Recovery from industrial cyber-attacks just became a lot easier

Rampant cyber threats and attacks have made organizations conscious of the need to structure their operations around five functions: identify, protect, detect, respond, and recover. These functions provide cybersecurity outcomes based on existing standards, guidelines, and practices that organizations can customize to manage and reduce their cybersecurity risk. Planning for operational recovery has become critical in industrial environments.

The last of these functions, ‘Recover,’ is often overlooked and underinvested. Preparing an actual recovery plan can be tricky, particularly across critical infrastructure and industrial environments, because it is difficult to ascertain where the adversary will strike, which systems will be impacted, and what the likely fallout would be.

A new hope

Enter Salvador Technologies. This Israel-based OT/ICS data recovery specialist offers an elegant solution with its standard in operational continuity and cyber-attack recovery. The startup sets out to fill a market gap by bringing about a full system recovery in just 30 seconds while ensuring the continuous operation of critical workstations and servers worldwide. Primarily focused on OT and critical infrastructure environments, Salvador’s solutions are based on air-gapped protected storage and sophisticated data-corruption detection.

Targeted at industrial and critical equipment, Salvador Technologies’ solutions are “unlike most of or any other vendors in the industrial cybersecurity field, as we are not focusing on the detection and prevention,” Oleg Vusiker, CTO at Salvador Technologies, told Industrial Cyber in an exclusive interview. “Because according to our philosophy, you cannot detect or prevent 100% of attacks. We focus on the incident response and the recovery velocity. If you agree with the assumption that it is not a matter of if, but when, this approach makes complete sense,” he added.

Oleg Vusiker, CTO at Salvador Technologies

The company’s unique technology brings the capability to recover within 30 seconds, as it backs up OT/ICS data onto large external disks, supported by NVMe storage. These disks remain offline and air-gapped. When a cyber-attack occurs, the external disks replace the internal disks and enable the organization to reboot their computer systems and servers and continue their operations with minimal impact and business disruption.

Don’t pay the ferryman

“According to our philosophy, the offense is always one step ahead of the defense because the offender is trying to penetrate a system and he will always be one step ahead, and eventually he will be able to attack the critical systems. That’s why the incident response is so critical,” he added.

Vusiker pointed out today’s security investment and the ransomware costs, which are growing exponentially. “Despite the enormous effort that companies put into visibility solutions, detection, and prevention, there is still a huge gap regarding the incident response, specifically in the industrial field. We use an approach that is pro-active and forward-moving: it’s not what happens, it’s how you react,” he disclosed.

The dreaded downtime and measuring the cost

“Downtime causes are not limited to cyberattacks, but it can also be due to failures, such as hardware failures, or software failures,” Vusiker observed. It can also be due to misconfiguration, or simply a device that stops working for some mechanical or other reason. “Most OT systems have been working for many years without replacement. Hence, the probability of some kinds of failure in the computing system during the years is pretty high. Also, the probability of cyber-attacks is also there,” he added.

Today, many industrial companies back up critical systems manually, and some do not back them up at all. Vusiker also called attention to the fact that many of those systems are still running legacy operating systems, such as Windows 7, which Microsoft no longer supports. “There are a lot of security gaps because Microsoft has not released any kind of security updates for those systems,” he added.

Recovery time, or recovery velocity, is key to minimizing the impact of system downtime. Vusiker cited specific cases of downtime caused by cyber-attacks at large industrial corporations, such as Merck, TSMC, and Norsk Hydro, which suspended operations for weeks. “The downtime in Norsk Hydro was three months. In Israel, just last year, a power semiconductor manufacturer was hit by a ransomware attack, and all their employees were sent on vacation without payment for more than a week, because of the downtime of the manufacturing process,” Vusiker added.

What makes Salvador different

Salvador uniquely offers a physical failsafe: the device cuts the electrical power to the disk that contains the backup. That is how the company guarantees that no one can bring this disk online without physical access. The only way to bring the disk online is by pressing the button on the device.

“In case of a cyber-attack, all you need to do is to press a single button on the device, restart your critical machine, restart your critical server or critical computer, and boot up from this device. You just continue to operate from it,” Vusiker stated. “You can do it right away in 30 seconds because you are simply replacing the corrupted disk inside your machine with the new disk located in our device,” he added.

Targeted at any kind of computer or server, the Salvador device for small-scale networks is called the Cyber Recovery Unit. It plugs into a USB port and is attached to every critical engineering workstation or HMI (Human-Machine Interface). In addition, an internal version using SATA is currently being developed, according to the company.

Industrial Cyber asked Vusiker about historians within the OT environment, which collect information and changes in the environment. In response, Vusiker said, “you can install it in this kind of equipment.”

Not every industrial environment is the same

He also highlighted the multiple use cases, including HMIs, industrial computers, and building management systems. “In the building management space, for example, you find just one centralized building management system in each building, so one device is enough. In energy production, for example, in each site you’ll have a few computers. You don’t have many of them. You have a maximum of dozens of them,” he added.

For larger-scale production lines, such as semiconductors manufacturing or manufacturing of cars, Vusiker has another breakthrough solution. “We are collaborating with Nvidia in developing a centralized storage solution. The idea is implementing our cybersecurity algorithms inside Nvidia’s network adapter rather than on the server. Since the network adapter is in an isolated, air-gapped environment, we have an air-gapped management port inside the network adapter. We bring in the same solution, but it is centralized for large-scale storage. You can just boot from the storage and retrieve the backup. It’s the same principle,” he added.

Citing NIST SP 800-82, the latest guidelines released by NIST, Vusiker noted that “you must verify that the backups are valid and working, and you must include testing of the restoration process. Our system is continuously monitoring backups and their validity at every point. The web management platform, which can be on-premises or in the cloud, monitors the entire process.”

Salvador offers a single point of monitoring, a web-based interface covering all the devices: “if we have dozens of boxes inside your organization, in your critical infrastructure, you can immediately see the status of each of the backups,” according to Vusiker. Another major advantage is “the restoration tests that you can do. In order to do these tests, you can just unplug the device from the machine, plug it into your laptop, for example, and you can restore the backup in 30 seconds. You can see if it’s working, operating, or not,” he added.

Simple and Verifiable

“Today, many asset owners are simply doing the backups and hoping that they will work, and they don’t check the restoration process because it’s complex in the OT environment,” Vusiker said. “Using our solution, you simply boot the backup in any kind of equipment or computer, and verify the restoration,” he added.

Another crucial guideline from CISA and the FBI, released last year after the Colonial Pipeline attack, was that “you must ensure backups are up to date, easily retrievable, and air-gapped. Our solution combines all three of them,” Vusiker said. “Currently, most of the backup and restore companies are focusing on IT. In the IT world, there are excellent solutions because you can just recover your virtual machine with one click in 30 seconds. However, they’re not applicable in the OT because they’re mainly for the cloud and virtual machines,” he added.

Vusiker said that the OT space will continue to be a major target for malicious and nation-state actors; one need only look at the activity around the Ukraine invasion. “You must have a better solution to be able to recover from those attacks. The question is not if they will happen, but when they will happen.”

One of the main challenges Salvador faces is adapting the technology to support legacy systems like Windows XP and Windows 7. It is challenging, and the company is making specific efforts to support those kinds of systems.

Vusiker says that Salvador’s goal is to lead the charge toward a new standard of backup and restoration and push “recovery” front and center.
