Our new Biannual ICS Risk & Vulnerability Report is the most up-to-date look at CVEs disclosed in OT devices.
Check it out!
Ransomware Attacks on Critical Infrastructure and the Role of Government
By The Claroty Team | June 14, 2021
Claroty experts recently came together in a webinar to discuss the implications of the Colonial Pipeline ransomware attack and what you need to know about the impact of ransomware on industrial processes. The panelists discussed a range of topics including one complex and pivotal issue emerging this year: the role of government. Specifically, the discussion concerned the degree to which the government should be involved when an attack impacts critical infrastructure that is integral to our daily lives, even if that critical infrastructure is operated by a private organization.
Colonial Pipeline, the single largest distribution mechanism for fuel for the most densely populated portion of the U.S., the East Coast, made the decision to preemptively shut down its pipeline out of an abundance of caution. The move sent prices climbing and consumers in some states scrambling to find gasoline at the pumps. But imagine if this had happened in January, and we were talking about heating oil distribution. This problem pales in comparison to such a shortage in the middle of winter. How we determine whether to shut down operations amidst a ransomware attack bears discussion.
The U.S. government’s response to this attack, which brought industrial ransomware threats to the forefront of public awareness, has been unprecedented. The White House issued an Executive Order focused on protecting IT and operational technology (OT) networks. And the Transportation Security Administration (TSA) is mandating incident-reporting procedures and hardened cybersecurity practices from pipeline owners and operators, many of whom operate privately within this critical infrastructure sector. No longer can they turn a blind eye to alerts or opt out of cybersecurity controls suggested by the federal government.
Less than a week after the mandate, the world’s largest meat supplier, JBS Foods, was also hit with a ransomware attack that disrupted operations. This adds a new dimension to the discussion—the implications to the U.S. government’s traditional sector-based approach to cybersecurity when a problem transcends sectors.
Protecting the nation’s critical infrastructure is going to require public-private sector partnerships to close the current gaps and potential risk to the U.S. supply chain and national security. While perhaps not applicable to every segment, for companies in some critical sectors—such as energy, oil and gas, transportation, finance, healthcare, and food and beverage—the decision to shut down may need to be made in consultation with the government and not in a vacuum. However, if this is the case, provisions must be made for immediate access and dedicated attention to support companies during a crucial period. Whether that is a different agency per sector or one overarching body or some approach in between, resources must be allocated and remain available. While we’re still in the early stages of sorting out options and roles, we cannot let this distract us from our top priority to mitigate industrial cyber risk.
Decisions Grounded in Data
Regardless of the parties involved in the decision to shut down operations, these decisions must be based on data. You can’t protect what you can’t see, therefore effective industrial cybersecurity must start with knowing what needs to be secured. You always need a current inventory of all OT, IT, and Industrial Internet of Things (IIoT) assets, processes, and connectivity paths into the OT environment. With an accurate picture, you can tackle inherent critical risk factors—from vulnerabilities and misconfigurations to poor security hygiene and untrustworthy remote-access mechanisms. Visibility into process values—such as temperatures, chemical composition, and product formulas—can help ensure the quality and consistency of outputs. You can establish a behavioral baseline against which to monitor the network and understand the vulnerabilities, threats, and risks that may be present—including anomalies that may indicate an early-stage attack—in order to take pre-emptive actions.
In addition to strengthening your industrial network defenses, you also need to build resilience. When executed effectively, network segmentation is an effective strategy for impeding attackers’ lateral network movement. In today’s hyper-connected world, OT networks are no longer air-gapped, and network segmentation compensates for this. Since these environments are often geographically dispersed, deploy virtual segmentation to zones within the industrial control system (ICS) network to regain control over isolated sites. This will alert you to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. Virtual segmentation can also improve network monitoring and access control, and greatly accelerate response time. In the event an attacker does establish a foothold, you can shut down only portions of the network, regain control, and drive intruders out, saving cost and reducing downtime. Additionally, encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware. Secure, available offline backups are crucial to rapid recovery from such attacks. Make sure you know where backups are, how to access them and that they are regularly tested.
To paraphrase one of the panelists on the webinar, Admiral (Ret.) Michael S. Rogers, Chairman of Claroty’s Board of Advisors, in the absence of data, decisions to shut down are made because an adversary may be inside the production environment. With a “self-imposed mission kill” we are doing for the opponent what they were trying to do but failed to do. But when we gain visibility and understand risk, we can strengthen defenses and build resilience.
Regardless of who is involved in the decision to shut down operations when a ransomware attack happens, there are steps organizations can take, no matter where they are in their cybersecurity journey, to help make better decisions. And since we’re talking about infrastructure that underpins our way of life, we need to get started now.