In the last few years, ransomware has become the most prominent and concerning threat in today’s attack landscape. Through taking down hospitals, enterprises, manufacturers and critical national infrastructure, the threat has cost organizations billions while earning attackers millions, turning it into today’s cyber-weapon-of-choice.
According to a recent Ponemon Institute report, one-third of organizations reported being hit by ransomware in the past two years. More than half of these organizations said they had paid an average ransom of more than $500,000, while some organizations reported paying more than $2m. These figures highlight just how effective ransomware is today and that if organizations are not prepared, it can have devastating financial impacts.
When it comes to targets, no sector is immune. However, attackers want to hit organizations that cannot function when they don’t have access to their data and systems because this increases the likelihood of receiving a pay-out. As a result, industrial organizations that provide essential services to society are a prime target for ransomware criminals.
Industrial organizations include manufacturers, fuel and energy providers and water utilities. When cyber-attacks successfully target these organizations, it’s society that suffers the consequences by way of food shortages, power cuts and disruptions to the supply of fuel and water.
The security of these organizations has become a significant concern recently because many are digitalizing their operations, which is increasing their vulnerability to cyber-attacks. Industrial systems were traditionally air-gapped, and machinery and operational equipment were never connected to the internet and could not be accessed by anyone who was not physically within plant walls. Today this has all changed, and machinery and operational technology (OT) are being connected to enterprise IT to become more efficient, cut costs and improve safety. While these initiatives all offer significant business benefits, they also raise the cybersecurity stakes.
Today attackers can target industrial organizations through their IT networks and move laterally across their environments to gain access to OT. Once they have carried out this infiltration, they can then initiate a ransomware attack, holding both the OT and IT networks hostage until a ransom demand is paid.
Of course, whether attackers are successful comes down to the maturity of security in the organization. When organizations are defending their networks proactively through visibility and segmentation, they are better prepared for attacks and can navigate them successfully. When organizations are not prepared, it can often mean game over.
Therefore, industrial organizations must prioritize their defenses today and ensure their security programs are designed to detect and protect against ransomware. When considering these environments, security teams must take a consequence-driven approach, understanding what assets are considered the ‘crown jewels’ and what operational processes are mission-critical.
Key aspects to focus on include:
1) Increase OT Network Visibility
Having consistent visibility is the most critical foundation of industrial cybersecurity because you can’t protect what you can’t see. Ensuring security teams have visibility across all connected devices so they can be secured is critical.
2) Patch What Can Be Patched, Segment What Can’t
Attackers frequently exploit unpatched vulnerabilities to infect systems with ransomware, so maintaining a regular patch management strategy is vital. Keep IT systems up to date with patches and apply patches to OT, where possible. If a mission-critical system is too old to be patched or can’t be taken offline to apply a patch, segment it from other network areas to prevent criminals from gaining access through the device and traveling across the network. Also, use network segmentation to isolate an industrial organization’s ‘crown jewels’ from other less critical areas of the network – this is critical in preventing lateral movement attacks.
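One way to make the segmentation advice above checkable is to write the allowed zone-to-zone flows down as a policy and run network flow records against it, so that an IT-to-OT connection the policy does not permit, traffic into the 'crown jewel' zone, or a flow involving an asset the inventory has never seen (a visibility gap) is surfaced for the security team. The following Python script is an added example, not part of the article and not any vendor's product; the zones, subnets, ports, allowlist entries and flow-log format are all constructed for illustration.

```python
"""Flag network flows that cross a segmentation boundary the policy does not allow.

Added example for illustration; zones, subnets, ports and the log format are
constructed and are not taken from the article or any real plant network.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone map: subnet -> network zone (a simplified Purdue-style layout).
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.1.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.2.0.0/24"),
    "ot_control": ipaddress.ip_network("10.3.0.0/16"),
    "safety": ipaddress.ip_network("10.4.0.0/24"),  # treated as the 'crown jewels'
}

# Constructed allowlist of (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is reported as a segmentation violation.
ALLOWED_FLOWS = {
    ("enterprise_it", "ot_dmz", 443),   # IT reads a mirrored historian over HTTPS
    ("ot_dmz", "ot_control", 4000),     # DMZ collector polls the plant historian (assumed port)
}

# Zones into which no unlisted inbound traffic is ever acceptable.
CROWN_JEWEL_ZONES = {"safety"}

# Constructed flow-record format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    src_zone: str
    dst_zone: str
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; 'unknown' means the asset is not in the inventory."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src: str, dst: str, dport: int) -> Optional[Finding]:
    """Return a Finding for a flow that violates the policy, or None if it is acceptable."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return None  # intra-zone traffic is outside the scope of this check
    if (src_zone, dst_zone, dport) in ALLOWED_FLOWS:
        return None
    if "unknown" in (src_zone, dst_zone):
        reason = "unknown asset (visibility gap)"
    elif dst_zone in CROWN_JEWEL_ZONES:
        reason = "traffic into crown-jewel zone"
    else:
        reason = "cross-zone flow not in allowlist"
    return Finding(src, dst, dport, src_zone, dst_zone, reason)


def find_violations(lines: List[str]) -> List[Finding]:
    """Parse flow records and collect every policy violation, in log order."""
    findings = []
    for line in lines:
        match = FLOW_RE.search(line)
        if not match:
            continue  # malformed record; a real pipeline would count these separately
        src, dst, dport, _proto = match.groups()
        finding = check_flow(src, dst, int(dport))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample flow records exercising each outcome.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.1.5.20 dst=10.2.0.15 dport=443 proto=tcp",   # allowed IT -> DMZ
    "2024-05-01T10:00:02Z src=10.1.5.20 dst=10.3.10.7 dport=445 proto=tcp",   # IT -> OT SMB, not allowed
    "2024-05-01T10:00:03Z src=10.3.10.7 dst=10.3.10.9 dport=502 proto=tcp",   # intra-zone OT traffic
    "2024-05-01T10:00:04Z src=10.2.0.15 dst=10.4.0.3 dport=22 proto=tcp",     # DMZ -> safety zone
    "2024-05-01T10:00:05Z src=10.1.9.41 dst=192.168.77.5 dport=3389 proto=tcp",  # destination not inventoried
    "2024-05-01T10:00:06Z src=10.2.0.15 dst=10.3.10.7 dport=4000 proto=tcp",  # allowed DMZ -> OT
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f"{f.src} ({f.src_zone}) -> {f.dst} ({f.dst_zone}) port {f.dport}: {f.reason}")
```

Run against the constructed records, the script reports three findings: the IT-to-OT SMB connection, the flow into the safety zone, and the flow to an address outside every known zone. The last category is deliberately reported on its own, because an asset missing from the zone map is exactly the visibility gap the first recommendation describes, and the allowlist cannot be trusted until it is resolved.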
3) Boost Incident Response Capabilities
Understanding weaknesses and minimizing them through incident response training is a critical element in ransomware defenses. Security teams also need to understand that weaknesses can change over time, particularly as digital transformation efforts accelerate. This means revisiting and updating security plans and response procedures whenever functions within the organization change.
4) Nurture a Security-Conscious Culture
Encouraging and nurturing a strong security culture, where staff are trained on the dangers of threats and attacker techniques, is also vital. Given that most ransomware attacks are propagated through user-initiated actions such as clicking on malicious links or opening malicious attachments in emails, it is important to train staff to be on guard for suspicious emails and rely on them as your first line of defense.
Industrial networks are far more connected than ever, which has significantly increased the security stakes. When organizations increase their visibility into their OT systems, have good OT vulnerability management, a defensible architecture and practice incident response for different attack scenarios, they have a much better chance of coming out safely and minimizing the impact of attacks.