Increased globalized exposure to ransomware attacks will continue to define ICS cyber threat landscape

Ransomware attacks on critical infrastructure have been increasing rapidly and pose a growing threat to operational technology (OT) assets and control systems. In recent years, the number and range of ransomware infections targeting industrial organizations have increased significantly, exemplified by cases such as EKANS and the Colonial Pipeline attack. At the same time, these attacks are reaching new heights of sophistication, with ransom demands skyrocketing into the tens of millions of dollars and posing financial and operational risks to industrial organizations globally.

In 2022, ransomware disrupted operations directly by targeting ICS mechanisms across organizations, vendors, and subsidiaries in various industries, and its frequency kept increasing. Multiple factors contributed to the rise in ransomware activity impacting industrial organizations and reshaped the threat landscape, including escalating geopolitical tensions, the introduction of the Lockbit Builder, and the continued growth of the ransomware-as-a-service (RaaS) model.

RaaS continued to grow as an attack vector in 2022, with an even greater impact on industrial control system (ICS) and OT environments. RaaS developers provide their offerings, complete with data exfiltration tools, to other cybercriminals, who use them opportunistically to attack organizations. The adversaries employ independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cybercriminals. Furthermore, attackers and RaaS developers collaborate to carry out cyberattacks and then share the spoils amongst themselves.

Industrial Cyber reached out to cybersecurity experts to evaluate how the threat and prevalence of ransomware have affected the approach to ICS cybersecurity. They also address the measures that these environments have put in place to defend themselves against the increasing number and sophistication of ransomware threats and attacks.

Robert Roser, CISO and chief data officer at Idaho National Laboratory (INL)

Robert Roser, chief information security officer (CISO) and chief data officer at Idaho National Laboratory (INL), told Industrial Cyber that INL has created a separate ICS network whose sole purpose is to facilitate communication across control systems. “This is an internal network. Furthermore, this internal network is segmented so that, if breached, one would have limited ability to move from one ICS system to another.”

Roser added that the connection with the internet is through a DMZ. “A DMZ, or demilitarized zone, is a perimeter network that protects and adds an extra layer of security to an organization’s internal local-area network from untrusted traffic. In addition, we are increasing our monitoring capabilities and have added malware protection capabilities to quickly detect if we have an intruder.”

The prevalence of ransomware has truly helped bring attention to the security weaknesses of ICS systems through several high-profile cases, Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), told Industrial Cyber. “Initially, ransomware operators did not appear to be intentionally targeting OT systems. Instead, they were attackers of opportunity, scanning large parts of the internet and phishing employees at many companies to see what they could get. Then, they priced their ransom and extortion appropriately once they realized who they had caught.” 

Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center

Bristow added that there is a theory that, over time, infrastructure owners and operators were specifically targeted because they were more likely to pay ransoms to restore operations; however, there is no publicly available data to support this theory, and most ransomware events go unreported. “After a while, some ransomware operators realized that going after critical systems such as hospitals would bring additional attention to the victims and the attention of law enforcement. This strategy created additional risk to the ransomware operations, including potentially impacting profits, as additional attention led to asset seizures and in some cases prosecution,” he added.

“Many organizations remain unprepared to deal with a ransomware event. Despite significant attention from government and law enforcement, including recommendations on how to defend against ransomware, some of the mitigations boil down to good security hygiene which is easy to articulate but challenging to implement and maintain over time,” according to Bristow. “Many organizations have implemented an offline backup program which has assisted in the rapid restoration of OT systems, however not all entities have implemented these controls.”

Joshua Magady, director of industrial cybersecurity digital solutions at 1898 & Co.

Joshua Magady, director of industrial cybersecurity digital solutions at 1898 & Co., told Industrial Cyber that asset owners are beginning to understand that their control systems are not immune to the threat of attack. “Adversaries are becoming more sophisticated and are actively seeking to exploit vulnerabilities in ICS to achieve their objectives. As a result, organizations realize that it is crucial to prioritize their ICS environments’ security and ensure that they are adequately protected against cyber threats. This realization has stimulated a mindset shift towards prevention and fortification rather than mere reactivity or, in some cases, apathy.”

