Growing Ransomware Threats: Looming Danger for ICS, Industrial Companies

In recent years, the world has witnessed a significant surge in ransomware attacks, posing a growing threat to industrial control systems (ICS) and industrial companies. These malicious attacks have become more sophisticated, frequent, and financially devastating, highlighting the urgent need for enhanced cybersecurity measures. This article explores the alarming rise of the ransomware threat and its potential consequences for ICS and industrial organizations.

Escalation of Ransomware Attacks

Ransomware attacks on manufacturing processes, production lines, and the overall supply chain can have severe and far-reaching consequences, Oleg Vusiker, CTO of Israel-based OT/ICS data recovery specialist Salvador Technologies, told Industrial Cyber, adding that these attacks involve malicious actors encrypting a victim’s data and demanding a ransom payment in exchange for providing the decryption key.

Oleg Vusiker, CTO at Salvador Technologies

He added that the consequences can vary based on the extent of the attack and the preparedness of the targeted organization. “Firstly, operational disruption, supply chain delays, and consequently financial losses, damage to the company’s reputation; it could have regulatory and legal consequences, not to mention harm employees’ productivity and morale.”

Vusiker mentioned that many critical infrastructure systems are directly related to public safety. He cited that a ransomware attack on a power grid can disrupt electricity supply to hospitals, emergency services, and essential facilities. Attacks on water treatment plants can compromise clean water supply, leading to health risks. Similarly, attacks on transportation systems can disrupt traffic control and transportation safety measures.

Financial and Operational Risks

“In critical infrastructures, the longer an organization’s operations are disrupted, the greater the financial losses. Industries reliant on continuous operation, such as energy, transportation, and manufacturing, can experience substantial economic setbacks due to downtime,” Vusiker highlighted. “Recovering from a ransomware attack involves several expenses, including hiring cybersecurity experts to assess the damage, restore systems from backups, and decrypt encrypted data if a ransom is not paid.”

He added that organizations should identify the potential costs: ransom payment, recovery efforts, operational disruption, and reputational damage. “Estimate these costs, evaluate the potential impact of supply chain disruptions, and take into consideration the recovery effort they will have to implement.”

Alex Yevtushenko, CEO, Salvador Technologies

Alex Yevtushenko, Salvador Technologies’ CEO, noted that ransomware cost is usually a small portion of the financial damage for the company. “From the moment it is attacked, the company starts to lose money: operations stop, employees who actually cannot work need to be paid, and manufacturing machines are halted. In addition, during the downtime, the company pays the incident response team (usually a few teams are involved to speed up the recovery process), fines to their customers for delayed supply of the product, and fines to regulatory bodies have also become more common in recent years,” he added.

Sophistication and Collaboration

Vusiker outlined that ransomware attacks have become more sophisticated, employing advanced encryption techniques and evasion tactics to avoid detection by security systems. Attackers are increasingly using targeted attacks, researching and profiling their victims to maximize the potential impact. Some use a ‘double extortion’ strategy: apart from encrypting data, they steal sensitive information before encryption and threaten to release it if the ransom is not paid.

“Many vendors are dealing with finding a way to detect, as much as possible, the infected files that are stored in the backups,” Yevtushenko pointed out. “They are using techniques such as scanning, analysis, and detection of known threats. While no technology can ensure backups and storage are clean from malware, redundancy is very important when dealing with backups.”

Addressing the techniques and methods ransomware operators employ to bypass improved security measures in IT environments and reach critical OT systems, Vusiker said that they use phishing and social engineering, some targeting specific individuals within an organization. “We see attackers using malicious toolkits that contain vulnerabilities. The tactics vary a lot and constantly evolve.”

On how understanding these evolving tactics helps organizations bolster their defense against ransomware propagation, Vusiker said that in “our approach, a ransomware attack has become inevitable. Looking at the exponentially increasing rate of cyber-attacks and the cost of prevention and detection measures, we understand it’s game over, and any OT organization has to focus on recovery, since it’s not a question of ‘if’ anymore but rather of ‘when.’”

Assessing how industrial companies and critical infrastructure providers address the lack of confidence in their current defenses and protections against ransomware attacks, Vusiker pointed to a survey conducted earlier this year. “We found that more than 60% of OT professionals say their current cyber-attack recovery plan does not adequately support OT/ICS, and 63% of them are not confident in their cyber-attack recovery plan (i.e., business continuity) for critical OT workstations and machines. Most of them admit OT/ICS environments differ dramatically from IT and require an OT-specific approach to cyber security, and rely on manual methods that require a long process to recover,” he added.

Impact on ICS Frameworks

Ransomware can disrupt production even without targeting ICS assets. Vusiker said that his “customers feel more confident in their ability to regain operations. For some, the implementation of our technology resolved a regulatory deficiency. The easy deployment is a big advantage, as many report that they don’t have to depend so much on IT teams.”

On the specific challenges and vulnerabilities that make industrial companies and critical infrastructure particularly susceptible to ransomware attacks, Vusiker said that industrial systems often have a longer lifecycle than typical IT systems. “This means that organizations might delay updates and patches to avoid disrupting operations, leaving them exposed to known vulnerabilities.”

Additionally, Vusiker noted that industrial companies often rely on third-party vendors for critical systems. “If these vendors have weak security measures, they can become potential entry points for attackers. It can be because operational teams in critical infrastructure may lack IT security expertise, making them less prepared to detect and respond to cyber threats.”

Looking into why companies have struggled to halt the propagation of ransomware into their OT production networks, Vusiker detailed that OT networks are traditionally designed for reliability and safety, with less emphasis on security. “Many OT systems use legacy hardware and software that lack modern security features and are more vulnerable to attacks. Upgrading or replacing these systems can be costly and complex.”

Production Halt and Lack of Confidence

Addressing why many companies manually take their production systems offline following a ransomware attack, and whether this displays a lack of faith in existing organizational protections, Yevtushenko said that taking entire systems offline is a common practice after a cyber-attack is detected on one of the computers or segments in the network.

He added that this is to investigate the damage and assess the risk before continuing operations. “This is done usually due to a lack of a resilience plan in place, and another significant reason is a lack of redundancy in the systems, in the form of protected and ready-to-use backup systems that serve as additional layers to keep the non-impacted systems operating, taking the risk they may be infected as well. If the backup system is secured, you can rerun the system in such a case.”

In light of the inevitability of ransomware attacks, Yevtushenko addressed various strategies that organizations should adopt for effective data recovery without succumbing to ransom demands. “The organization should be prepared for the case when it is attacked and have a recovery plan and solution in place. It must have air-gap-protected backups to avoid these being impacted during a cyber-attack. This backup should allow fast restoration of the entire system to allow fast recovery and minimize the downtime, eliminating the need to pay ransom if the downtime is very short.”

Recovery Strategies and Incident Response

Looking into how ‘quick recovery’ factors into the best practices that industrial companies and critical infrastructure providers should implement to mitigate the impact of ransomware attacks on production capabilities, Yevtushenko said that “if the downtime is long, the cost is tremendous, while if the downtime is short, the cost of the ransomware attack is reduced to a non-significant impact to the company.”

On how incident response planning and robust backup and recovery strategies factor into mitigating the impacts of ransomware attacks, he added that “if you prepare with a recovery plan and robust backup, your risk drops significantly.”

Given the inevitability of ransomware attacks, and attacker capabilities that have already produced the first ‘cross-industry disruptive/destructive’ ICS/OT malware, it is crucial to assess the strategies that organizations should adopt for effective data recovery without succumbing to ransom demands. A robust ransomware defense strategy not only protects immediate operations but also contributes to the long-term sustainability of industrial processes.

“Organizations should segment the network and have security tools in place. The number of attacks is unlimited; those tools reduce the likelihood of the attacks. Having said this, many attacks will still penetrate the system and result in costly downtime,” Yevtushenko detailed. “This means organizations should be prepared to handle the attacks with a good recovery plan in place, training the team to react to the attack, having an appropriate SLA with an incident response team (if external), and most importantly having air-gap backups that will not be impacted during the attack and that allow a fast and efficient restoration process.”
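Both Yevtushenko remarks above (checking that backups are not themselves compromised, and being able to trust an offline copy enough to restore from it quickly) come down to one pre-restore step: knowing whether the copy still matches what was written. The script below is an added illustration of that step, not code from the article or from Salvador Technologies. It assumes a workflow in which a hash manifest is built when the offline copy is written and kept out of reach of the production network, and verified before the copy is restored; the file names, the 7.5 bits/byte entropy cut-off and the tampering scenario are constructed for the demo.

```python
"""Verify an offline backup set against a hash manifest taken at backup time.

Added illustration (not the article's or any vendor's code). Assumed workflow:
build_manifest() runs when the backup copy is written and the manifest is stored
with the air-gapped copy; verify_backup() runs before that copy is restored.
Changed, missing, unexpected and ciphertext-looking files are reported so an
operator can decide whether the copy is still safe to restore from.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed cut-off: text/config/database pages sit far below; encrypted data is close to 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(path: Path) -> dict:
    """SHA-256 of the whole file plus entropy of its first 64 KiB."""
    digest = hashlib.sha256()
    head = b""
    with path.open("rb") as f:
        while chunk := f.read(1 << 16):
            if not head:
                head = chunk
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "entropy": round(shannon_entropy(head), 3)}


def build_manifest(root: Path) -> dict:
    """Map every regular file under `root` (POSIX-style relative path) to its fingerprint."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree at `root` with `manifest` and classify every discrepancy."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "added": [], "high_entropy": []}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            report["missing"].append(rel)            # file vanished from the copy
        elif actual["sha256"] != expected["sha256"]:
            report["modified"].append(rel)           # content differs from manifest
    for rel, actual in current.items():
        if rel not in manifest:
            report["added"].append(rel)              # e.g. a dropped ransom note
        if actual["entropy"] > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)       # looks encrypted or packed
    report["clean"] = not any(report[k] for k in ("modified", "missing", "added", "high_entropy"))
    return report


def run_demo() -> tuple:
    """Constructed scenario: snapshot a small 'backup', then mimic what an encryptor does to it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi").mkdir()
        (root / "hmi" / "plc_config.xml").write_text("<plc><ip>10.0.0.5</ip><mode>run</mode></plc>\n")
        (root / "hmi" / "recipe.csv").write_text("step,setpoint\n1,72.5\n2,80.0\n")
        (root / "scada.db").write_bytes(b"SQLite format 3\x00" + b"\x00" * 2048)
        manifest = build_manifest(root)              # taken when the copy was written
        before = verify_backup(root, manifest)

        # Constructed tampering: one file overwritten with ciphertext-like bytes,
        # one deleted, one ransom note dropped into the tree.
        (root / "hmi" / "plc_config.xml").write_bytes(os.urandom(4096))
        (root / "hmi" / "recipe.csv").unlink()
        (root / "README_TO_RESTORE.txt").write_text("your files are encrypted\n")
        after = verify_backup(root, manifest)
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("at backup time:", "clean" if before["clean"] else "tampered")
    for key, value in after.items():
        print(f"after tampering, {key}: {value}")
```

Two caveats match the quotes. The manifest is only as trustworthy as its storage: if it sits on a share the ransomware can reach, the attacker rewrites it alongside the files, so it belongs with the offline copy or under a signature the production network cannot produce. And a clean result says the copy is unchanged since it was written, not that it was malware-free then; that is exactly the gap the scanning Yevtushenko describes and backup redundancy are meant to cover.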
