Chris van den Hooven from Hudson Cybertec explains how organisations can protect themselves against ransomware attacks
On 7 May 2021 a ransomware attack took down the Colonial Pipeline infrastructure. Ransomware is a form of malicious software designed to encrypt files on a device, rendering any files and the computer systems that rely on them unusable. The impact of the attack on the largest gasoline pipeline in the US was enormous. The restart of the pipeline operations began on 12 May and operations had returned to normal on the 15 May.
The increasing ransomware problem
A ransomware attack is possible on any type of IT infrastructure. There have been many successful attacks on all kind of organisations. One of the most recent attacks took place on Kaseya, a company providing management and security software to managed service providers . By attacking Kaseya, the attackers ended up in affecting more than 1,500 organisations.
The ‘business model’ of such attackers is proven to be very successful. The ransomware groups apparently invested in even better attack tools. A common reaction to a ransomware attack is to restore the systems from the backup. In response, attackers began to exfiltrate data before the ransomware software encrypts the attacked system. The attacker will threaten to leak or auction off company secrets.
Protecting an ICS against ransomware
A ransomware attack can be successful against an industrial control system (ICS), but most of the attacks are targeted to business systems. In its publication Threat landscape for industrial automation systems – Statistics for H2 2020, security firm Kaspersky published a percentage of ICS computers on which malicious software was found (and blocked). For the oil and gas industry it was an alarming 44%. Ransomware threats for ICS are growing. ‘Given the importance of critical infrastructure to national security and America’s way of life, accessible OT assets are an attractive target for malicious cyber actors,’ says the Cybersecurity and Infrastructure Security Agency (CISA). Obviously, this statement is true for many parts of the world, including Europe.
Governments are responding
In reaction to the increasing ransomware problem the US Transportation Security Administration on 20 July 2021 issued a second security directive meant to strengthen critical pipelines against cyberattacks. In Europe, a proposal has been adopted for a revised directive on the security of network and information systems. Another way governments seem to respond is to attack the attackers. In case of the Colonial Pipeline US law enforcement agents successfully retrieved roughly US$2.3 million of the ransom paid. In the case of the attack on Kaseya, the ransomware group behind this attack, called REvil, seems to have vanished. The reason behind this is unknown, but the common belief is that some government forced them to disappear.
Protecting against ransomware
A successful cyber attack, including a ransomware attack, requires several steps. The cyber security specialists of Lockheed Martin were the first to describe these steps as The Cyber Kill Chain. One of the steps could be stealing a company badge or stealing keys from a back door, by which the attacker can get access any time he wants. To prevent a scenario like this, organisations have all kinds of measures in place.
A closed-circuit security camera system makes it difficult to wander around in the building unnoticed. Preventing a successful cyber attack, including a ransomware attack, requires the cyber equivalent of these measures. One might keep an eye on the internet and notice the company is discussed as a potential target. Enforcing strong authentication for network access makes it harder to find a way in and makes it harder to steal a password. Segmenting the network makes it more difficult to get access to the most valuable systems. Monitoring the network and investigating any unusual behaviour makes it harder for an attacker to remain unnoticed.
Where to start
The attacker has an advantage, needing only one loophole, while the defender must have everything in order. It takes time, sometimes months, for an attacker to reach his goal. The advantage will shift away from the attacker and performing a successful attack becomes much harder once there are enough barriers (network segmenting, strong authentication, etc.). When also monitoring is in place it becomes next to impossible for an attacker to remain unnoticed. The value of monitoring is one of the reasons Hudson Cybertec developed OT Insight, a network monitoring and compliance solution.
The IEC 62443 is a series of standards for protection industrial automation and control systems (IACS). This IEC 62443-2-1 describes how to establish an industrial automation and control system security programme. Applying this standard ensures a structured way in improving the cyber security of any IACS system. It will result in enough barriers to stop or slow down an attacker and monitoring to detect malicious activities.
Source: Tank Storage Magazine, November 2021