4 Measures Organizations Can Take to Protect OT Systems from Ransomware Attacks

4 Measures Organizations Can Take to Protect OT Systems from Ransomware Attacks
4 Measures Organizations Can Take to Protect OT Systems from Ransomware Attacks
After spending 18 years working for a large organization that develops Operational Technology (OT) products for various industries, I got to see firsthand the effort of work needed to develop, support and maintain this equipment. Everything from large gas turbines to medical devices to Programmable Logic Controllers (PLCs). Early on, there were concerns about cybersecurity from upper management, but with the use of phone lines. Their response was, “the criminals would need to know the phone numbers of the accounts and then brute force the username and password.”
 
Once high-speed internet and VPNs came along, the response was, “well, they don’t know our proprietary systems and our IP addresses.” Then came Stuxnet. It permanently changed the landscape for OT networks. This was malware that was designed specifically for an OT environment and specifically, a nuclear power plant.  Fast forward 10 years, and organizations with OT systems know the importance in protecting these networks. However, ransomware is now not only an IT concern, but one for OT networks as well.
 
A recent article from ZDNet outlined that CEOs are concerned about ransomware attacks to their networks, especially the costs required to recover from the attack and loss of productivity.  For the OT departments, they are highly concerned about an attack in 2020. Less than half of those surveyed are not fully ready for an attack, according to the Siemens/Ponemon study (October 2019).
 
This leads us to ask leaders of IT and OT departments if they are concerned they will be attacked by ransomware, but are they ready?
 
The concern for the OT security department and its nuances as compared to an IT infrastructure are a lot different, mainly due to the required availability that is needed to operate.
 
Manufacturing, energy or other industrial control system environments typically operate at a 99.999% availability and having a shutdown once a month to apply patches is not something organizations want to risk. Especially in the event the system is not back online after the patch or if the whole system is taken down. Granted organizations’ IT departments will be testing the patch on their systems, as will the OT departments, but there is usually one system that doesn’t reboot properly. Focus now must turn to fixing the issue, which reduces productivity and has a potential loss of revenue along with it.
 
Last year, there was a ransomware attack on an OT organization that manufactured aluminum. The Norsk Hydro attack provided a transparent incident response with their recovery procedures and demonstrated excellent communication skills. Ransomware is just the beginning as it continues to evolve from an unavailability attack to full scale data breaches.
 
A recent report (March 2020) released by Joe Slowik of Dragos Inc, an ICS cybersecurity company, detailed a new strain of LockerGaga ransomware that hit Norsk. Months before, a similar version had hit a French company called Altran Technologies. In both cases, the networks were compromised weeks before the victim organization knew the criminals had infiltrated them. Once inside, the criminals pivoted within the network, changing account credentials, disabling network cards and preventing the organization from reversing the work completed. 
 
Attempting to keep their foothold in the networks, the criminals will start the data exfiltration of intellectual property, the deletion of backups or possibly the disruption or the destruction of OT equipment. Overall, the goal is to damage production or services provided before they launch the encryption process. The encryption process happens and then the ransom note is left behind with the details to send payments to criminals using anonymous and untraceable cryptocurrency.
 
Ransomware is not going anywhere, and more organizations need to be aware that these attacks are coming and need to understand the methods to mitigate the risk of an attack. Technology, the employees, training and assessments are four methods that can be implemented within an OT organization to protect against ransomware.
 

Technology: Can Help to Stop Phishing at the Gate

From a technology perspective, there are numerous technologies and electronic devices that can be installed within the infrastructure to prevent phishing emails from getting to inboxes. Email server configurations like Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM) help protect your domain against spoofing by the criminals, and it provides verification that the email from your domain is actually from your domain.
 

People: The Human Firewall

The human firewall. The eighth layer of the OSI model. Technology will only work as well as you configure it. The bad guys are out there with the same hardware and set-up, testing their phishing emails against that configuration. Whatever works, they add to their repertoire of attacks.
 
After the phishing email gets through your firewalls and email gateways, it lands in the mailbox of your employee. The employee is an organization’s last line of defense and with new-school security awareness training, they can be trained, assessed and analyzed to decrease the risk of a phishing attack. Based on KnowBe4 studies, the human factor can prevent up to 96 percent of those attacks.
 

Security Awareness Training

This can’t be the annual compliance training to tick the checkbox. This is training that is ongoing, that doesn’t just involve the employee understanding the organization’s policies. Acceptance and willingness must exist in order to do their part in protecting the company.
 
Granted, there will be those who attempt to skip through the training and take the test for the certificate. Training needs to be on-demand, interactive and engaging, with an added level of gamification to entice the user to participate and learn. Awareness modules and videos should educate users on how a phishing or social engineering attempt could happen to them.
 

Phishing Assessments


Once the employees have been trained, an assessment of their understanding must be done with frequent testing of their ability to spot a social engineering scam. At least once a month, test your staff to reinforce the training and continue the learning process. You are trying to create a mindset and new habits. It takes a while to set that in motion. Simulated social engineering tests at least once a month are effective at changing behavior. Track how your workforce responds to both training and phishing and work towards getting less than 2 percent of your employees falling for social engineering scams.
 
Organizations that operate OT facilities, which include industrial control systems, water treatment or manufacturing plants, need to be aware of this level of ransomware evolution, as it increases to an almost nuclear level.
 
Ransomware is no longer a hit and run type of attack. The criminals are utilizing phishing and other social engineering techniques to gain access to the IT network and pivoting through to the OT networks to copy and exfiltrate the data before leaving the customer with their data unavailable. It’s only a matter of time before criminal organizations are able to gain access to more OT facilities and organizations.
 

About The Author


James McQuiggan is a Security Awareness Advocate for the KnowBe4 Company.  Prior to joining KnowBe4, James worked for Siemens for eighteen years where he was responsible for various roles over that time. McQuiggan was the Product & Solution Security Officer Siemens Gamesa Renewable Energy. He consulted and supported various corporate divisions on cybersecurity standards, information security awareness and securing product networks.  In addition to his work at Siemens, McQuiggan is also a part-time faculty professor at Valencia College in the Engineering, Computer Programming & Technology Division.

Click Here for More Information

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..

Subscribe