For years now, the government has been warning openly and clearly of targeted attacks against government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The recent ransomware attack attributed to the DarkSide cybercrime group against Colonial Pipeline made the risk real for all of us. Not only did the attack against Colonial's IT network prompt the company to shut down its pipeline operation to contain the attack, but the shutdown also sent prices climbing and consumers in some states scrambling to find gasoline at the pumps.
Recently, Mike Mimoso, Claroty's Editorial Director, gathered Claroty experts on the front lines of industrial cybersecurity for a webinar, "The Implications of Ransomware on OT Networks: What you need to know post-Colonial Pipeline about how ransomware impacts industrial processes." Among the panelists was Admiral (Ret.) Michael S. Rogers, Claroty Chairman, Board of Advisors, who set the tone with his perspective, "Never let a crisis go to waste. Use it to drive change." It is in that spirit that he, together with Gary Kneeland, Sr. Product Manager, and Justin Woody, Director of Innovation, shared their observations, advice and next steps for IT and OT teams.
Below are just a few of the highlights from the discussion. For further insights, we encourage you to watch the webinar on demand.
Ransomware attacks are largely opportunistic. In this instance, the cybercriminals leveraged a ransomware-as-a-service operation to target large organizations which they believed could pay large ransom demands. We don't know the initial attack vector at this point for Colonial Pipeline, but the three most typical ways are unpatched systems, phishing, and leaked credentials which can be stolen or purchased. As companies prioritize digitization and the convergence of IT and OT networks expands dramatically, the lines between IT networks and OT networks are blurring. Once inside the network they can move laterally to other network domains.
To date, we haven't seen any examples of ransomware specifically targeting OT components and this holds true for Colonial Pipeline; the ransomware infiltrated the IT network and there is no evidence that it directly impacted the OT network. However, out of an abundance of caution Colonial shut down the OT side of the network, thus precluding their ability to distribute fuel. This move on their part was driven by lack of visibility and understanding of their level of exposure and limited confidence in their ability to mitigate the impact to the OT network, which leads us to the next area of discussion...
While the panelists discussed several security practices, here are five top recommendations:
Foundational to any security program is having visibility and accurate knowledge of your network structure, endpoints, and connectivity paths which have been growing steadily and dramatically increased over the last 15 months. With an always current inventory you can patch systems or apply additional verification or other compensating controls on legacy and unsupported systems.
Encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware. While secure, available offline backups are crucial to rapid recovery from such attacks.
Network segmentation is a critical strategy to impede attackers' lateral network movement. In today's hyper-connected world, OT networks are no longer air-gapped and network segmentation compensates for this.
Continuous network monitoring for unusual activity allows you to see when bad actors enter the network and respond faster to make a bad situation better.
Planning and testing plans with tabletop exercises and red team/blue team exercises can be done without impacting your production environment. The more you train and test, the better prepared you are to respond rapidly and effectively. If you work with third parties, make sure disaster recovery is included in your services agreement.
As ransomware attacks increase in frequency and sophistication, several questions were raised by the audience and will remain important topics for discussion for some time to come, including: