It’s no revelation that ransomware incidents have risen sharply over the last couple of years. The shift to remote working, accelerated by the global pandemic, has widened the attack surface available to criminals, and 2021 has already produced several high-profile cases.
When we think of ransomware, our minds generally turn to threats against information technology (IT), which is not an unreasonable leap to make. However, while IT is on the front line, industrial operational technology (OT) can be just as susceptible to attack, both directly and as an extension of the IT environment it is connected to.
Here’s the thing: when ransomware reaches OT, the consequences are not limited to information being compromised or privacy being breached. A halted or mis-operating physical process can lead to widespread injury and even death. We can’t consider ransomware in an isolated IT bubble; we need to look at it in a broader context that incorporates OT, and identify how ransomware is rapidly adapting to our new ways of working.
The US Department of Commerce’s National Institute of Standards and Technology (NIST) responded to the increasing prevalence of ransomware with a Cybersecurity Framework Profile for Ransomware Risk Management that, at the time of writing, was a draft open for public comment. The Profile is purpose-designed to support organisations in preventing, responding to and recovering from ransomware events.
To clarify, NIST defines ransomware as follows:
“A type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data.”
That definition describes the traditional modus operandi. Ransomware is now more commonly deployed in a ‘dual extortion’ (often called ‘double extortion’) mode, which the same NIST document describes as follows:
“Ransomware may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public.”
NIST then goes on to acknowledge ransomware’s impact on OT, as well as IT:
“Ransomware attacks target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and restore operations themselves.”
“Techniques used to promulgate ransomware will continue to change as attackers constantly look for new ways to increase pressure on their victims.”
Ransomware’s ability to adapt to new circumstances means we’re seeing more and more examples of OT-based critical infrastructure falling victim to attackers. The separation between IT and OT is far less pronounced in today’s integrated environments: a flat network, a shared domain, or a dual-homed engineering workstation gives ransomware that starts in IT a ready path into OT. Unless the distinct security demands of IT and OT are addressed together and to the same standard, organisations are effectively ‘opening the gate’ to their critical infrastructure through weaknesses in their IT security practices.
This was exemplified earlier in 2021 when an attack took down the largest fuel pipeline in the US. All it took was one compromised password for a VPN account that was not protected by multifactor authentication to shut down the entire pipeline for the first time in Colonial Pipeline’s 57-year history. The attackers stole nearly 100 gigabytes of data and threatened to leak it unless roughly US$4.4 million in Bitcoin was paid. Colonial Pipeline paid the ransom.
While Colonial Pipeline maintains there is no evidence the attackers reached its OT systems, the point stands: the company still chose to shut down its critical infrastructure to keep the intrusion from spreading into OT. It was vulnerable. The shutdown resulted in “panic buying in the eastern US and a spike in gasoline prices as Washington waived clean air regulations and rules on shipping and trucking to alleviate shortages”; a ripple effect far more dramatic than an IT-only outage would have produced.
We can only expect that dual extortion ransomware, as seen in the Colonial Pipeline incident, will become increasingly prevalent against OT-focused organisations. The threat of a data leak, layered on top of the conventional loss of availability, adds pressure to give in to ransom demands, and for an operator of physical processes the availability loss alone may already be intolerable.
State-sponsored ransomware attacks on OT environments are another worrying trend expected to grow over the next five years. One of the largest and most disruptive ransomware attacks in history, NotPetya, was attributed by several governments to the Russian military. It crippled IT systems at Ukrainian banks, government agencies and energy companies (the power grid itself stayed up, unlike in the separate 2015 and 2016 attacks on Ukrainian utilities) and disrupted the global operations of the Maersk shipping conglomerate. NotPetya was also a reminder that the ‘ransom’ can be a pretext: its encryption was not designed to be reversible, so paying would have restored nothing.
The difficulty of cyber attribution, combined with the increasing automation of critical infrastructure, is likely to lead to ransomware being weaponised as a deniable form of cyber warfare. This is the kind of threat from ransomware actors that industry needs to prepare for.
It is high time industry stopped treating ransomware as an IT issue and started mitigating the risk with a company-wide focus on people, process and technology. As industrial operations become more sophisticated and more connected, ransomware keeps pace, developing new ways to penetrate organisations’ defences. Failing to prepare for the worst is simply inviting trouble.
Prepare for ransomware attacks against your OT. Speak with the experts at SIS.