Prevent Ransomware Attacks on Critical Infrastructure
Cyberattacks against critical infrastructure can cause massive societal disruption and take an enormous financial toll. Discover how to protect six key OT domains to help prevent ransomware and other threats to essential operations.
Cybersecurity Awareness Month 2022 Series
Cyberattacks against critical infrastructure can cause massive societal disruption and take an enormous financial toll. Those high stakes make industrial IT and OT (operational technologies) appealing targets for ransomware in particular. Applying strong cyber defences to six critical OT domains can help prevent ransomware and other threats to power grids, pipelines and similar essential operations.
Ransomware attacks on industrial targets continue to rise, accounting for more than half of all malware on industrial endpoints. They have also become highly sophisticated, able to exploit long-unpatched vulnerabilities and—less commonly—zero-day vulnerabilities. Often the labour is divided: one cybercriminal (or group) discovers vulnerabilities, another sells lists of vulnerabilities, others sell tools to exploit different kinds of vulnerabilities, while some other actor handles payment processing. Some ransomware attacks now even escalate to double and triple extortion.
These developments coincide with the evolution of industrial networks from largely self-contained ‘walled gardens’ built on proprietary, vendor-specific communications protocols to IP-based systems that increasingly make use of the corporate IP network, which is shared by other applications. Remote monitoring, configuration and analytics are commonplace, with automation systems and field operations beginning to take advantage of cloud and edge computing. These new connections combined with generally more interconnected IT and OT systems continue to expand the industrial attack surface.
How to prevent ransomware attacks across the six domains
There are six key operational domains where ICS security can help prevent ransomware and other cyber threats: the OT and IT perimeter, OT assets, the OT network, IIoT, offline operations, and security operations centres/computer security incident response teams (SOCs/CSIRTs). In each case, there are specific vulnerabilities to note—and concrete steps that can be taken to address them.
1. OT and IT perimeter — Because OT and IT are more connected than ever before, vulnerabilities in one pose risks for the other. This is exacerbated in many industrial settings by the fact that different parts of the organisation are responsible for different aspects of the OT and IT systems: corporate IT, site-specific IT divisions, production engineering teams, and more. That distributed responsibility means no single unit sees the entire network. To remedy this, critical infrastructure operators need to establish boundaries of defence between the corporate network and industrial sites, and/or between office and field areas.
2. OT assets — The combined IT and OT environment is a ‘system of systems’ with components that have very different lifecycles—from PCs that last five years on average to industrial equipment in service for 20 years or more. That mix of new and legacy technologies means some assets can be protected by up-to-date methods and others may not support security software or be patchable at all. As a result, what’s required is a unified security approach with case-by-case policies based on the varying risks faced by specific tasks, systems, and operations.
3. OT network — The new connectivity types and technologies entering the industrial environment—cellular and RF, cloud and edge computing—require modern security approaches like Secure Access Service Edge (SASE). Specifically, that means a focus not just on repelling attacks but also identifying and containing those that infiltrate the network, with end-to-end network visibility and knowledge of the industrial processes they’re connected to. One particular area of vulnerability identified by Trend Micro research has to do with protocol gateways, which facilitate information exchanges between devices and systems. These are commonly used to interconnect OT and IT systems and, if compromised, can grind industrial processes to a halt. Network security approaches therefore also need to be adapted to consider these and other industrial protocols used in field networks.
4. Industrial Internet of Things — IIoT deployments increasingly depend on private 5G networks, which have four possible penetration routes and three points in the core network at which signals can be intercepted. The core network, in turn, can be used as a springboard to attack a manufacturing site overall. All technologies associated with IIoT, including 5G connectivity, industrial clouds, and IoT sensors, need to be folded into the security approach.
5. Offline operations — While not every facet of industrial operations is networked, offline technologies that interface with the network such as removable media and maintenance terminals can also be points of vulnerability. These, too, must be considered in any complete scheme to prevent ransomware and secure the industrial environment.
6. SOCs/CSIRTs — SOCs and CSIRTs are part of the corporate IT team that monitors the network, including the enterprise-to-site boundary. What they need is an effective unified platform to provide end-to-end visibility across the entire OT/IT environment for threat identification, response, and containment.
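Domain 1 above calls for explicit boundaries of defence between the corporate network and industrial sites, owned by a named team so that the split responsibility for OT and IT does not leave a crossing nobody watches. The following Python is an added example written for this article, not Trend Micro code: it models three zones (corporate IT, a site DMZ, and the OT control network), an allowlist of agreed boundary crossings each tagged with its accountable owner, and a check that flags any flow that crosses a zone boundary without a matching rule. The addresses, ports, team names and flow records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout for illustration; the addresses are hypothetical,
# not taken from the article or any real site.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "site_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    owner: str  # team accountable for this agreed boundary crossing


# The boundary policy: every permitted zone crossing is written down with an
# owner, so no crossing exists that nobody is responsible for. Anything not
# listed is denied and reported.
ALLOW_RULES = [
    Rule("corporate_it", "site_dmz", "tcp", 443, "corporate IT"),            # historian web/API in the DMZ
    Rule("site_dmz", "ot_control", "tcp", 502, "production engineering"),   # Modbus/TCP polling from the DMZ only
    Rule("ot_control", "site_dmz", "tcp", 4840, "production engineering"),  # OPC UA publish from control to DMZ
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(flow: dict) -> dict:
    """Return the flow annotated with an allow/deny verdict and the reason."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone and src_zone != "unknown":
        return {**flow, "verdict": "allow", "reason": f"intra-zone ({src_zone})"}
    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (
            src_zone, dst_zone, flow["proto"], flow["dport"]
        ):
            return {**flow, "verdict": "allow", "reason": f"rule owned by {rule.owner}"}
    return {
        **flow,
        "verdict": "deny",
        "reason": f"no agreed crossing for {src_zone} -> {dst_zone} {flow['proto']}/{flow['dport']}",
    }


def find_violations(flows: list) -> list:
    """Flows that cross a zone boundary without a matching rule."""
    return [v for v in map(evaluate_flow, flows) if v["verdict"] == "deny"]


# Constructed flow records, as a boundary firewall or passive sensor might log them.
SAMPLE_FLOWS = [
    {"src": "10.10.5.20", "dst": "10.20.0.10", "proto": "tcp", "dport": 443},          # corporate -> DMZ historian
    {"src": "10.20.0.10", "dst": "192.168.100.15", "proto": "tcp", "dport": 502},      # DMZ -> PLC, the permitted path
    {"src": "10.10.5.20", "dst": "192.168.100.15", "proto": "tcp", "dport": 502},      # corporate PC straight to a PLC
    {"src": "192.168.100.15", "dst": "192.168.100.16", "proto": "tcp", "dport": 502},  # PLC to PLC, same zone
    {"src": "10.10.5.20", "dst": "192.168.100.15", "proto": "tcp", "dport": 3389},     # corporate PC RDP into the control zone
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"DENY {v['src']} -> {v['dst']} {v['proto']}/{v['dport']}: {v['reason']}")
```

Run against the sample flows, the two corporate-to-control flows are reported while the agreed DMZ path and the intra-zone traffic pass. The same table doubles as documentation of who owns each crossing, which is the piece that goes missing when corporate IT, site IT and production engineering each see only their own part of the network.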
Deploying the right measures
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on how to prevent ransomware attacks in ICS settings, outlining a four-stage process: preparation, detection and analysis, containment and eradication, and recovery. These can be boiled down further to a pair of overarching principles: reduce infection risks and minimise impacts after incidents. Covering that scope requires a unified security platform with full visibility across the industrial environment.
[Figure: The CISA approach to anti-ransomware ICS]
Above all, a unified security platform should provide complete situational awareness, exposing all risks and threats across the OT and IT infrastructure to ensure resilient critical operations, with security controls for both legacy and current systems.
[Figure: What a unified security platform should deliver]
The other essential component is extended detection and response (XDR). While XDR originated in the IT world, it applies equally well to today’s OT context—with some adaptation to suit the unique characteristics of OT such as narrow bandwidth, lack of internet access, shared IP addresses across devices and the like.
XDR monitors multiple traditional silos—from email and endpoints to servers and cloud workloads—correlating the data across them to pick out events that seem benign in isolation (a hallmark of stealthy ransomware attacks) and recognise them as meaningful indicators of compromise (IOCs). Security teams can detect and respond faster, handle more alerts, and improve the overall security posture of the organisation.
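To make the cross-silo correlation concrete, here is an added Python example (written for this article, not Trend Micro's XDR code) that joins three event streams: an email gateway, an endpoint agent and a file server. Each event is weak evidence on its own, so a lone Office-spawned shell or a burst of file renames is left alone; only a chain of all three stages, pivoting on user and then on host inside a time window, is escalated as an incident with its IOCs attached. The event records, hostnames, usernames and the attachment hash are constructed placeholders, and the two-hour window and rename threshold are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed events from three silos. Names, hosts and the hash are
# placeholders for illustration, not real indicators.
EVENTS = [
    {"ts": "2022-10-03T08:02:00", "source": "email", "user": "j.doe",
     "attachment_sha256": "PLACEHOLDER_HASH_0001", "subject": "Invoice 4471"},
    {"ts": "2022-10-03T08:15:00", "source": "endpoint", "host": "ENG-WS-07", "user": "j.doe",
     "parent": "WINWORD.EXE", "child": "powershell.exe"},
    {"ts": "2022-10-03T08:40:00", "source": "server", "host": "FILESRV-01",
     "client_host": "ENG-WS-07", "smb_renames_per_min": 450},
    # An isolated Office-spawned shell on another workstation: no chain forms around it.
    {"ts": "2022-10-03T12:00:00", "source": "endpoint", "host": "IT-WS-02", "user": "a.smith",
     "parent": "EXCEL.EXE", "child": "powershell.exe"},
    # A nightly backup job renames many files, but no earlier stage leads to it.
    {"ts": "2022-10-03T23:10:00", "source": "server", "host": "FILESRV-01",
     "client_host": "BACKUP-01", "smb_renames_per_min": 900},
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
RENAME_THRESHOLD = 100  # renames/min above which a server event counts as a stage (assumed)


def _t(event):
    return datetime.fromisoformat(event["ts"])


def _within(earlier, later, window):
    """True if `later` happened at or after `earlier` and no more than `window` later."""
    return timedelta(0) <= _t(later) - _t(earlier) <= window


def correlate(events, window=timedelta(hours=2)):
    """Join stage 1 (email), stage 2 (endpoint) and stage 3 (server) events into
    incidents. Pivot keys: user joins email to endpoint, host joins endpoint to
    server. Only a complete chain inside the window is escalated."""
    emails = [e for e in events if e["source"] == "email"]
    endpoints = [e for e in events
                 if e["source"] == "endpoint" and e["parent"] in OFFICE_PARENTS]
    servers = [e for e in events
               if e["source"] == "server" and e["smb_renames_per_min"] >= RENAME_THRESHOLD]

    incidents = []
    for mail in emails:
        for ep in endpoints:
            if ep["user"] != mail["user"] or not _within(mail, ep, window):
                continue
            for srv in servers:
                if srv["client_host"] != ep["host"] or not _within(ep, srv, window):
                    continue
                incidents.append({
                    "user": mail["user"],
                    "host": ep["host"],
                    "stages": ["email", "endpoint", "server"],
                    "iocs": {
                        "attachment_sha256": mail["attachment_sha256"],
                        "process_chain": f"{ep['parent']} -> {ep['child']}",
                        "affected_servers": [srv["host"]],
                    },
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"INCIDENT user={inc['user']} host={inc['host']} iocs={inc['iocs']}")
```

With the sample events this yields exactly one incident, for j.doe on ENG-WS-07, with the attachment hash, the process chain and the affected file server as its IOCs; a.smith's lone endpoint event and the backup job's rename burst stay as unescalated observations. Shrinking the window below the thirteen minutes between the email and the endpoint event breaks the chain, which is the knob an analyst tunes against the organisation's own noise.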
To prevent ransomware attacks against critical infrastructure, the combination of a unified security platform with XDR meets the requirements of all six OT domains by:
- Preventing malware attacks between the IT and OT environment and in the cloud
- Securing legacy endpoints through application controls and infected device recovery
- Improving situational awareness with inline deployment or passive monitoring
- Protecting IIoT devices with purpose-built ICS malware prevention
- Ensuring removable media and devices brought into the OT environment are safe to use
- Correlating deep data across multiple vectors for integrated monitoring
The reality today is that ransomware is becoming more effective and more profitable than it has ever been, and critical infrastructure and other industrial environments are lucrative targets. Security controls need to be deployed that are specifically suited to the combined OT and IT context, with layered protection, early detection and response, and a unified platform for maintaining security across the entire network.
Next steps
For more information on ransomware and cyber risk, check out these resources:
- How to Prevent Ransomware as a Service (RaaS) Attacks
- [VIDEO] How Ransomware Threatens Critical Power Operations & What You Must Do to Protect Your Systems
- [REPORT] Trend Micro 2022 Midyear Cybersecurity Report: Defending the Expanding Attack Surface