The ransomware threat to industrial organisations
04 April 2022
In the last year, ransomware has skyrocketed to become the dominant threat in today’s attack landscape, with 37 percent of global organisations falling victim.
The spike in attacks is largely being driven by the proliferation of ransomware-as-a-service (RaaS) tools, which are offering cybercriminals a means to rent ransomware infrastructure and execute attacks quickly and affordably. This is providing all attackers, regardless of their skills, with a ‘get rich quick scheme’, which is turning ransomware into today’s cyber-weapon of choice to target industries and businesses across the world.
Industrial ransomware on the rise
According to the Dragos 2021 Year in Review, ransomware was the number one cause of security compromises within industrial organisations in the last year. Ransomware was responsible for a spate of damaging attacks spanning fuel providers, food manufacturers, hospitals, transport and agriculture suppliers, all of which demonstrated how vulnerable these organisations are when it comes to ransomware.
Of all the industrial sectors in 2021, ransomware groups targeted the manufacturing industry more than any other, and nearly twice as much as the other industrial groups combined. Analysing industrial security trends during 2021, Dragos compiled data on ransomware attack targets and discovered that manufacturing accounted for 65 percent of attacks, food and beverage came second at 11 percent, and transport came third, suffering 8 percent of attacks. When looking at attack groups, the analysis also discovered that 51 percent of industrial ransomware attacks were carried out by the infamous Lockbit 2.0 and Conti cybercrime gangs.
Today, industrial organisations are at a heightened risk of ransomware attacks because of a move towards digitisation within their environments. These organisations are looking to improve processes and cut costs by overhauling manual tasks with automation. However, this means important operational technology (OT) and plant machinery are being connected to IT networks, which potentially opens doors to attackers. Attackers can now target an industrial IT network and move laterally across the environment to reach OT, where they can then access critical functions or, in the case of ransomware, hold an entire industrial environment hostage until a ransom demand is paid.
However, even when attackers don’t pivot to OT, the damage ransomware causes industrial organisations can be just as severe. Often, as soon as industrial operators notice ransomware within their IT environment, the first action they take is to shut everything down. This prevents the malware from spreading to OT and impacting employee and public safety. However, downtime costs money and the priority is often to get the attackers out of the network as quickly as possible, so systems can be turned on again.
This often leads to industrial organisations paying ransom demands purely to end the downtime, but it isn’t the solution. Instead, the focus needs to be on building a more defensible architecture against the threat.
So, what are the key components that build a secure industrial environment?
A defensible architecture
One of the most important foundations of OT security is a strong network architecture. This means having a monitored, inventoried, controlled, secured and up-to-date network.
Visibility and segmentation
Having a clear view of all network assets is critical, and segmenting mission-critical systems prevents lateral movement attacks. Organisations should also identify the ‘crown jewels’ and ensure they are segregated from IT to prevent unauthorised access. When OT cannot be patched, use segmentation to guard it against attackers.
Incident response planning
By running regular incident response assessments and drills, industrial organisations can identify weaknesses within the infrastructure and harden against them. It is essential to carry out exercises that work out the ways malicious attackers could gain access to the network and then determine how they could move once they are inside. By running incident response regularly, industrial organisations can spot and mitigate weaknesses as digitisation efforts unfold.
Remote access authentication
Today, many industrial organisations are adopting hybrid working, but this is adding external access points into OT environments, which could be exploited if they are not secured properly. The most effective control for remote access authentication is multi-factor authentication (MFA). The focus should be placed on connections in and out of the OT network and not on connections inside the network.
Given the success that ransomware criminals are seeing, it is fair to say industrial organisations will continue to be a key target in the future. As a result, the security of these environments must be a priority, thus allowing organisations to defend against attacks, while embracing the benefits of digital transformation securely.