“To further bolster their defenses, asset owners are investing in advanced security technologies, such as intrusion detection systems, micro-segmentation, zero trust architectures, and endpoint detection and response capabilities,” Magady added. “These technologies are designed to safeguard their ICS against a wide range of cyber threats and to provide asset owners with the necessary visibility and control to detect and respond to potential attacks. Additionally, asset owners are adopting best practices, such as regular security audits and vulnerability assessments, to maintain the resilience of their systems against the ever-changing threat landscape.”

Yoann Delomier, business strategy leader for OT at Wallix

Ransomware has multiplied in recent years to reach a peak in 2022, Yoann Delomier, business strategy leader for OT at WALLIX, told Industrial Cyber. “Its proliferation can be explained by the industrialization of the various modules that make up the cyber kill chain. The implementation of a payment platform, a C2 (Command & Control) server, or the availability of the code that allows data encryption, are facilities that favor the growth and efficiency in terms of gain of this malware. This logic of productivity and industrialization does not yet directly impact OT environments.” 

Delomier said that these environments are still based on proprietary technologies and quite isolated from the Internet. “The reconnaissance, weaponization, and delivery phases remain more complex to implement in the context of the cost-effectiveness of attacks. On the other hand, these techniques are now widely applied to the IT environment, generating contamination towards OT networks. IT/OT segmentation has been reinforced with one-way security gateway solutions, segmentation at the process level, and the implementation of isolation procedures for production sites in the event of IT network compromise,” he added. 

Erwin Sakkers, director for OT/ICS cybersecurity at Defentos, told Industrial Cyber that in the previous few years, there has been an increase in ransomware attacks against ICS/OT environments, and one of the leading causes of these attacks is geopolitical events. “It’s encouraging to see that despite the global economic downturn, most business owners are increasing their spending on ICS/OT cybersecurity.” 

Erwin Sakkers, director for OT-ICS cybersecurity at Defentos

“To defend themselves from ransomware attacks, industries are placing different control measures in place,” Sakkers added. “Here are a few important ones – training and awareness, insider threat management, OT network visibility tools, and secure remote access. Most importantly, industries are asking for cyber security assessments to know their current cyber security posture to determine what really needs work.”

The executives examined whether the RaaS model had changed the threat dynamics within the OT/ICS domain.

Roser said that the RaaS model had changed the threat dynamics within the OT/ICS domain. “RaaS is a business model in which malware developers rent or sell their ransomware to other cybercriminals, who then use it to launch attacks on their targets. This model has made it easier for less-skilled criminals to conduct sophisticated cyberattacks and profit from them. As a result, RaaS has led to an increase in the number of attacks and the complexity of those attacks,” he added. 

“RaaS makes it easier for organizations to hold data at ransom as you do not need technical capabilities to conduct ransomware activities,” Bristow observed. “There have not been studies on the difference between human-operated ransomware and RaaS against OT systems, but generically you are more likely to see indiscriminate targeting via RaaS services.”

The emergence of RaaS has introduced a new level of sophistication and complexity to the threat landscape within the OT and ICS domain, Magady evaluated. “The availability of RaaS platforms has lowered the entry barriers for less sophisticated adversaries, granting them access to powerful ransomware tools and infrastructure previously only available to highly skilled cyber criminals and well-funded state actors,” he added.

“The customization capabilities of RaaS have also enabled adversaries to tailor their attacks to specific industries, including ICS environments, which are highly valuable targets due to their critical role in industrial operations,” according to Magady. “This customization makes it easier for attackers to evade detection and bypass security measures, as they can create highly targeted attacks that are more likely to succeed.”

Delomier pointed out that RaaS has made cyberattacks generally accessible and democratized. “The approach is now inexpensive, and technical expertise is no longer a prerequisite for an attack. The services offered by these RaaS platforms now allow any malicious group to paralyze a target.” 

“Manufacturing or industry cyber-attacks by nation-state actors, which mobilize numerous expert resources, are now carried out by minimal teams or for-profit organizations. This leaves these expert resources free time to develop targeted and complex attacks against critical infrastructures that can paralyze a state or a major critical activity,” Delomier said. “We are therefore facing a more dynamic and selective ransomware threat, depending on the objective pursued (profit or destabilization).” 

