How to Protect Against Ransomware in your OT Environment
Know how an IT attack can impact OT, build clear incident response gameplay, and prioritize risks to ensure as little impact on operations as possible in case of emergency.
- Well-defined maps of potential threats and impacts. One of the biggest questions is the risk levels and priorities of assets and systems. What systems are tied to what systems, not just technically but operationally? The great news is many industrial organizations already have disaster recovery plans. We need to extend those to cyber events so we understand what we can disconnect, what we can keep operating, etc. This is key as attacks can spread from IT to OT so easily.
- Risk prioritization: These exercises then can determine the true crown jewels – which systems are the lynchpins to operations, all the way down to the individual servers etc. This then allows the organization to prioritize risk management on those systems and add extra layers of security to protect those key assets.
- OT Challenge: OT specific policies and procedures – Most IT tools and behaviors MUST be modified to provide similar effects without disrupting OT. This type of balance requires significant knowledge of both security practices but also Operational awareness
- Robust backup and recovery: Expanded backup coverage and frequent snapshots (more hosts): The more hosts that are frequently backed up SECURELY, and assuming an adequate pipeline to get systems back those backups (e.g., enough network bandwidth), the faster you can recover from a ransomware attack. However, you must ensure the vulnerability is mitigated or the host is isolated when the backup is restored, or they may become re-infected.
- OT Challenge: Legacy systems, lack of bandwidth and need to track multiple backup solutions/products in most OT environments makes management difficult
- Have offline backups of critical assets: Offline backups as a resilience or disaster recovery strategy is critical to ensure your most important OT assets are protected or can be readily restored if your infrastructure is down. This includes PLC logic code, configuration, documentation, and system images/files. It may sound expensive, but it is often accomplished with securely encrypted USBs that are periodically rotated such that file integrity is maintained.
- OT Challenge: Complexity of OT environments, number and variations of source code type, location, etc – requires a wholistic backup and recovery program
- Regularly have “cyber fire drills” to test backups and their recovery: Again, I cannot stress this enough, a frequent training regime should be absolutely applied for OT and cyber-related events. Forensics, failed hardware, shutdowns, etc. should have at least an initial note for cyber, just to ensure it was not cyber-related, and if so, a chain of custody and due diligence can be assured. Secondly, it is important that your resources know what to do when there is an issue, so this is another way to double-check processes while improving the likelihood of a quick recovery.
As stated above, one of the reasons organizations use an “abundance of caution” and shut down their OT processes is the fundamental endpoint risks on these assets. While we might like to avoid this hard topic, the reality is that resilience requires more secure OT endpoints.
The first question in this effort (as well as in beginning monitoring for potential threats) is ‘what do we have and how is it configured’? In other words, you need to know about the endpoints in question. To do this you need many items but for starters the following are fundamentally required:
- Asset inventory:Effective endpoint management begins with a robust asset inventory. As the age-old saying goes, if you don’t know what you have, you can’t manage the risks. A rich view of a 360-degree picture of each endpoint enables proper endpoint management.
- OT challenge: Incorporating an automated asset inventory that includes all asset types from OS based to networking but also embedded with deep asset profiles including set criticality, users and accounts, presence of compensating controls, etc.
- OT systems management:OT asset inventory is only the beginning of a robust endpoint management program. A robust OT Systems Management program includes configuration hardening, user and account management, software management, etc. In many cases, OT systems are insecurely designed and unpatched, making it ripe for ransomware.
- Patch management: Most threats enter through commodity systems such as Windows machines. You cannot patch everything in OT, but an end-to-end patch management program(i.e. automation and intelligent application of patches) is of great importance due to several environmental factors such as compliance, legislation, and risk management (e.g., patches on hosts with RDP or firewalls connected to the Internet should be prioritized over a PLC protected by several layers). Where unfeasible, application whitelisting, and policy enforcement makes an attacker’s life very difficult to improve your chances to defend or deny a ransomware attack on your OT organization.
