Growing threat of malware and ransomware attacks continues to put industrial environments at risk


Industrial environments face a growing threat from malware and ransomware attacks, posing significant risks to critical infrastructure, manufacturing facilities, and utilities. These attacks can result in costly downtime, loss of sensitive data, and even compromise the safety of employees and the surrounding community. Robust cybersecurity measures and regular employee training are essential to identify and mitigate these risks and to protect industrial systems from cyber threats.

Malware attacks in industrial environments can disrupt operations, cause equipment failures, and result in significant financial losses. Ransomware, in particular, has emerged as a significant threat, with attackers encrypting critical systems and demanding ransom payments for decryption keys. The consequences of such attacks can be severe, leading to production downtime, safety hazards, and damage to the reputation of affected organizations.

The White House has stated that the nation ‘faces an era of strategic competition with nation-state actors who target American critical infrastructure and tolerate or enable malicious actions conducted by non-state actors. Adversaries target our critical infrastructure using licit and illicit means.’ In the event of a crisis or conflict, the nation’s adversaries will also likely increase their efforts to compromise critical infrastructure to undermine the will of the American public and jeopardize the projection of U.S. military power.

The federal government emphasized the importance of identifying and prioritizing critical infrastructure security and resilience based on risk. It aims to implement a coordinated national approach to assess and manage sector-specific and cross-sector risks. Advancing critical infrastructure security and resilience necessitates a risk-based approach, and the federal government outlines various measures to support this action.

Industrial cybersecurity firm Dragos observed unique developments in the ransomware landscape during the first quarter of this year, including notable successes in law enforcement actions and unexpected shifts in the behavior of cybercriminals, although ransomware continues to pose a significant threat to industrial organizations globally.

Challenges and impact of malware and ransomware attacks

Industrial Cyber reached out to cybersecurity executives to assess the distinct challenges and vulnerabilities encountered by industrial environments in malware and ransomware attacks. They also examine the impact of recent malware and ransomware attacks on critical infrastructure and industrial operations.

Jon Clay, vice president for threat intelligence at Trend Micro

“Industrial environments often include systems that run key areas of the business and, in many cases, are critical to a location and its citizens. If water treatment or energy production is taken offline it impacts the people in that area tremendously,” Jon Clay, vice president for threat intelligence at Trend Micro, told Industrial Cyber. “In the past, systems that ran in these industrial networks with Operational Technology (OT) were air-gapped from their network.” 

Clay noted that currently due to the need for connectivity, remote access, remote management, and other reasons, many of these OT networks are now connected directly to the Internet. “This gives adversaries access and allows them to target their attacks. The main challenge with such networks is that, in many cases, OT devices and systems are old, many can’t host security software, and patching is a major challenge for operators. We are starting to see more critical infrastructure organizations being targeted by nation-state adversaries and profit-driven actors like ransomware groups,” he added.

Jason Rivera, director at Security Risk Advisors

Jason Rivera, director at Security Risk Advisors, told Industrial Cyber that it is important to first keep in mind that there are various kinds of ransomware. Two of them are encrypting ransomware, which works by encrypting accessible files in storage and then demanding a ransom to decrypt them, and leakware, which threatens to leak or distribute sensitive information.

“Having said that, there’s an array of motivating factors for threat actors and groups propagating ransomware,” Rivera said. “While I’m bearish on the notion that ransomware is ‘targeting’ critical infrastructure or operations, I’m bullish on groups targeting organizations with the highest impact and thus, likelihood of paying up. This would include organizations with ICS/OT supporting critical functions of manufacturing, production and distribution operations whether in pharma, retail, energy, or other sectors.” 

Dino Busalachi, chief technology officer and co-founder at Velta Technology

Dino Busalachi, CTO and co-founder of Velta Technology, pointed out to Industrial Cyber that the lack of visibility within the ICS infrastructure is one of the greatest vulnerabilities. “Many still believe ICS systems are air-gapped and this is simply not the case. Our research uncovers various methods by which ICS networks are connected to external networks. We find cellular modems embedded in machine centers, wireless devices, open ports, and industrial remote solutions installed by third parties.”

Busalachi noted that most attacks are centered around Windows systems used by both IT and OT. “Some of the attacks are conflated in that an OT resource brought malware into a plant from an engineering workstation running Windows but was allowed to connect to the OT environment without any review. Eight out of 10 will allow an outside third party to connect to the OT ICS environment without a system scan to determine whether the device is safe,” he added. 

Mike Hamilton, co-founder at Critical Insight

OT environments are increasingly a preferred target of cyber extortionists, Mike Hamilton, co-founder of Critical Insight, told Industrial Cyber. “In many industrial environments, operators of SCADA (Supervisory Control and Data Acquisition) and other operational technologies lack backgrounds in cybersecurity or information technology. While vendors usually oversee deployment and recommend changing default settings and establishing security controls, recent tactics used by Iranian actors to compromise programmable logic controllers in the water sector reveal poor implementation of even the most basic security controls.” 

He added that compounding the problem is the shortage of qualified security practitioners and competitive challenges in hiring them. “Notably, these environments generally lack the instrumentation required to monitor and detect failure of preventive controls, thereby hindering the ability to quarantine compromised assets effectively.”

