Ransomware has emerged as one of the biggest threats to industrial organizations in the past few years. Whether you run an IT company or an industrial operation built on an OT environment, you need an effective strategy to defend your business operations and your IT/OT environment against ransomware.

According to a study, ransomware attacks cost the world about $20 billion in 2021, and this figure is expected to surge to $265 billion by 2031. Approximately 37% of industries were affected by some kind of ransomware in 2021. When ransomware hits a business, it results not only in a tremendous financial loss but also in industrial downtime and a massive loss of productivity. Typically, companies experience 21 days of downtime after a ransomware attack on their industrial control systems.

What is Ransomware?

Ransomware is a form of malicious software (malware). The term describes software that infects a computer or a company's IT or OT systems. Attackers use it to gain access to a company's production systems and block users' access to them until a ransom is paid to unlock them. You may have heard about the incident in which attackers breached Colonial Pipeline, forcing the owners to halt operations to contain the threat. That is not an isolated case: several similar incidents have been recorded since then, such as the ransomware attack on Martha's Vineyard Ferry Service and the cyberattack on JBS that snarled the food supply chain.

What are the Challenges to OT Environments?

For decades, industries have invested in prevention-based cyber security controls such as patching, firewalls, authentication, and antivirus. However, as more industries automate their systems and industrial environments become more connected, their cyber security needs have evolved as well.

Because of this increased connectivity, ransomware can directly impact OT. Even if a ransomware attack targets only a company's IT network, the company may need to pause its industrial processes as a precaution.

Ransomware is constantly evolving, especially with the development of code that targets devices used for industrial control, such as licensing servers, data historians, and HMIs. Some ransomware families, such as EKANS, are highly disruptive to industrial operations.

How to Overcome These Challenges

To overcome these challenges, industries need to adopt a cohesive approach: one that allows you not just to defend against ransomware, but also to respond effectively to its disruptive behavior so that it causes zero or minimal damage to your OT environment.

OT Architecture Review

First of all, evaluate your existing cyber security and physical security program, and analyze your system's protection and threat detection capabilities within the ICS framework. If some employees work remotely, access via remote workstations can open a gateway for ransomware and a channel to the adversary's command and control (C&C) infrastructure.

Next, ensure that your cyber security system can identify vulnerabilities in ICS software and hardware, offers 100% visibility into the risks, and provides practical, on-point risk mitigation recommendations. While conducting the architecture review, identify the prime locations from which you can monitor the performance of your OT systems, and verify that those systems are properly segmented from the IT network.

ICS Visibility

If you want to stay on top of your network architecture, make sure that your preventive controls are strategically installed. Establish a continuous monitoring system so that you are always informed when a preventive control stops working or becomes ineffective because of an unanticipated connection of equipment or an unexpected change to the firewall rules. Make sure you are using the right monitoring technology, one that efficiently detects threat behaviors. Some common scenarios for autonomous response in OT include:

  • A company's engineering workstation, infected with ransomware, spreads to the application servers' file shares.

  • An unknown device starts appearing on the network and interacts with the OT systems.

  • Your engineering workstation starts performing scans of OT systems.

  • An HMI infected with malware degrades operational performance.
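As an added example (not code from the original article), the following Python monitor applies the first three scenarios above to a batch of flow records. The asset inventory, IP addresses, sample flows and alert thresholds are all constructed assumptions; a real deployment would feed it records from a passive OT network sensor.

```python
from collections import defaultdict

# Constructed asset inventory (assumption): IP -> role; anything absent is unknown.
INVENTORY = {
    "10.20.0.10": "engineering_workstation",
    "10.20.0.20": "application_server",
    "10.20.0.21": "application_server",
    "10.20.0.30": "hmi",
    "10.20.0.40": "plc",
    "10.20.0.41": "plc",
}
OT_ROLES = {"application_server", "hmi", "plc"}
SCAN_THRESHOLD = 4   # distinct host:port pairs from one source (assumed tuning value)
SHARE_THRESHOLD = 2  # distinct servers reached over SMB/445 (assumed tuning value)

def analyze_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns a sorted list of alerts."""
    alerts = set()
    targets = defaultdict(set)    # src -> {(dst, port)}
    smb_hosts = defaultdict(set)  # src -> {dst} for SMB to application servers
    for src, dst, port in flows:
        src_role, dst_role = INVENTORY.get(src), INVENTORY.get(dst)
        # Scenario: an unknown device interacts with OT systems.
        if src_role is None and dst_role in OT_ROLES:
            alerts.add(f"unknown device {src} contacted {dst_role} {dst}")
        targets[src].add((dst, port))
        if port == 445 and dst_role == "application_server":
            smb_hosts[src].add(dst)
    for src, pairs in targets.items():
        # Scenario: an engineering workstation starts scanning OT systems.
        if INVENTORY.get(src) == "engineering_workstation" and len(pairs) >= SCAN_THRESHOLD:
            alerts.add(f"engineering workstation {src} scanning {len(pairs)} host:port targets")
    for src, hosts in smb_hosts.items():
        # Scenario: an infected workstation reaches the application servers' file shares.
        if INVENTORY.get(src) == "engineering_workstation" and len(hosts) >= SHARE_THRESHOLD:
            alerts.add(f"engineering workstation {src} touching SMB shares on {len(hosts)} servers")
    return sorted(alerts)

# Constructed sample flow records (assumption), e.g. exported from a span-port sensor.
SAMPLE_FLOWS = [
    ("10.20.0.30", "10.20.0.40", 502),  # HMI -> PLC over Modbus: expected traffic
    ("10.20.0.99", "10.20.0.40", 502),  # device not in inventory -> PLC
    ("10.20.0.10", "10.20.0.20", 445),  # workstation -> app server file share
    ("10.20.0.10", "10.20.0.21", 445),  # workstation -> second app server file share
    ("10.20.0.10", "10.20.0.40", 502),  # workstation sweeping PLCs
    ("10.20.0.10", "10.20.0.41", 502),
]
if __name__ == "__main__":
    print("\n".join(analyze_flows(SAMPLE_FLOWS)))
```

Running it against the sample flows raises three alerts (unknown device, workstation scan, workstation reaching two file shares), while the lone HMI-to-PLC flow raises none.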

Incident Response

Even if you have established a highly effective and advanced threat detection system, you need to have an incident response team ready at all times. If a cyber security incident takes place, this team should be equipped with the requisite training, tools, and access to professional incident investigation and response partners to limit the loss. To evaluate your technical preparedness for a ransomware attack, run tabletop exercises.