Ransomware and Industrial Control Systems

Chris van den Hooven from Hudson Cybertec explains how organisations can protect themselves against ransomware attacks

On 7 May 2021 a ransomware attack on Colonial Pipeline's corporate IT systems forced the company to shut down the largest gasoline pipeline in the US. Ransomware is a form of malicious software designed to encrypt files on a device, rendering those files, and the computer systems that rely on them, unusable. The impact of the attack was enormous: the restart of pipeline operations only began on 12 May, and operations had returned to normal on 15 May.

The increasing ransomware problem

A ransomware attack is possible on any type of IT infrastructure, and there have been many successful attacks on all kinds of organisations. One of the most recent took place at Kaseya, a company providing management and security software to managed service providers. By attacking Kaseya, the attackers ended up affecting more than 1,500 organisations downstream.

The ‘business model’ of such attackers has proven to be very successful, and the ransomware groups have apparently reinvested the proceeds in even better attack tools. A common reaction to a ransomware attack is to restore the systems from backup. In response, attackers began to exfiltrate data before the ransomware encrypts the attacked systems, so that even an organisation with good backups can be threatened with the leak or auction of its company secrets.

Protecting an ICS against ransomware

A ransomware attack can succeed against an industrial control system (ICS), but most attacks are aimed at business systems. In its publication Threat landscape for industrial automation systems – Statistics for H2 2020, security firm Kaspersky published the percentage of ICS computers on which malicious software was found (and blocked). For the oil and gas industry it was an alarming 44%. Ransomware threats to ICS are growing. ‘Given the importance of critical infrastructure to national security and America’s way of life, accessible OT assets are an attractive target for malicious cyber actors,’ says the Cybersecurity and Infrastructure Security Agency (CISA). Obviously, this statement holds for many other parts of the world too, including Europe.

Governments are responding

In reaction to the growing ransomware problem, on 20 July 2021 the US Transportation Security Administration issued a second security directive meant to strengthen critical pipelines against cyber attacks. In Europe, the European Commission has adopted a proposal for a revised directive on the security of network and information systems (NIS 2). Governments also appear to be going after the attackers themselves. In the case of Colonial Pipeline, US law enforcement recovered roughly US$2.3 million of the ransom paid. After the attack on Kaseya, the ransomware group behind it, REvil, seems to have vanished. The reason is unknown, but the common belief is that some government forced them to disappear.

Protecting against ransomware

A successful cyber attack, including a ransomware attack, requires several steps. Cyber security specialists at Lockheed Martin were the first to describe these steps as the Cyber Kill Chain. In the physical world, one of the steps might be stealing a company badge or the key to a back door, so that the attacker can get in whenever they want. To prevent a scenario like this, organisations have all kinds of measures in place.

A closed-circuit security camera system, for instance, makes it difficult to wander around the building unnoticed. Preventing a successful cyber attack, including a ransomware attack, requires the cyber equivalent of these measures. Keeping an eye on the internet may reveal that the company is being discussed as a potential target. Enforcing strong authentication for network access makes it harder to find a way in and makes a stolen password far less useful. Segmenting the network makes it more difficult to reach the most valuable systems. Monitoring the network and investigating any unusual behaviour makes it harder for an attacker to remain unnoticed.

Where to start

The attacker has the advantage of needing only one loophole, while the defender must have everything in order. Yet it takes time, sometimes months, for an attacker to reach their goal. Once enough barriers are in place (network segmentation, strong authentication, etc.), the advantage shifts away from the attacker and a successful attack becomes much harder. With monitoring in place as well, it becomes next to impossible for an attacker to remain unnoticed. The value of monitoring is one of the reasons Hudson Cybertec developed OT Insight, a network monitoring and compliance solution.

IEC 62443 is a series of standards for the protection of industrial automation and control systems (IACS). Part IEC 62443-2-1 describes how to establish an IACS security programme. Applying this standard gives a structured way to improve the cyber security of any IACS, resulting in enough barriers to stop or slow down an attacker and in monitoring that detects malicious activity.
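As an added illustration of the segmentation and monitoring barriers described above (this is not code from the article, from Hudson Cybertec or from OT Insight), the following Python script checks NetFlow-style records against a zone and conduit allowlist, the model IEC 62443 uses to structure segmentation. The zone names, address ranges, permitted conduits, exfiltration threshold and sample flows are all constructed for the example; a real deployment would take the zone model from the site's own IEC 62443 risk assessment and the flows from a collector such as a SPAN port or flow exporter.

```python
"""Check OT flow records against a zones-and-conduits allowlist.

Added example, not code from the article or from Hudson Cybertec. Every
zone, address range, conduit, threshold and flow below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone model (assumption): each zone is a set of networks.
ZONES = {
    "enterprise": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz":        [ipaddress.ip_network("10.20.0.0/24")],
    "control":    [ipaddress.ip_network("192.168.100.0/24")],
}

# Allowed conduits (assumption): (source zone, destination zone) -> dst ports.
# Enterprise may only reach the DMZ historian over HTTPS; the DMZ collector
# may poll controllers over Modbus/TCP (502) and OPC UA (4840). Nothing
# else is allowed to cross a zone boundary.
CONDUITS = {
    ("enterprise", "dmz"): {443},
    ("dmz", "control"): {502, 4840},
}

# Bytes a control-zone host may send out of its zone in one flow before the
# flow is flagged as possible data staging or exfiltration (assumption).
EXFIL_BYTES = 50_000_000


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "external"


def check_flow(flow: Flow) -> list[str]:
    """Return the findings for one flow; an empty list means it is allowed."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return findings  # intra-zone traffic is out of scope for this check
    allowed_ports = CONDUITS.get((src_zone, dst_zone))
    if allowed_ports is None:
        findings.append(f"no conduit {src_zone}->{dst_zone}")
    elif flow.dport not in allowed_ports:
        findings.append(f"port {flow.dport} not allowed on conduit {src_zone}->{dst_zone}")
    if src_zone == "control" and dst_zone == "external":
        findings.append("control zone host talking to external address")
    if src_zone == "control" and flow.bytes_out >= EXFIL_BYTES:
        findings.append(f"{flow.bytes_out} bytes leaving control zone")
    return findings


def check_flows(flows: list[Flow]) -> dict[tuple[str, str, int], list[str]]:
    """Run check_flow over a batch and keep only the flows with findings."""
    return {(f.src, f.dst, f.dport): r for f in flows if (r := check_flow(f))}


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 443, 12_000),           # engineer -> historian: allowed
    Flow("10.20.0.10", "192.168.100.15", 502, 900),          # collector polls a PLC: allowed
    Flow("10.10.5.23", "192.168.100.15", 502, 640),          # enterprise host reaches a PLC directly
    Flow("10.10.5.23", "10.20.0.10", 3389, 5_000),           # RDP into the DMZ, not on the conduit
    Flow("192.168.100.40", "203.0.113.7", 443, 80_000_000),  # control host pushes 80 MB to the internet
]

if __name__ == "__main__":
    for key, findings in check_flows(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(findings))
```

The first two flows pass because they follow a defined conduit; the third and fourth are the kind of zone-crossing an attacker who has landed on a business workstation would produce, and the last one combines the two signs of double extortion the article warns about: a controller-zone host talking to an address outside the plant and moving far more data than any polling cycle would.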

Source: Tank Storage Magazine, November 2021


In the spotlight

Monitoring your OT environment is essential: you know what is happening on your network and can see to what extent you comply with the various cyber security standards, laws and regulations.

IEC 62443 Standard

The IEC 62443 standard offers your organization tools to improve the digital security and safety of your IACS environment. Implementation of the standard improves the cybersecurity level of your organization's OT / ICS / SCADA environment.

IEC 62443 is the international cybersecurity standards framework for operational technology (OT). The framework consists of a collection of standards, technical reports and related information for securing Industrial Automation and Control Systems (IACS).


Hudson Cybertec’s IEC 62443 Competence Center has extensive experience with this standard. We play an active role in the development of the standard, actively promote it internationally and have developed a training program around the IEC 62443.


It is becoming increasingly important for organizations to be able to demonstrate that the digital security of their OT environment is in line with standards frameworks. For that reason, (parts of) your IACS environment can be certified according to IEC 62443.


If you want to know more about this standard and need training on how to apply it within your own organization or at your clients, Hudson Cybertec offers a number of training courses.

