are using, are going to be effective some of the time. And to be honest with you, they don’t have to operate to the same moral values or standards as we do.”

Mike Rogers, chairman of the board of trustees for MITRE, and Keoki Jackson, a senior vice president and general manager at MITRE National Security Sector, wrote in an opinion for The Hill that the U.S. has made great strides in detecting cyber threats, but it has not made significant progress in deterring hostile cyber actors. The national security professionals propose a couple of recommendations to jumpstart and operationalize a ‘whole-of-nation’ approach. These include updating and empowering the defense industrial base, empowering allies and partners through collaboration, and defending the homeland against cyber threats.

Industrial Cyber interviewed professionals to elucidate the struggles OT (operational technology) systems go through when dealing with the worsening ransomware threats and cyberattacks in essential infrastructure sectors and OT networks.

Joyce Hunter, executive director at the Institute for Critical Infrastructure Technology

The main challenges that OT infrastructure faces with respect to evolving ‘disruptionware’ attacks come in the forms of criticality, age, and culture, Joyce Hunter, executive director at the Institute for Critical Infrastructure Technology (ICIT), told Industrial Cyber. “OT systems are expensive and many lack redundancy. These systems are mission-critical but if they are disrupted through attacks like ransomware, they cannot be taken offline or replaced with a backup. In some cases, code has been internally developed specifically for the systems and if wiped, it cannot be easily replaced,” she added.  

Hunter also highlighted that many OT systems were built on legacy technologies that either were not designed with security throughout the developmental lifecycle or were not designed with foresight toward the advent of IT-OT convergence and the internet of things. “Finally, an often under-discussed challenge in OT security is the false hope that they can be secured through isolation. Nearly two decades ago, attackers proved the ease at which malware can cross an air-gap. Now with management terminals, user GUIs, poisoned updates, IoT, and IT-OT convergence, OT infrastructure protected ‘by isolation’ is equivalent to unprotected,” she added.

Mohammed Saad, senior director of sales for Honeywell OT Cybersecurity

OT environments, such as those used in critical infrastructure sectors, are increasingly at risk for ransomware attacks. This is due to several key challenges that these environments face, Mohammed Saad, senior director of sales for Honeywell OT Cybersecurity, told Industrial Cyber. “One major challenge is the prevalence of legacy systems,” according to Saad. “Many OT systems are older and may not have the same security features or capabilities as newer systems. This makes them more vulnerable to attacks. Additionally, OT environments often have limited resources for security in terms of personnel and budget. This makes it difficult to keep up with the latest threats and implement robust security measures.”

Saad also pointed to the interdependency of systems and processes in OT environments as another challenge. “The failure of one system or component can have cascading effects on other systems and processes, making them even more vulnerable to attacks. Finally, ransomware attacks on OT systems can have a significant impact on the operations and availability of critical infrastructure, with possible consequences for public safety, national security, and the economy,” he added.

Willi Nelson, CISO for operational technologies at Fortinet, told Industrial Cyber that ransomware attacks against OT are increasing, spurred on by the convergence of IT and OT networks and the accessibility of attack kits available on the dark web. 

Willi Nelson, CISO for operational technologies at Fortinet

“Over the last two years, the range of targets that represent operational technology and critical infrastructure has grown,” Nelson said. “Some attacks have even been able to target OT systems by gaining access via compromised home networks and devices of remote workers. If we look at the state of security, the attack surface is absolutely expanding, and malware is being created to take advantage of that fact. We’re also seeing a shift to advanced persistent cybercrime because cybercriminals are becoming more skillful and resourceful. And then there’s also the connectivity problem.” 

Nelson added that the attack surface goes from the core to the edge, to space, literally, with low earth orbit satellites. “We have a connected, integrated attack surface now, and cybercriminals are looking at how they can hit these targets.”

Analyzing the critical factors that have caused critical infrastructure sectors and OT environments to become tempting ransomware targets for hackers and state-sponsored hackers, ICIT’s Hunter said that OT infrastructure is often specific to the sector, organization, and purpose. 

“It is expensive and in some instances, it relies on custom-built hardware or code. Most of the time, it’s mission-critical, and successful disruptive attacks cripple the organization,” Hunter said. “Victims are less likely to have implemented adequate security controls and defenses and are more likely to pay the ransom in the hopes of regaining the system and stymieing their losses. Every minute of downtime can be measured in terms of lost revenue, productivity, and future delays against the often proportionally lesser ransom.”

Hunter also said it is understandable why victims convince themselves to pay (though neither recommended nor condoned) and because they continue to pay, attackers continue to target OT infrastructure. 

Saad said that several critical factors have led to critical infrastructure sectors and OT environments emerging as tempting ransomware targets for hackers and state-sponsored hackers.

“One major factor is the prevalence of legacy systems and limited resources for security in these environments. As mentioned previously, many OT systems are older and may not have the same security features or capabilities as newer systems,” according to Saad. “Additionally, these environments often have limited resources for security in terms of personnel and budget. This makes it difficult to keep up with the latest threats and implement robust security measures.”

Another major factor is the limited visibility and lack of security in many OT systems, Saad pointed out. “These systems may not have been designed with security in mind and lacked the visibility and monitoring capabilities needed to detect and respond to cyber threats. The rise of connected and Internet-enabled OT systems has also greatly increased their attack surface. Remote access and control of these systems can be targeted by attackers, and if not properly secured, can be leveraged to launch attacks on the networks.”

Finally, Saad identified that the high business impact of ransomware attacks on OT systems in critical infrastructure sectors can make them a tempting target for hackers and state-sponsored hackers. “Ransomware attacks on these systems can have a significant impact on the operations and availability of critical infrastructure, with possible consequences for public safety, national security, and the economy,” he added.

“As more OT systems interact with IT systems, and therefore the internet, this IT/OT network convergence increases the level of risk,” Nelson said. “Although IT solutions can add unique value when integrated with OT operations, the main issue with IT/OT network convergence is that when OT controls for physical equipment are connected to broader IT computer networks and the internet, malware, and cyberattacks can penetrate industrial organizations in new ways that OT technology and security teams have not had to face before.” 

He also pointed out that the loss of the ‘air gap’ between IT and OT expands the attack surface and increases the number of breaches. “One thing that’s common across all the subsectors of operational technology is the dependence on legacy hardware and software that can be decades old and more easily compromised,” Nelson added.

With phishing, malware, and ransomware attacks on the rise and recovery from such intrusions time-consuming, the experts outline the measures that critical infrastructure sectors and OT infrastructure must immediately put into place. They also dig into the steps that these environments must deploy to prevent the spread of ransomware from the IT network into the OT environments. While network segmentation and software updates are always advisable for these organizations, it is also important to adopt encryption for both email traffic and network traffic.

Hunter said that the ICIT has recommended a shift towards zero trust and least privilege since at least 2017; those strategies remain strong recommendations, though the threat landscape has evolved even further. “Sophisticated anti-malware and identity and behavior management technologies from reputable and reliable vendors that detect anomalous activity before attackers laterally move or execute code are the strongest modern recommendation,” she added.

However, Hunter also warns against investing in a solution just because it piggybacks off of industry buzzwords like ‘artificial intelligence’ or ‘machine learning.’ “Money spent on silver-bullet solutions or panacea software could be better allocated to comprehensive and robust security controls that secure against risk and limit access and privilege at each layer and device on the network,” she added.

Honeywell’s Saad said that with phishing, malware, and ransomware attacks on the rise, recovery from such intrusions is time-consuming. “It is easy for the IT environment to implement robust email security, including advanced anti-phishing and anti-malware technologies, as well as employee training on how to identify and avoid phishing attempts. But all this is not easy to be deployed in an OT environment due to the proprietary nature of the control systems and limitations,” he added.

“But the most important measure is to implement network segmentation, which can limit the spread of malware and ransomware within the network,” Saad said. “By separating the IT and OT networks, organizations can limit the potential damage of a successful attack and reduce the risk of malware or ransomware spreading from the IT network into the OT environment.”

Saad also suggested that implementing intrusion detection and prevention systems can help detect and prevent malware and ransomware attacks. Regularly conducting vulnerability assessments and penetration testing can also help identify vulnerabilities in the network that could be exploited by attackers.

“Finally, it is important to have a robust incident response plan in place and to train employees on how to respond in the event of an attack. This can help to minimize the damage of an attack and speed up recovery,” according to Saad.

In addition to these measures, Saad called upon organizations to consider implementing security frameworks such as the NIST Cybersecurity Framework (NCSF) or the International Organization for Standardization (ISO) 27001. These frameworks provide a structured approach to security management and can help organizations identify and mitigate risks, protect against attacks, and respond effectively in the event of an incident.

Nelson said that being proactive is key. “The costs of security readiness and the upfront cost of investing in security and proactive incident response planning is much less than the damage that occurs as the result of a breach. In enterprise environments, the average cost of a data breach is more than $4 million, but in OT, that number can get much higher because we start talking about manufacturing and supply chain concerns that could affect millions,” he added. 

Cybercriminals are focused on trying to evade security, detection, intelligence, and controls using extremely clever malware that includes a lot of heavy obfuscation, according to Fortinet’s Nelson. “These types of sophisticated ransomware and payloads are targeting and affecting OT environments. The only way that you can prevent that proactively is through behavioral-based detection with up-to-date, real-time threat intelligence.” 

Nelson also added that cybercriminals are increasingly spending their time on reconnaissance, finding ways to weaponize new technologies and evade controls. “So, OT organizations need behavioral-based counter action that includes artificial intelligence and machine learning.”

The security experts listed techniques and procedures that critical infrastructure sectors and OT environments must adopt to build a risk-based response as ransomware attacks become inevitable. 

“Organizations must do more to understand Information Security as more than IT or cyber. Information Security secures the people, processes, and technology against risks that are calculated through a comprehensive and continuous risk management lifecycle,” Hunter said. “The cycle doesn’t end just because a vendor solution is purchased, a control is implemented, or a compliance threshold is met. Lessons from previous iterations are incorporated, culture is improved and training is updated to reflect evolutions in the threat landscape, and the focus is proactive instead of reactive.” 

Hunter added that technologies, threats, and systems will continue to evolve in their sophistication, complexity, and integration; but only threats are expected to decrease in their ease of access, capability threshold, and resource allocation. “It behooves organizations to design their systems with security throughout the development lifecycle and design their governance with a fierce proactive mindset.”

Saad said that to safeguard against ransomware threats and attacks, critical infrastructure sectors and OT environments must adopt a comprehensive approach that begins with the formation of an IT/OT organization reporting to the CISO or CIO. “This organization acts as the bridge between IT and OT teams and develops a cybersecurity program that is tailored to the unique needs of OT environments.” 

The program should standardize technology and security strategies across the company and should, at a minimum, include regularly updating software and firmware on all devices to the latest approved patches and implementing security best practices such as network segmentation, intrusion detection, and regular backups, according to Saad. He also recommends conducting regular cybersecurity risk assessments and penetration testing, establishing incident response plans and regular training, implementing robust access control measures, monitoring the latest ransomware threats and adapting security measures accordingly, and implementing security frameworks.

“Network segmentation is a vital component of this approach as it can limit the damage caused by a successful attack and prevent malware or ransomware from spreading from the IT network to the OT environment,” according to Saad. “Additionally, implementing a secure media exchange method to manage media access and USBs and training employees on identifying and avoiding phishing attempts can also aid in protecting against these types of attacks. By implementing these best practices, critical infrastructure sectors and OT environments can significantly reduce the risk of a ransomware attack and minimize the impact if one occurs,” he added.

Nelson said that next-generation firewalls (NGFW) can be a good solution as organizations figure out how to stop ransomware attacks. “NGFWs scan the traffic coming from both sides, examining it for malware and other threats. In this way, an NGFW can ascertain where a file came from, where it is headed, and other information about how it traveled and then use Threat Intelligence to know whether it is likely to contain ransomware,” he added.

“Another effective way to minimize the risk of internet-connected devices is by employing a zero-trust access model that verifies users and devices before every application session,” according to Nelson. “Zero Trust Access, or ZTA, confirms that users and devices meet the organization’s policy to access that application and dramatically improves the organization’s overall risk posture. Organizations can also leverage micro-segmentation in their networks to minimize and mitigate security threats before they spread broadly.” 

By segmenting and isolating the attack surface into specific control zones, and controlling what data flows across those zones through defined conduits, businesses can proactively address the growing threat to the IT or OT environment in a contained manner. This limits any attack to a small subset of the business and prevents east-west traffic, minimizing the chance for a bad actor’s lateral movement through the network, Nelson concluded.
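The zone-and-conduit segmentation that Saad and Nelson describe above can be expressed as a checkable policy: every cross-zone flow must match an explicitly defined conduit, and anything else is a violation worth alerting on. The following checker is an added example, not code from the article, ICIT, Honeywell or Fortinet; the zone CIDRs, conduits and flow records are constructed placeholders.

```python
"""Zone/conduit flow checker: flags traffic that crosses a zone boundary
without an explicitly defined conduit (default-deny for east-west traffic)."""
import ipaddress

# Constructed zones: placeholder CIDRs, not any real site's addressing.
ZONES = {
    "it_enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "ot_control":    ipaddress.ip_network("10.30.0.0/24"),
}

# Conduits: the only cross-zone flows permitted (src zone, dst zone, proto, dst port).
# Any flow crossing a zone boundary that is not listed here is denied by default.
CONDUITS = {
    ("it_enterprise", "ot_dmz", "tcp", 443),   # enterprise users -> DMZ jump host / historian
    ("ot_dmz", "ot_control", "tcp", 502),      # DMZ proxy -> controllers over Modbus/TCP
}

def zone_of(addr: str):
    """Map an address to its zone name, or None if it lies in no defined zone."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def evaluate(src: str, dst: str, proto: str, dport: int):
    """Decide whether one flow is allowed under the zone/conduit policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        # Intra-zone traffic passes here; micro-segmentation would refine this further.
        return "allow", f"intra-zone ({src_zone})"
    if (src_zone, dst_zone, proto, dport) in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone} {proto}/{dport}"
    return "deny", f"no conduit {src_zone}->{dst_zone} {proto}/{dport}"

# Constructed flow records in a simple "src dst proto dport" form, standing in
# for what a firewall or flow collector would export.
SAMPLE_FLOWS = """\
10.10.5.23 10.20.0.10 tcp 443
10.20.0.10 10.30.0.51 tcp 502
10.10.5.23 10.30.0.51 tcp 502
10.10.7.9 10.30.0.52 tcp 3389
10.30.0.51 10.30.0.52 tcp 44818
"""

def audit(flow_text: str):
    """Return the flows that violate the policy, each paired with the reason."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        verdict, reason = evaluate(src, dst, proto, int(dport))
        if verdict == "deny":
            violations.append((line, reason))
    return violations

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow}: {reason}")
```

Run over the sample, the two enterprise-to-control flows are reported because they bypass the DMZ conduit, while the Modbus flow from the DMZ proxy and the intra-zone controller traffic pass.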