- OT challenge: need to have a prioritized patching process and move to compensating controls when/where necessary.
- Removable media:USBs, removable media, and transient devices are other forms of low hanging fruit, especially if your network is “air-gapped” or heavily controlled. Users WILL bypass your controls by way of removable media. As a best practice, system policies are easily deployed, whitelisting software used, registered secure drives, and other technologies such as 802.X ensure authorized systems are allowed on network segments.
- OT challenge: Enumerating, applying, monitoring and enforcing removable media policies as well as extending to transient cyber assets
Monitor network, system and application logs for anomalies
An attack often has precursory elements that indicate an infection. However, it could indicate a vulnerable system that is amidst an attack or is about to be compromised giving your defensive team an advantage to prevent a wide-scale infection or attack. One way of doing this is with what is called a “Canary ” that places a system in the network that acts as the “canary in the coal mine” and alerts as the ransomware is impacting that endpoint allowing you to more quickly react.
- OT challenge: providing ‘OT context’ to traditional SIEM and alerting tools
- Monitored external attack surfaces: Many attacks are successfully accomplished due to a misconfiguration or an inadvertent hole caused by a gap in change management. It is a best practice to monitor for exposed services (e.g., Shodan).
Access Control and network segmentation
Stopping the spread of ransomware often comes down to placing firebreaks in its path. These can be in the form of network protections such as firewalls or other forms of segmentation or strict access control.
- Implement network separation or segmentation. One key way to slow the spread of ransomware is to place network barriers between IT and OT (or even within segments of IT and/or OT) networks. This approach is a foundational element but one, because of its technical challenges, often underutilized.
- OT Challenge: segmentation is not easy on IT or OT but in OT particular challenges arise due to legacy equipment, need for physical cabling, the downtime required to move systems onto new firewalls, etc. OT segmentation requires a team with deep knowledge of networking and the OT systems themselves.
- Isolate systems based on software, user role, and function: To protect systems compromised through remote access, local Windows networking flaws (e.g., print spool or SMB/NETBIOS), or Office/Acrobat, isolate them based on function and ensure unnecessary software is NOT included in standardized golden images or the same AD server is not serving policy for IT and OT. This also applies to user-based accounts; if an HMI is an HMI, treat its operator as an operator, not as an administrator.
- OT Challenge: Finding, profiling and securing these types of controls – ability to correct and enforce baselines
- Technical Diversity between zones or systems: Consistency across systems has scaling advantages, but when a single vulnerability affects multiple products this strategy grounds your entire operations if exploited. Barriers such as a VPN with 2FA, a remote access terminal server, and multiple firewall vendors exponentially increases the efforts it would take for an external attack to be successful.
Conclusion and success stories
Improving these five categories reduces the risk and impact of a ransomware attack, leverages existing technology investments, and improves recovery in the event of a compromise. Each of these add successive protections and safeguards against a possible ransomware attack.
OT-specific challenges are identified in this document not to show that a robust OT security program is unattainable or improbable but rather to help the reader identify key decision points that will help a successful program to achieve maximum protection with minimal challenges.
The application of ‘IT-like’ security controls in OT is increasingly being achieved in numerous industries, companies and countries around the world. But the true measure of success is in the maintenance and monitoring of their initial efforts. The companies that are significantly improving their security posture are acknowledging the unique challenges of an OT environment and making decisions such as:
- Building robust, 360-degree asset views
- Incorporating multiple functions into a single platform
- Tying together IT and OT skill sets at an enterprise level to review, monitor, plan and execute systemic security controls
- Automated data collection and remediation tasks
- Partnering with proven OT safe software and services vendors/consultants
To learn more about options for your operational environment look no further than your local CS2AI chapter for access to a significant body of OT professionals, best practices, research, resources and insight.
Read the article “How to prevent ransomware in 2021” for more info here.
This is an excerpt from the “How to prevent ransomware in 2021” article, written by Rick Kaun and and Ron Brash published here.