As ransomware evolves, R4IoT approach could further weaken cybersecurity posture across IT, IoT, OT environments

As ransomware attacks continue to remain a nightmare across the critical infrastructure sectors and operational technology (OT) environments, a new attack perspective called Ransomware for IoT or R4IoT approach has surfaced. The proof of concept (PoC) disclosed the growing sophistication of cybercriminals, as they string together IT, IoT, and OT environments to create a large attack canvas. 

Forescout Technologies’ Vedere Labs showcased how next-generation ransomware exploits IoT devices for initial access, targets IT devices using the deployment of cryptominers and data exfiltration, and leverages poor OT security practices, such as breaching PLCs, to cause physical disruption to business operations. By compromising IoT, IT, and OT assets, the R4IoT approach goes beyond the usual encryption and data exfiltration to cause physical disruption of business operations.

Once the domain controller is under the hacker’s control, they will be able to weaponize it to conduct large-scale malware deployment and establish their channel for command and control (C&C). Basically, at this stage, organizational assets, processes, and networks are laid out like a buffet table for ransom or sabotage. Given the extent of damage that such threats can cause, the R4IoT approach is being described as the next generation of ransomware.

Such threats get further amplified in OT environments, running legacy equipment, which may often be outdated, out of service systems, end-of-life, and/or not adequately security patched, apart from not receiving regular security updates. Furthermore, the move within operational installations toward digital transformation can be exploited by hackers, thereby making the industrial control system (ICS) environment highly susceptible to cyber threats. 

Earlier this year, industrial cybersecurity company Dragos reported a rise in vulnerabilities and ransomware, as ICS/OT systems digitally transform. Additionally, it analyzed that 2021 was a pivotal year for ransomware gangs and their affiliates, with ransomware emerging as the number one cause of compromises in the industrial sector.

When it comes to ICS and OT cybersecurity, it is all-important to build a secured design to compensate for increased cyber-attack surface contributed by the addition of industrial IoT devices to these operational environments. Techniques such as zero-trust and strict adoption of privileged remote access to employees, vendors, operators, integrators, and various third parties must be immediately adopted across the organization.

Analysts have assessed that while organizations in most industries have been focusing on cybersecurity for some time, the maturity of their approaches is not uniform. In 2021, McKinsey estimated that the cybersecurity-maturity level of more than 100 companies and institutions in several industry sectors and learned that while some in banking and healthcare have achieved fair progress, most organizations—in all industries—still have a ways to go to protect their information assets against threats and attacks. 

Industrial Cyber contacted experts to chalk out the response that the critical infrastructure sector must take up to safeguard its business environments and bolster its cybersecurity stand to deal with an inevitable increase in sophistication and scope of traditional ransomware, as demonstrated by the R4IoT approach.

“With the rise of ransomware-as-a-service (RaaS), ransomware attackers are growing more sophisticated, and attacks themselves are becoming more devastating to operations and civilians alike,” Roman Arutyunov, co-founder and vice president of product at Xage Security, told Industrial Cyber. “Because an R4IoT approach compromises IoT, IT, and OT assets, these attacks cause physical disruption of business operations—exemplified in high-profile cases such as Colonial Pipeline and JBS.” 

However, Arutyunov said there is hope for the critical infrastructure sector, and that hope lies in a zero-trust security strategy. “This proactive, identity-based security architecture—in contrast to traditional perimeter-based, detection-and-response models that ransomware can easily break through—ensures that any initial attack vectors to an IT or IoT asset via unmanaged credentials and exposed insecure protocols are confined and isolated, unable to leak into operations and cause a disruption,” he added. 

In other words, with zero trust, malware is unable to traverse from IT/IoT to OT, ensuring that no attacker can exploit any cyber weakness upon gaining access to one part of a network, Arutyunov said. “Zero trust is especially crucial for companies in industries that have been slower to modernize, such as oil & gas, utilities, and energy,” he added.

“It is hard to deny that the entire threat terrain is evolving quite fast,” Terence Liu, CEO of TXOne Networks, told Industrial Cyber. “The adoption of new technologies and devices in the worksite environment is only one factor that often introduces more attack surfaces – we think that the critical issue in this current era of cyber threats is that keeping IoT assets secured with the most up-to-date patches is challenging in OT environments.”

Liu also said that one thing is for certain – the current combination of tactics, techniques, and procedures (TTP) used by hackers makes cyber safety a difficult standard to maintain for any asset owner.