Motivations behind attacks and strategies for prevention

The executives delve into the motivations driving malware and ransomware attacks on industrial environments and explore how these differ from other critical infrastructure sectors. They also examine essential strategies and best practices to prevent the spread of malware and ransomware attacks within industrial enterprises.

Clay identified that ransomware groups are looking specifically at this environment because it’s critical to the organization and, if they can disrupt its operations, the likelihood that the victim will pay their ransom to get systems back online quickly is very high. “The main difference from other sectors is many OT devices are not Windows-driven so adversaries need to know how to infect an Industrial Internet of Things (IIoT) device. However, many of the systems that run these devices are Windows machines which can impact the whole network, if compromised,” he added. 

Clay emphasized key ransomware strategies and best practices, including having a robust incident response plan that integrates business continuity and regular testing. He also pointed to implementing technology that is purpose-made for industrial environments and OT networks; leveraging advanced detection technologies, like AI, that can detect and block ransomware malware; and replacing traditional best-of-breed, siloed cybersecurity products with a platform approach that incorporates ASRM (attack surface risk management) and XDR (extended detection and response).

Busalachi said that industrial environments are attractive because they represent the revenue-producing part of any manufacturing business. “Impeding production/plant operations is costly, measured in the tens to hundreds of millions of dollars (Clorox). There are no time machines to go back in time and make up for losses. Business system interruption for manufacturers pales in comparison to shutting down revenue-generating manufacturing facilities.”

On essential strategies and best practices, Busalachi said: “Complete an asset inventory, determine the required communication amongst machines, and remove all unnecessary connectivity and access to the ICS infrastructure. Segment critical systems, and control remote access into these environments with OT-specific remote access platforms. VPN and zero trust strategies are not enough.”

“Not to overgeneralize but the motivation of ransomware is to get the ransom paid,” Rivera said. “Therefore, with industrial environments having the greatest risk to human lives and safety, OT security risk being business risk, and some of the inherent challenges that organizations face in protecting their ICS/OT systems, industrial environments may simply be more vulnerable to ransomware. It’s important to keep in mind that ransomware groups are well-funded and run like any other business. They are opportunistic and lack conscience or morality.”

He added that in his opinion, “the single most critical protection against ransomware for ICS/OT is to make sure ICS/OT systems are segmented from IT systems, and that IT systems in OT environments are also segmented. No inbound connection sessions allowed, encryption around the networks (when/wherever possible), compensating controls for legacy assets, secure architecture for IT/OT convergence, ICS/OT secure remote access instead of overusing IT remote support systems which lack security maturity – and tabletop exercises to expose and prove the weaknesses in perceived defenses.” 

Hamilton noted that there are two main classes of actors threatening operational technology (OT). “Targeting OT is attractive to criminals because toolboxes for compromising OT are becoming more prolific and since OT environments focus on high availability, downtime is costly, making these organizations prime targets for extortion. Manufacturing is much more likely to transfer this risk through insurance, making it even more of a target for extortion-motivated ransomware,” he added.

“Nation-states are also a threat. Disrupting services that rely on OT meets strategic goals of several countries aiming to disrupt and destabilize the US,” according to Hamilton. “This is not necessarily motivated by financial gain; for example, the water utility in Texas and a waste treatment plant in Indiana, which were claimed by Russian actors, involved small facilities where a large payout is not feasible, suggesting the main motivation is destabilization.”

He noted strategies for reducing the risk of compromise are standard: lower the likelihood of an unwanted outcome through the application of preventive controls, and minimize the impact of an event through network, endpoint, and cloud monitoring, combined with rapid and effective response.

Focus on employee training to mitigate risks

The executives delve into the comparison of malware and ransomware attacks in industrial environments regarding sophistication and impact relative to other sectors. They also assess the significance of employee training and awareness in mitigating the risk of ransomware attacks within industrial settings.

Clay said that in most cases, there isn’t a major difference. “Adversaries are looking to disrupt the operations of the business and push them to pay a ransom to get systems back online quickly. The biggest opportunity for awareness training is to inform the teams managing these OT networks that they are being targeted and how to harden their environment to minimize the risk of compromise,” he added.

“There have been a few specific ICS-specific attacks, but those have been well documented. Most attacks still are centered around traditional IT systems (Windows) that are also used in the OT environment,” Busalachi said. “OT infrastructure is not under the same scrutiny as IT. The OT systems tend to be older and not patched. The OT network is outside IT’s purview for obvious reasons (safety, production, and plant operations; activities that do not fall under IT responsibility),” he added.

He added the ‘GAPs’ between IT and OT are not well documented and management is looking in the wrong place to secure and protect their ICS from a cybersecurity and ransomware prevention perspective.

“OT needs to take the reins of responsibility to secure and protect the plant floor,” according to Busalachi. “Like safety, they need local personnel to play a role in delivering best practices for OT cybersecurity. The organization needs to think globally but act locally. OT plant floor environments vary from site to site even within the same organization (people, process, and technology).”

