Don’t let ransomware risks in critical infrastructure keep you awake at night
The challenge of 2021 for security professionals is undoubtedly ransomware. It has, of course, been around for some years, but it really gained notoriety in 2017 when the WannaCry attack affected the NHS in the UK and NotPetya crippled the global shipping giant Maersk.
More recent attacks have cemented this malware genre at the high end of the risk spectrum. Recent examples include the Colonial Pipeline attack in May that led to fuel shortages and pushed up US fuel prices, the subsequent JBS Foods outbreak that disrupted the food supply chain, the continued attacks on healthcare in Ireland and New Zealand, and even an attack on the insurance giant AXA SA.
Ransomware is disruptive
The problem with ransomware is the level of disruption it causes. When you’re faced with encrypted and inaccessible data it doesn’t just mean that you can’t open files; on some systems the loss of that data stops many more important things from working. If, for example, a domain controller or database is hit, the IT team will try to contain the spread of the infection by turning systems off, quarantining them or even disconnecting from the Internet.
This means that parts of the business that are otherwise unaffected can also lose the ability to operate. We saw this with Colonial: the billing system was affected by ransomware, but the pipeline systems were impacted (and deliberately isolated) by the response to it.
Additionally, the recovery process itself might not go entirely to plan. Colonial paid the ransom but found the decryption tool was too slow, so they had to revert to backups anyway. In the case of a food distribution business, getting data back and systems running again may not be quite as time dependent, but the concentration of food producers could quickly create a single point of failure. In healthcare the stakes are even higher, where interruption to IT medical systems can have immediate and fatal implications. Sadly, it’s for this reason that cynical ransomware attacks on healthcare systems are so prevalent: the cost of ignoring a ransom demand is too high, and criminal groups know that.
Critical Infrastructure is … critical
Everyone is concerned about ransomware and they are right to be; but in the critical infrastructure sector the problem of loss of data and availability of systems is acutely felt, and not just by the company. Depending on the victim it can affect every one of us.
The problems come when the services and supply chains affected are time critical or have the potential to impact our wellbeing. Petrol supplies can run low or be rerouted before there are major issues, and food supply chains likewise, but in sectors like healthcare substitution is more difficult. Yes, you can postpone operations or treatment, but that may lead to life-threatening consequences.
If water supplies are disrupted, the power goes out, gas supplies are cut, or telecoms are down, the effects are much more immediate and widespread. If people can’t heat their homes, cook food, or access clean water, these things impact our wellbeing and quickly take their toll. The threat of ransomware attacks on these types of business is of most concern because of their potential to have major ramifications for our society, much more severe than even the worst scenarios we have seen so far in 2021.
Initially the threat models that were contemplated and planned for in these sectors were intrusion by skilled and malicious hackers intent on disrupting service delivery – someone who would gain access and subvert systems to disable pumps, alter flows, disable control systems or destroy machinery.
The concern was that attacks would be focussed on the industrial control systems (ICS) themselves or on SCADA equipment. Defending against ransomware in the wider IT environment, as it spread across the more traditional (and, it was assumed, less important) platforms and progressively turned systems into an encrypted logjam, was by comparison a lower priority.
It was these more sector-focussed attacks on ICS/OT/SCADA that were front of mind when initiatives like the NIS Directive were instituted by the EU back in 2016, and when the US National Protection and Programs Directorate (NPPD) was set up in 2007 (followed by its successor CISA in 2018).
More recently, the NCSC in the UK has published guidance on mitigating ransomware, the ACSC in Australia likewise, and the White House issued a “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” on 28 July 2021, which followed hot on the heels of the “Executive Order on Improving the Nation’s Cybersecurity” in May.
In Australia things are moving quickly. A new Critical Infrastructure Bill (CIB) seeks to (i) expand the sector beyond traditional utilities and (ii), in consultation with participants, agree a regime of enhanced cyber security safeguards for the sector. Following the Colonial and JBS attacks, Australia has judged the risk of cyber attack on infrastructure targets so urgent that it has sought to accelerate legislation by splitting the CIB. Part 1 of the CIB, currently before Parliament, seeks to quickly give the government last-resort powers to “step in” to assist an organisation during a cyber attack. Part 2 of the Bill, which includes the definition of protective risk management programs yet to be agreed with each industry, will then follow.
As its variants continue to yield worsening consequences for victims, ransomware sits menacingly between the specialist SCADA and OT control systems and the wider IT network security environment. The implications of an attack can therefore be highly disruptive in either the IT or the OT environment, and worse still if it impacts the provision of critical services to customers.
The recent events confirm, absolutely, that critical infrastructure providers need to avoid ransomware at all costs. This means that while they can contemplate specific detection systems and malware controls, they also need to focus on the basics of cyber security protection across both the OT and IT environments. Defending each risk vector with acknowledged security controls whose effectiveness can be measured and reported to cyber risk management teams is vital.
Prevention is better than detection
The aforementioned guidance from Australia’s ACSC sums up the best approach concisely:
“Investing in preventative cyber security measures, such as keeping regular offline backups of business-critical data and patching known security vulnerabilities, is more cost effective than the comparative costs incurred when attempting to recover from a ransomware incident.”
Ransomware Readiness means having controls to:
- Prevent – The initial infection (i.e. avoid a patient zero)
- Contain – Should that fail, stop the spread of an infection across systems
- Recover – Restore data and systems and initiate a well-rehearsed incident management playbook
Prevention is obviously vital, but Containment is especially critical for CI organisations where the knock-on effects, regulatory pressures, and affected parties can quickly become overwhelming.
A commercial business might have no qualms about closing off parts of its systems and slowing its ability to take orders for a few days. A power company, however, cannot shut off electricity supplies in the same way.
Get visibility of your risk
From what we’ve discussed, the logic is simple:
For boards and senior managers of CI organisations it is important to have confidence that security controls are in place and operating effectively.
There are numerous Information Security Management Systems standards and frameworks that operate effectively across the sector. What is most important in the CI sector, however, is that operations and senior management teams can quickly gain visibility of the state of their security control effectiveness, on-demand, from a baseline set of quantitative KPIs. If shortcomings are identified in any of the controls they can then be quickly mitigated and the risk of a security breach effectively managed.
If the best policy is to prevent impacts – through stopping initial infection, containing the spread and recovering data – these controls must be managed just like safety critical systems are in OT environments. This is where risk management comes in: you might have controls, but you can’t wait until they fail to be alerted to their potential for failure. If there are vulnerability gaps, they need to be quickly identified, and mitigated and corrective actions taken. Accurate reports need to clearly evidence the state of security maturity.
Lack of understanding and inadequate oversight are arguably two of the biggest challenges when it comes to effective security management. The presence of basic security controls, like patching, must be confirmed and their effectiveness measured so that any deficiencies can be quickly identified and fixed. Unmitigated weaknesses are exactly the gaps that attackers search for, so systematic risk assessments improve your intel and reduce the risk of a ransomware attack.
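The Prevent/Contain/Recover readiness controls above and the call for a baseline of quantitative KPIs in this section can be turned into something a risk team can actually run. The following is an added example, not code from the article or from any of the organisations it mentions: it evaluates a constructed asset inventory against one measurable KPI per control (patch currency for Prevent, OT-from-IT segmentation for Contain, fresh offline backup with a rehearsed restore for Recover) and lists the hosts that create the gap. The field names, the sample hosts and the SLA thresholds are all assumptions chosen for illustration, not figures from the article or any standard.

```python
"""Ransomware-readiness KPIs over an asset inventory (added example).

Input is a list of Asset records such as a CMDB export might provide.
All thresholds and sample data below are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass
class Asset:
    host: str
    zone: str                          # "IT" or "OT"
    last_patched: date                 # last security patch applied
    last_offline_backup: Optional[date]  # None: no offline backup exists
    restore_tested: bool               # restore from that backup rehearsed
    reachable_from_it: bool            # admin protocols reachable from the IT zone


# Assumed SLAs: OT patch windows are longer because they need outage planning.
PATCH_SLA_DAYS = {"IT": 14, "OT": 90}
BACKUP_MAX_AGE_DAYS = 1


def patched_in_sla(a: Asset, today: date) -> bool:
    """Prevent: the host received its last patch within its zone's SLA."""
    return (today - a.last_patched).days <= PATCH_SLA_DAYS[a.zone]


def segmented(a: Asset) -> bool:
    """Contain: an OT host reachable from IT is a spread path for ransomware."""
    return not a.reachable_from_it


def recoverable(a: Asset, today: date) -> bool:
    """Recover: a fresh offline backup exists and a restore has been rehearsed."""
    if a.last_offline_backup is None:
        return False
    fresh = (today - a.last_offline_backup).days <= BACKUP_MAX_AGE_DAYS
    return fresh and a.restore_tested


def _kpi(population: List[Asset], check: Callable[[Asset], bool]) -> Dict:
    """Percentage of the population passing the check, plus the failing hosts."""
    gaps = [a.host for a in population if not check(a)]
    passing = len(population) - len(gaps)
    pct = round(100.0 * passing / len(population), 1) if population else 100.0
    return {"kpi_pct": pct, "gaps": gaps}


def evaluate(assets: List[Asset], today: date) -> Dict[str, Dict]:
    """One quantitative KPI per readiness control."""
    ot_hosts = [a for a in assets if a.zone == "OT"]
    return {
        "prevent": _kpi(assets, lambda a: patched_in_sla(a, today)),
        "contain": _kpi(ot_hosts, segmented),
        "recover": _kpi(assets, lambda a: recoverable(a, today)),
    }


def report(results: Dict[str, Dict]) -> str:
    """Render the KPIs as the kind of one-line-per-control summary a board sees."""
    lines = []
    for control, r in results.items():
        status = "OK " if not r["gaps"] else "GAP"
        lines.append(f"{control:<8} {r['kpi_pct']:5.1f}%  {status}  {', '.join(r['gaps'])}")
    return "\n".join(lines)


# Constructed sample inventory (assumed hosts, dates and zones).
SAMPLE_TODAY = date(2021, 8, 1)
SAMPLE_ASSETS = [
    Asset("dc01", "IT", date(2021, 7, 25), date(2021, 7, 31), True, False),
    Asset("billing-db", "IT", date(2021, 6, 1), date(2021, 7, 31), True, False),
    Asset("hmi-plant1", "OT", date(2021, 3, 1), None, False, True),
    Asset("plc-gw1", "OT", date(2021, 6, 15), date(2021, 7, 31), True, False),
]

if __name__ == "__main__":
    print(report(evaluate(SAMPLE_ASSETS, SAMPLE_TODAY)))
```

In the sample data the OT HMI fails all three controls at once (153 days unpatched, no offline backup, admin ports reachable from IT), which is exactly the host that turns an IT-side infection into an OT outage; the KPI for each control drops below 100 per cent and the gap list names the host to fix, rather than waiting for the control to fail in an incident.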