Between 2020 and 2021, a notable rise in cyber attacks occurred against critical infrastructure – from the Oldsmar water plant hack to the ransomware attacks against Colonial Pipeline, JBS Foods, and NEW Cooperative.

While many of these high-profile attacks against industrial systems were based in the US, such attacks can happen anywhere and at any time, including in Asia, where unfortunately many industrial sites still operate on legacy operational technology (OT) that is becoming increasingly exposed to new kinds of cyber threats it was not designed to face.

VirusTotal reported that ransomware attacks are of notable concern in countries in this region such as South Korea, Vietnam, China, Singapore, India, and the Philippines, which formed part of the 10 most-affected territories globally for ransomware samples submitted since 2020.

Alarmingly, Gartner predicts that cyber attackers will be able to weaponize OT environments to successfully harm or kill humans by the year 2025. But with this sensationalism comes a greater awareness of the pressing need for specialized OT security solutions and standards. In fact, OT security has become a security issue of national concern.

Singapore recently announced an updated cybersecurity strategy that placed emphasis on OT security, by offering an OT Cybersecurity Competency Framework to guide organizations on the skill sets and technical competencies required for proper management of security risks in OT environments.

Claroty, the industrial cybersecurity company, recently hosted a webinar along with security experts from OT Information Sharing and Analysis Center (OT-ISAC), and the Cyber Security Agency of Singapore. In the webinar, speakers discussed the implications of recent cyberattacks on OT networks, and what key efforts were required to help enterprises improve their OT cybersecurity posture against such threats. Following are three key takeaways from the session.

Ransomware is a long-term issue, so we need sustainable solutions

Once just a nuisance, ransomware in OT environments has become a serious threat. With large pools of victims to target, attackers can reuse their techniques with great success, as disruptions to operations can be drastic, hitting the bottom lines and profits of enterprises.

Recent attacks have also underscored the diverse nature and objectives of attacks. The attacks against the Colonial Pipeline and JBS Foods centered on ransom demands, but the SolarWinds supply chain attack included the ability to beacon out to command-and-control servers and exfiltrate data from certain victims. And the attack against the Oldsmar water-treatment facility was a (fortunately thwarted) attempt to poison the water supply.

What we know now is that these attacks and the threat actors behind them are well-resourced and prolific, which makes it impossible for any single entity to address this issue on its own. Even legislation to make ransomware payments illegal will not eliminate this rampant and increasingly destructive threat. Ransomware is here to stay, and as such, sustainable approaches and solutions are required to combat this threat.

No one single group has all the answers: Collaboration is key

Many of the critical functions that underpin our way of life – food, water, fuel, electricity, transportation – are provided by individual companies. In order to protect these companies, an ecosystem of stakeholders (comprising public and private sector entities) must work together to address ransomware across its entire lifecycle: from the initial attack, to the disruption of operations, to the payment system, as well as educating and raising awareness among enterprises.

While the private sector brings in technology and innovation needed to strengthen defenses and build cyber resilience, the public sector has visibility into the cascading effects and interdependencies of such attacks, as well as the means to incentivize the behaviors required to help drive the collaboration needed to address ransomware.

For example, by changing tax laws, mandating timely reporting, and removing liability concerns for those who report attacks, governments can improve knowledge sharing among organizations. With the ability to quickly share lessons learned from each incident, and by applying those lessons to strengthen defenses and build resilience, we can prevent adversaries from using the same techniques with success.

Tapping into the capabilities and advantages of each party in the ecosystem will build the collaboration necessary to envision a holistic defense plan that can improve outcomes.

Organizations lack visibility and confidence to make the best decisions – we can change this

In the throes of an incident, organizations tend to respond to an attack based on what they do not know, rather than on what they do know.

For example, while there may be no indication that an OT network has been affected, the organization under attack often shuts down its operations as a precaution. Organizations are aware that adequate backup systems and recovery plans are essential for building resilience to ransomware attacks. But the lack of visibility into impacted systems and the other systems that depend on them – such as financials, billing, OT, and others – limits their ability to understand the extent of the exposure to these systems, and thus their ability to make better decisions and to act confidently to mitigate the impact of the attack on the OT network.

The panelists on the webinar demonstrated how organizations can equip themselves with the following industrial cybersecurity capabilities to protect their OT environments.

  • Deep visibility into the OT network. Organizations need to have a thorough and accurate view of their network structure, endpoints, and connectivity paths. This provides a current inventory so they can patch systems or apply additional verification or other compensating controls on legacy and unsupported systems.
  • Continuous network monitoring for unusual activity permits organizations to see when bad actors enter the network and respond faster to make a bad situation better.
  • Secure remote access and operations through multi-factor authentication (MFA), role-based access, and least privilege access, along with strict controls over sessions, to provide off-site access to OT environments while minimizing the substantial risks introduced by remote workers.
  • Encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware.
  • Network segmentation is another critical strategy to impede attackers’ lateral network movement in today’s hyperconnected world where OT networks are no longer air-gapped.
  • Convergence of IT and OT under one security operations center (SOC) enables organizations to shift from compliance-based models to threat- and risk-based frameworks for a holistic approach to resilience and risk management.

Essentially, the message from the webinar panelists is that, even though ransomware attacks are here to stay, there’s no need for organizations to be sitting ducks for such attacks.

A holistic approach to security, which includes OT-specific cybersecurity capabilities and an ecosystem that drives the adoption of effective techniques and practices, together with collaborative responses, can protect vulnerable organizations.

Vijay Vaidyanathan is Regional Vice President – Solutions Engineering, APJ at Claroty. Vijay works predominantly on the front lines of customer cybersecurity risks and challenges for their plants, factories, and industrial automation control systems. He has extensive experience in helping industrial and critical infrastructure facilities understand their current status and gaps. He provides guidance on how to protect productivity and availability considering the active cyber threat landscape around us.
