Our new Biannual ICS Risk & Vulnerability Report is the most up-to-date look at CVEs disclosed in OT devices.
Check it out!
Operational Technology Not Immune to Extortion
By Michael Mimoso, Claroty Editorial Director | December 15, 2020
Digital extortion—ransomware, in particular—has become refined. Scattered, spammy email-based attacks for relatively low payoffs have largely been replaced by targeted campaigns, where victims are chosen based on their perceived ability and willingness to pay. This has led to a marked increase in monetary demands from attackers and a startling shift in risk-management decisions for chief information security officers (CISOs) and other business leaders.
Manufacturers, health care providers, and municipalities have already been forced to make devastating choices in recent years by threat actors using ransomware to encrypt systems responsible for critical services and processing personal data, including patient information. As more IT systems absorb and manage operational technology (OT), CISOs and executives in discrete manufacturing, food and beverage, automotive, and other industrial settings will have to contend with the growing awareness among threat actors of industrial processes and the risks to them introduced by connectivity to the internet.
Risk Management and Industrial Cybersecurity
Already, we’ve seen malware families such as Megacortex and Snake (Ekans) include process kill lists targeting HMIs and control system historian databases. Any interference with these systems, for example, could impede process monitoring or lead to a loss of historical process data. While still largely a problem impacting IT systems, the inclusion of OT processes in ransomware indicates a keen awareness of the digital transformation trend and an understanding of how the attack surface available to threat actors can expand where this is prevalent.
CISOs and other decision makers should also understand the relative ease with which attackers are carrying out extortion-based attacks. Criminal threat actors, for example, aren’t developing ransomware samples; they’re often bought from service providers operating online much in the same way IT services are bought and implemented. Ransomware-as-a-service is offered mostly as a subscription-based model, where the malware is sold or rented to criminals intent on distributing it. Step-by-step instructions are provided, and often, a dashboard is made available where distributors may monitor victims, collect payments, and share profits with the service provider. In many cases, very little technical understanding is required on the threat actor’s part in order to carry out an attack.
This is the context under which risk-management decisions must be made with regard to industrial cybersecurity. Attacks are a commodity—not to mention targeting of victims has been radically simplified—and extortion is too direct a line to profit to pass up.
Already, we’ve seen victims such as Norsk Hydro and Honda fall victim to large-scale ransomware attacks, which in Norsk Hydro’s incident, forced the Norweigian aluminum manufacturer to revert to manual processes. After the attack, weeks passed before the company’s servers and endpoints were cleaned of the LockerGoga ransomware and back online, and in the end, recovery cost the company $52 million in losses in Q1 2019.
Like the disruptive attack against Norsk, Honda was hit by actors using the Snake ransomware, and critical production networks were forced offline at several facilities almost immediately. Critical customer service portals and financial services were also unavailable in the days following the attack. Snake is one of the only ransomware families to include industrial control processes in a process kill list embedded in the ransomware.
Ransomware attacks can leave victimized organizations offline on average for two weeks, an unacceptable circumstance in many industries that can result in tens of millions in losses, and in the case of some critical industries, put lives at risk.
Attackers may also perceive industrial enterprises as exceptionally appealing targets due to the typically high costs they incur from downtime. These costs, which often far outweigh the ransom amounts demanded by attackers, suggest that manufacturers may be more willing to comply with attackers’ demands in hopes that doing so will restore productivity — which is never a guarantee.
And, as more businesses bring converge OT operations under IT management, businesses also face the risk of data being stolen in these types of attacks. This type of extortion is a real risk facing industrial organizations. Attackers threatening to leak confidential data have been garnering headlines in Israel for weeks, for example, as insurance giant Shirbit struggles against a group known as Black Shadow that has stolen customer and employee data and wants a hefty ransom demand in return.
Shirbit has said it will not meet the attackers’ demands, but these are real conversations that are better had before an incident. Law enforcement and cybersecurity experts stress that organizations should not pay ransom demands, so as not to prop up a criminal enterprise. But there are organizations that have purchased Bitcoin, Monero, and other cryptocurrency in the event of such an attack in order to facilitate a rapid response. Some technology companies offer similar services, where cryptocurrency is held in escrow and negotiations on behalf of victims can be handled.
ICS Risk Management Strategies
Risk management decisions differ across industries. Threats to discrete manufacturing, where connectivity is king, are different than in other industries more sheltered from the internet. There are, however, some commonalities that can be applied regardless of company size or industry. These include, but are not limited to:
The need for visibility: Critical operational technology assets must be identified and inventoried, especially those central to industrial processes with little to no tolerance for downtime. Asset owners must identify these key pieces of infrastructure in order to protect them.
Secure remote connections: With the pandemic a reality for the foreseeable future, operators of industrial systems will rely on remote access to critical infrastructure in order to update and manage these systems. Secure remote access is an important strategy that must be evaluated and addressed.
Vulnerability assessments: Critical vulnerabilities in industrial control systems can be devastating if exploited. Businesses must have a means to identify and remediate software security issues, or, at a minimum, implement mitigation measures that reduce risk.
Segregated networks: Segmentation is a critical strategy to prevent attackers from moving laterally from compromised IT assets to those on an operational technology network. Certain IT services, such as SMB or RDP and other vulnerable OT-specific communication protocols, should be disabled or used discriminately.
Planning, planning, planning: Secure, available offline backups are crucial to rapid recovery from ransomware attacks. Critical systems should regularly be backed up and media stored offline and away from the reach of threat actors. CISOs, meanwhile, should also conduct exercises that map out potential attack scenarios, and more importantly, response activities from across the company beyond IT and OT staff. Those should include executives, legal, media relations, and others.