Authored By: Vijay Vaidyanathan, Regional Vice President – Solutions Engineering, APJ at Claroty
Between 2020 and 2021, a notable rise in cyber attacks occurred against critical infrastructure - from the Oldsmar water plant hack to the ransomware attacks against Colonial Pipeline, JBS Foods and NEW Cooperative.
While many of these high-profile attacks against industrial systems were based in the US, attacks against industrial systems can happen anywhere and at any time, including in Asia, where unfortunately many industrial sites still operate on legacy operational technology (OT) that is becoming increasingly exposed to new kinds of cyber threats it was not designed to face. VirusTotal reported that ransomware attacks are notably of concern in countries such as South Korea, Vietnam, China, Singapore, India, and the Philippines in this region, as they formed part of the 10 most affected territories globally for ransomware samples submitted since 2020.
Alarmingly, Gartner predicts that cyber attackers will be able to weaponise OT environments to successfully harm or kill humans by the year 2025. But with this sensationalism comes greater awareness of the pressing need for specialised OT security solutions and standards. In fact, OT security has become a security issue of national concern.
Singapore recently announced an updated cybersecurity strategy that placed emphasis on OT security, by offering an OT Cybersecurity Competency Framework to guide organisations on the skill sets and technical competencies required for proper management of security risks in OT environments.
Claroty, the industrial cybersecurity company, recently hosted a webinar along with security experts from OT Information Sharing and Analysis Center (OT-ISAC), and the Cyber Security Agency of Singapore. In the webinar, speakers discussed the implications of recent cyberattacks on OT networks, and what key efforts were required to help enterprises improve their OT cybersecurity posture against such threats. Following are three key takeaways from the session.
Ransomware is a long-term issue, so we need sustainable solutions
Once just a nuisance, ransomware in OT environments has become a serious threat. With large pools of victims to target, attackers can reuse their techniques with great success, as disruptions to operations can be drastic, hitting the bottom lines and profits of enterprises.
Recent attacks have also underscored the diverse nature and objectives of attacks. The attacks against the Colonial Pipeline and JBS Foods centred on ransom demands, but the SolarWinds supply chain attack included the ability to beacon out to command-and-control servers and exfiltrate data from certain victims. And the attack against the Oldsmar water-treatment facility was a (fortunately thwarted) attempt to poison the water supply.
What we know now is that these attacks and the threat actors behind them are well-resourced and prolific, which makes it impossible for any single entity to address this issue on their own. Even legislation to make ransomware payments illegal will not eliminate this rampant and increasingly destructive threat. Ransomware is here to stay, and as such, sustainable approaches and solutions are required to combat this threat.
No one single group has all the answers: collaboration is key.
Many of the critical functions that underpin our way of life – food, water, fuel, electricity, transportation – are provided by individual companies. In order to protect these companies, an ecosystem of stakeholders (comprising public and private sector entities) must work together to address ransomware across its entire lifecycle: from the initial attack, to the disruption of operations, to the payment system, as well as educating and raising awareness among enterprises.
While the private sector brings in technology and innovation needed to strengthen defences and build cyber resilience, the public sector has visibility into the cascading effects and interdependencies of such attacks, as well as the means to incentivise the behaviours required to help drive the collaboration needed to address ransomware.
For example, by changing tax laws, mandating timely reporting, and removing liability concerns for those who report attacks, governments can improve knowledge sharing among organisations. With the ability to quickly share lessons learned from each incident, and by applying those lessons to strengthen defences and build resilience, we can prevent adversaries from using the same techniques with success.
Tapping into the capabilities and advantages of each party in the ecosystem will build the collaboration necessary to envision a holistic defence plan that can improve outcomes.
Organisations lack visibility and confidence to make the best decisions – we can change this.
In the throes of an incident, organisations tend to respond to an attack based on what they do not know, rather than on what they do know.
For example, while there may be no indication that an OT network has been affected, the organisation under attack often shuts down its operations as a precaution. Organisations are aware that adequate backup systems and recovery plans are essential for building resilience to ransomware attacks. However, the lack of visibility into impacted systems and the other systems that depend on them – such as financials, billing, OT, and others – limits their ability to understand the extent of the exposure of these systems, and thus their ability to make better decisions and to act confidently to mitigate the impact of the attack on the OT network.
The panellists on the webinar demonstrated how organisations can equip themselves with the following industrial cybersecurity capabilities to protect their OT environments.
Deep visibility into the OT network. Organisations need to have a thorough and accurate view of their network structure, endpoints, and connectivity paths. This provides a current inventory so they can patch systems or apply additional verification or other compensating controls on legacy and unsupported systems.
Continuous network monitoring for unusual activity permits organisations to see when bad actors enter the network and respond faster to make a bad situation better.
Secure remote access and operations, through multi-factor authentication (MFA), role-based access and least-privilege access along with strict controls over sessions, provides off-site access to OT environments while minimising the substantial risks introduced by remote workers.
Encryption of data at rest and in motion is important for good cyber defence and resilience with respect to ransomware.
Network segmentation is another critical strategy to impede attackers’ lateral network movement in today’s hyperconnected world where OT networks are no longer air gapped.
Convergence of IT and OT under one security operations centre (SOC) enables organisations to shift from compliance-based models to threat- and risk-based frameworks for a holistic approach to resilience and risk management.
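The visibility, monitoring and segmentation capabilities listed above can be exercised together with a small check that compares observed network flows against an asset inventory and a zone-to-zone segmentation policy. The following is an added example, not code from the article or from Claroty; the zones, inventory, allowed paths and flow records are all constructed for illustration, and the addresses and port numbers are hypothetical.

```python
"""Inventory and segmentation check over constructed OT flow records.

Added example, not code from the article or from Claroty. The zones,
inventory, allowed paths and flow lines below are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network zones (Purdue-style grouping; addresses are hypothetical).
ZONES = {
    "enterprise_it": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ot_control": ip_network("192.168.100.0/24"),
}

# Constructed asset inventory: the "current inventory" the article calls for.
INVENTORY = {
    "192.168.100.10": "plc-line1",
    "192.168.100.11": "hmi-line1",
    "10.20.0.5": "jump-host",
    "10.10.4.22": "eng-workstation",
}

# Constructed segmentation policy: (source zone, destination zone, port).
# A port of None means any port is permitted on that path.
ALLOWED_PATHS = {
    ("dmz", "ot_control", 44818),        # jump host to controllers only
    ("ot_control", "ot_control", None),  # traffic inside the control zone
    ("enterprise_it", "dmz", 443),       # IT reaches the DMZ over HTTPS only
}

# Constructed flow records: timestamp, source IP, destination IP, destination port.
SAMPLE_FLOWS = """\
2021-11-02T08:00:01Z 10.20.0.5 192.168.100.10 44818
2021-11-02T08:00:05Z 192.168.100.11 192.168.100.10 502
2021-11-02T08:01:10Z 10.10.4.22 192.168.100.10 502
2021-11-02T08:02:00Z 192.168.100.77 192.168.100.10 502
2021-11-02T08:03:30Z 10.10.4.22 10.20.0.5 443
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "unknown_asset" or "segmentation_violation"
    timestamp: str
    src: str
    dst: str
    port: int
    detail: str


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def path_allowed(src_zone, dst_zone, port) -> bool:
    """True if the segmentation policy permits this zone-to-zone path and port."""
    return ((src_zone, dst_zone, port) in ALLOWED_PATHS
            or (src_zone, dst_zone, None) in ALLOWED_PATHS)


def analyse_flows(text: str):
    """Walk flow records, flagging unknown devices and cross-zone policy violations."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        port = int(port)
        # Visibility check: every endpoint should already be in the inventory.
        for ip in (src, dst):
            if ip not in INVENTORY:
                findings.append(Finding("unknown_asset", ts, src, dst, port,
                                        f"{ip} is not in the asset inventory"))
        # Segmentation check: the zone-to-zone path must be explicitly allowed.
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if not path_allowed(src_zone, dst_zone, port):
            findings.append(Finding("segmentation_violation", ts, src, dst, port,
                                    f"{src_zone} -> {dst_zone}:{port} not permitted"))
    return findings


if __name__ == "__main__":
    for f in analyse_flows(SAMPLE_FLOWS):
        print(f"{f.timestamp} {f.kind:24} {f.src} -> {f.dst}:{f.port}  {f.detail}")
```

Run against the sample flows, the check raises two findings: an engineering workstation in the enterprise zone talking directly to a controller on port 502 (a path the policy does not permit), and a device at 192.168.100.77 that is absent from the inventory. A deny-by-default policy of this shape is what makes segmentation checkable: any path not written down is a finding, and an inventory gap surfaces the moment an unlisted device sends or receives traffic.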
Essentially, the message from the webinar panellists is that, even though ransomware attacks are here to stay, there’s no need for organisations to be sitting ducks for such attacks.
A holistic approach to security, which includes OT-specific cybersecurity capabilities and an ecosystem that drives the adoption of effective techniques and practices, together with collaborative responses, can protect vulnerable organisations.