New players with intermediary roles are appearing, offering services around ransomware industrialization, including marketing messages aimed at profitable ICS targets, and claiming their share of the proceeds, Delomier added.

The RaaS model has significantly changed the threat dynamics within the OT/ICS domain, Sakkers said. “This model allows even inexperienced attackers to launch ransomware attacks, providing them access to pre-built ransomware tools and infrastructure that they can use to target ICS/OT environments.”

“RaaS providers typically take a percentage of the ransom payments made by the victims, providing attackers with a financial incentive to launch ransomware attacks against ICS/OT systems,” according to Sakkers. “This has led to increased ransomware attacks against these systems, as attackers seek to take advantage of the vulnerabilities present within the ICS/OT environment. The ease of access to RaaS infrastructure and tools has increased the number of ransomware attacks against ICS/OT systems. Attackers are more likely to attempt to target ICS/OT systems, as they can do so with minimal effort and resources.”

Sakkers also pointed out that the RaaS model has lowered the entry barriers to launching a successful ransomware attack. “Attackers no longer require extensive technical skills or resources to launch ransomware campaigns against ICS/OT systems, as pre-built ransomware tools and infrastructure are readily available through the RaaS model.”

Cybersecurity experts evaluate the reasons why OT systems have become a tempting target for ransomware attackers. They also investigate what makes cybercriminals more motivated and focused on OT environments than ever before, and what potential motivating factors are driving this change.

INL’s Roser points to a couple of reasons. “First, OT systems can be highly visible and often make the news so an adversary will see a visible reaction. Taking down certain OT environments can be a threat to national security. Second, OT technology has not kept pace with IT. Typical OT installations are expected to run for 20+ years whereas in IT the equipment life cycle is 3-5 years.” 

“To modernize technology requires plants to shut down for the upgrade,” Roser said. “If the process that the OT systems are running hasn’t changed, the only impetus a company has to change it is spare parts, local knowledge, and cyber. It’s not like IT where the increase in compute and network speed matters.”

He also added that the RaaS model had enabled attackers to target smaller businesses and organizations that may not have the resources or expertise to defend against sophisticated attacks. “This has expanded the attack surface for ransomware and made it easier for attackers to find vulnerable targets, and thus paying customers.”

“OT systems are tempting for several reasons. The security of OT systems is frequently under-resourced and the need for high process availability often creates incentives for continuing operations for years between software updates or re-design with modern security controls,” MITRE’s Bristow said. “There are some ransomware operators who appear to more heavily target OT and critical infrastructure environments, however, they do not openly disclose their reasons for doing so. On one hand, critical infrastructure operators may be more motivated to pay ransoms to quickly restore operations, however, the additional attention on critical infrastructure ransom events could create more risk for the operators,” he added.

Magady pointed out that the proliferation of standardized computing systems and protocols in ICS has led to reduced complexity, enabling attackers to reuse previous modules and techniques across different systems. “This, coupled with the criticality and increasing interconnectedness of these systems, has created a prime target for criminal organizations and state actors.” 

“Motivated by financial gain, the potential for physical harm, and operational disruption, attackers are drawn to the relative lack of security controls in these environments,” Magady added. “Ransomware attacks on OT systems have the potential to cause significant disruption to critical infrastructure, with far-reaching economic and social consequences. The vulnerability of OT environments, combined with their importance, makes them an easy and attractive target for attackers.”

Industrial environments by definition generate significant material and financial flows, and any production downtime means major financial losses, which fits the hackers’ economic logic, Delomier said. “Industrial systems are essential to the functioning of society and represent interesting targets to create chaos, geopolitical destabilization, or to be used as leverage for interstate negotiations.”

“In this objective of destabilization, the RaaS model has created opportunities for new actors, such as terrorist groups that previously did not have the means to invest in the training of hackers,” according to Delomier. “The risk to the industry and critical environments has never been so high in terms of the motivations driving these organizations. Of course, the digitalization of these environments, combined with a design that dates back to a time when cyber threats were not very well evaluated, is a key motivating factor for cybercriminals.”

Delomier added that ICS environments are subject to significant vulnerabilities, are increasingly exposed to remote connections, and remain difficult to protect in their operational context.