Hamilton outlined that employee awareness training is required and can be effective as a control measure. “It generally focuses on employee password management and resistance to phishing/fraud; however, there are many other initial access vectors. Recent trends suggest a greater focus on vulnerability exploitation by threat actors, which raises the bar on vulnerability detection and management. USB malware attacks are also becoming more sophisticated, indicative of domestic actors with physical proximity to targeted organizations,” he added. 

Federal response to adversarial action

The executives discuss the responses of governments and regulatory bodies to the rising malware and ransomware threats in critical infrastructure. They also examine the potential long-term consequences for industrial organizations that experience these attacks.

“The US government has been actively developing regulations and recommendations for critical infrastructure on securing network environments,” according to Clay. “CISA recently published an update to their National Cybersecurity Incident Response plan for critical infrastructure operators. Long-term consequences of an attack could impact the length of time services are offline and affect citizens in those areas.”

Rivera said that guidance from government agencies like CISA and their partners is great to see. “They’re clearly paying attention and using their platform to raise awareness. The depth of knowledge and information contained in publications like the #StopRansomware Guide is impressive. I just wish there was more they could do.”

He added that the long-term consequences for industrial organizations who fall victim to ransomware attacks could be substantial. 

“The worst-case scenario is that ransomware disrupts an industrial function or process with humans involved, and human safety is jeopardized. The consequences of that scenario would be direly unfortunate and resounding,” according to Rivera. “To that end, if organizations have resiliency in mind, run scenarios and test their backup and recovery plans, incident response plans, and have executive support, sponsorship, and awareness of ICS/OT security risks, hopefully, they can recover from an attack which disrupts business-critical operations depending on ICS/OT.”

Busalachi said that the government is fanning the flames, but most organizations ignore the mandates in the critical infrastructure space. “Critical infrastructure groups do the minimal requirement (asset inventory). They perform data gathering manually which is outdated soon after completion of the effort. Remember (60 percent + 30 percent) equals 90 percent still wandering in the wilderness.”

He noted that most push back because they lack everything, i.e. resources, budget, experience, skills, knowledge, etc., to pursue a technology and service solution. “We still do not see a widespread effort to close the OT cybersecurity GAP. The lack of metrics on the client end demonstrates the deficits in OT cyber hygiene.”

“Government agencies do not have the proper resources to address OT cybersecurity broadly, which opens them up to ransomware attacks,” Busalachi said. “Currently, critical infrastructure organizations can call on the support of the FBI if an adverse event occurs. Others outside the critical infrastructure domain are on their own to address cyber or ransomware events.”

He added that victims of ransomware attacks lose revenue, cannot get cyber insurance, experience brand loss, lose shareholder value, incur job loss, and their communities and the environment become less safe.

Hamilton identified that long-term consequences for industrial organizations that fall victim to these acts range from loss of revenue and fines to additional regulatory oversight and even loss of business. “If protected records are also stolen, class-action suits are also now the norm.”

“The federal government has been increasing regulatory oversight by the sector-specific regulatory agencies (SSRAs). SSRAs have expanded rulemaking, paused now with a lawsuit that characterized the EPA’s guidance for the water sector as an unfunded mandate,” Hamilton highlighted. “Nonetheless, the trends from SSRA communications have been risk governance, use of the NIST cybersecurity framework, and mandatory incident reporting.” 

He added that mutually agreed-upon standards such as those being advocated in the water sector will take time and are not likely to be auditable. “Without incentives such as grant programs, any additional mandates are likely to be further viewed as government overreach.”

Adopting technology and its cybersecurity implications

The executives evaluate emerging technologies and trends that show potential in defending against malware and ransomware threats in industrial environments. They explore the role of AI in this context and discuss how collaboration and information sharing among industry stakeholders can aid in combating cyber threats within industrial settings.

Clay pointed to products that help segment the network, protect IIoT devices, improve patch management, use AI to help manage vast amounts of data, and improve visibility into current attacks. “Public/private partnerships and the sharing of threat intelligence will also help the industry improve and minimize breach risks,” he added.

“Several technologies in the marketplace support the creation of a defensible architecture, provide deep visibility of ICS environments, and expose vulnerabilities within the OT environment,” Busalachi said. “AI and machine learning platforms are already available in the OT space. Many have displaced the responsibility entirely within IT, and we need OT to take a more proactive role to defend and secure operations as well as production of OT ICS.”

He added that organizations need to identify the GAP between the IT, OT, and other stakeholders (risk). “The OT supply chain is playing catch up. Long story short, ‘We need IT team members on the field and in the huddle, they just can’t be the quarterback!’”

“There are several companies that have products that are deployed into OT environments,” Hamilton said. “The difficulty for most of these environments, including manufacturing, is 24/7/365 human monitoring of security alerts coming from those technologies. AI can assist here as the ‘first pass’ investigation, but we cannot yet replace human analysts as the ultimate arbiters of whether an asset should be quarantined or isolated.”

Rivera pointed out that executive leadership, awareness and support of the tools, programs, resources, skills, and organizational imperatives to secure ICS/OT environments are the greatest trends. “That’s what enables organizations and teams to adequately build defensive solutions, either people, process, or technology-driven,” he concluded.