“The development of modernized cyber attacks is driven by two main factors – the popularity of Bitcoin, and the proliferation of Ransomware-as-a-Service (RaaS), according to Liu. “Because of these two trigger points, organized crime based around a dark web RaaS industry now drives rapid developments in the number of cyber attacks against organizations. Large ransom payouts are the driving force towards more sophisticated attacks such as those that leverage zero-day vulnerabilities or vertical-specific knowledge of protocols and regulations. We have tracked a steady increase in the scope of ransomware attacks, which is, unfortunately, showing no sign of slowing down,” he added.

Given the presence of legacy assets within the critical infrastructure sector, often running without proper protection, at either the endpoint (inspection and lockdown) or network (segmentation and virtual patching) level, legacy assets are like swiss cheese – full of obvious holes, or ‘known vulnerabilities’, that attackers can easily see and take advantage of. 

“Dealing with these sophisticated attacks requires multi-layer protection, including detection and response strategies, that reduce risk and prevent cyber incidents without impacting productivity,” Liu added.

Determining whether proper network segmentation and utilization of both the NIST Cybersecurity Framework and zero-trust architecture can prevent cybersecurity incidents, such as the R4IoT approach, within the critical infrastructure sector, Arutyunov agreed that zero-trust architecture and proper network segmentation are highly effective at preventing ransomware attacks. 

“Because zero trust treats the identity of each machine, application, user, data stream, and other assets as its own independent ‘perimeter,’ operators have access to highly granular access policy enforcement, which ensures that rigorous security enforcement continues even if hackers are initially successful in getting into an IT asset,” according to Arutyunov. “Its efficacy has already been proven by NIST and the United States federal government (namely, in the Biden Administration’s 2021 Executive Order),” he added.

Arutyunov said that contrary to popular belief, zero trust can be fast, cost-effective, and easy to implement. “Much of the delay in implementation for critical infrastructure operations is not due to the specifics of the technology itself, but rather misinformation-based skepticism about beginning a new approach,” he added.

“To be honest, none of the solutions or methods that are currently on the table can guarantee the 100% prevention of cyber attacks,” TXOne’s Liu said. “Instead, organizations have to focus on reducing risk and ratcheting up the difficulty level for would-be attackers using real-world practices. That’s also the reason why offerings that give multi-layered protection from endpoint to network all follow the zero-trust architecture and the NIST Cybersecurity Framework, no matter if they’re for IT or OT use cases,” he added. 

More than that, Liu said that the NIST Cybersecurity Framework addresses how soon an organization can detect a breach or incident, as well as how to reduce the impact, how to recover, and the definition of resilience against cybersecurity incidents.

Liu identified that usually a successful cybersecurity deployment in an OT environment is defined by three requirements – operation will not be impacted after deployment, no significant increase in the number of staff to manage cybersecurity, and when an attacker strikes, the deployment will reduce business impact. “So, usually in diverse OT environments, we suggest our customers start with a small-scale deployment to make sure the first two elements work before rolling out a large-scale deployment,” he added.

Defining the extent to which critical infrastructure asset owners and operators can stand up against the growing sophistication and technique of adversarial attacks, such as the R4IoT approach, Arutyunov said that with a proactive, zero-trust approach, critical infrastructure owners and operators can fully defend themselves against new ransomware threats such as R4IoT. 

“A true zero trust architecture allows operators to either completely block hackers at the source or isolate them to prevent them from disrupting operations,” according to Arutyunov. “Even as hackers’ strategies rapidly evolve, an identity-based zero-trust approach will adapt to the new context, taking into account parameters such as location, repeated access failures, and vulnerability levels to prevent attacks,” he added.

Liu said that with preparation critical infrastructure asset owners and operators can stand up against the growing sophistication and technique of adversarial attacks. “Demand and inquiries are often driven by major incidents in the media – there’s no wrong time to shore up cyber defenses and safety, but by the time an incident has happened, it can be too late to get the upper hand on business impact,” he added. 

One trend “we think will be a big step forward for preventing catastrophic cyber incidents is that many organizations have recently committed to a strong push for better regulations, especially after the Colonial Pipeline attack in May of last year,” Liu said. “We also see that the awareness of and demand for OT cybersecurity are increasing, and more budget is actually being sponsored by decision-makers or upper management who have come to understand that cybersecurity is a foundational risk control for any organization.” 

“From our perspective, most asset owners and operators are now looking for the best practices and success stories that can be referenced and adopted in their verticals,” according to Liu. “We are also working closely with a Global Systems Integrator (GSI) to contribute knowledge to reduce the entry barrier for asset owners,” Liu concluded.