“Ransomware attackers have increasingly set their sights on ICS/OT environments due to the critical nature of the infrastructure they support,” Sakkers said. “The nation’s reliance on these environments makes them an attractive target for attackers seeking to cause significant problems affecting people, the environment, and the country’s economic stability. Because of these impacts, the potential for significant financial gain is also high for ransomware attackers.”

As the importance of these environments continues to grow, so does the potential for economic growth, making them an increasingly lucrative target, he added.

The executives also described methods that can be used to prevent the entry and proliferation of ransomware across industrial environments, and to safeguard these environments against the evolving threat landscape.

“First, there is raised awareness of the importance of cybersecurity in the ICS environments, which is good, and companies and governments are starting to focus on this problem that has been largely ignored for quite some time,” according to Roser. “The approach is the same as it is in the IT world, namely a focus on people, process, and tools. One needs cyber expertise to pay attention, instrument the environment so that there is visibility to what is happening on the networks, do the cyber basics like multi-factor authentication on logins, patch the systems on a regular cadence, backup your systems regularly, use firewalls, and provide cyber awareness training for employees and the like.” 

Finally, Roser added that it is crucial for organizations to maintain open communication channels with government agencies and cybersecurity experts to stay informed about emerging threats and best practices for mitigating those threats, as well as share indicators of compromise if breached to help protect the broader enterprise. “Cyber is a team sport.”

“What you are starting to see is organizational changes at companies where their CISO is also gaining responsibility for the security of operational technology.  These new roles are helping to bring together both operations and cybersecurity to ensure that proper mitigations are put in place,” Bristow said. “It also helps organizations understand the links between OT and IT. To help with securing OT, there is a growing list of resources to help organizations defend and recover from compromises. In addition, you are seeing pre-conditions before insurance can be purchased, and assessments of OT systems are becoming more popular.”  

Since many of these organizations have issues replacing OT technology, they have been focusing on resilience to minimize the impact of any event if it eventually happens, Bristow added. 

“The most effective organizations are using threat-based and risk-based lenses to help determine which mitigations reduce the susceptibility of their OT,” according to Bristow. “We also see adversary emulation to test these systems against the TTPs of specific attackers and to ensure that those systems are detecting and defending against the tactics of their current adversaries. What you will see in the future is technology and processes aimed at engaging adversaries to both delay and learn their TTPs.”

Magady outlined that to stop the entry of ransomware and its proliferation across industrial environments, asset owners are conducting rigorous risk and security assessments, providing security awareness training for their employees, and investing in advanced security technologies such as intrusion detection systems, micro-segmentation, zero trust architectures, and endpoint detection and response capabilities.

“Asset owners are also adopting best practices such as regular security audits and vulnerability assessments to maintain the resilience of their systems against the ever-changing threat landscape,” Magady added. “There is a growing understanding that security plays a significant role in the reliability and safety of ICS, and asset owners are taking the necessary steps to ensure that their systems remain secure, reliable, and safe at all times.”

“To secure and block ransomware, manufacturers must absolutely secure vendor access (Privileged Account Management), which is a major vector for malware introduction,” Delomier said. “Access must be based on protocol breaching functions, in order to limit the possibilities of dissemination and exchange with a C2 server. EPM (Endpoint Privileged Management) solutions adapted to ICS environments can be used to harden critical stations and block any potential encryption mechanism.”

“In addition, identity management and associated password security is an important security factor. Passwords are still widely shared and distributed by internal teams and service providers,” according to Delomier. “These credentials are very often resold and exploited by hackers to break into industrial organizations.”

He added that the cybersecurity solutions providing the best user adoption due to operational constraints will be the most efficient response to a growing ransomware threat.

Sakkers identified that several methods are currently being used to prevent the entry and proliferation of ransomware across industrial environments, including conducting regular backups of critical data, ensuring that all software is current, implementing strong access controls, and conducting regular employee awareness training.

He also listed using the latest anti-virus and anti-malware software, implementing network segmentation to reduce the attack surface, conducting regular vulnerability assessments and penetration testing, implementing multi-factor authentication and strong password policies, limiting the use of administrative privileges, and implementing incident response plans.

Sakkers concluded that by adopting a multi-layered approach to security, organizations can reduce the risk of ransomware attacks and effectively respond to them when they occur to prevent further damage or loss.
