ICS systems: Ransomware’s Prime Target. Learn how to fortify critical infrastructure against digital threats. Attacks against medical centers and other operating entities tend to garner the most headlines, and with good reason. During the COVID-19 pandemic, gangs like Conti and REvil victimized critical infrastructure sectors such as healthcare and food/agriculture services.
However, no industry is spared from ransomware attacks. In fact, in 2022, construction and property businesses came in eighth place for targeted industries in a survey conducted by Sophos.
Industrial Control Systems (ICS)
Unlike traditional IT systems, industrial control systems (ICS) monitor or control physical processes in industries such as manufacturing and utilities. An attack on an ICS could cause physical damage or disruption, and the impact may be far reaching, affecting all stakeholders. The ICS networks of the aforementioned sectors were often built at a time before cybersecurity was a major concern, and they may contain vulnerable devices. As a result, attackers may be able to gain access to the systems and take over operations — stealing data or holding the systems at ransom.
While many ICS operators have taken steps to improve their security posture, experts believe that hackers will continue to exploit weaknesses in the sector. In fact, some ICS cyberattacks are even more dangerous than traditional IT attacks. For example, if an attacker were to target a PLC in an ICS network and successfully spread the infection across the entire system, it could lead to the poisoning of city water or a loss of power to an entire region.
Attacks on ICS can also result in significant financial losses. A recent incident in which the ticketing machines of San Francisco’s Muni transit systems were infected with ransomware led to days of delays and a backlog in tickets that cost the company thousands of dollars. A similar attack hit JBS Foods, the world’s largest meat supplier, resulting in the shutdown of plants and panic buying that caused price hikes in several states.
According to Sophos, construction and property businesses are frequent ransomware targets. For instance, public-traded real estate investment firm Marcus & Millichap suffered a ransomware attack in 2020 that TechTarget suspects was perpetrated by the BlackMatter gang. Another common attack target is MSPs. In a 2022 report, Unit 42 found that 40% of MSPs suffered ransomware attacks in the previous year.
In addition to these high-profile attacks, many ICS firms face challenges in securing their networks due to a lack of visibility into their own environments. A recent Dragos study found that 89% of manufacturing companies have poor visibility into their OT environments and that they have the highest rates of attack from malware such as Lockbit, REvil and Conti.
Industrial Networks
The cybersecurity industry has long acknowledged that industrial systems are a key target for ransomware attacks. But despite the wake-up call of the 2021 Colonial Pipeline incident, the industry continues to struggle with security. Many industrial environments rely on aging technology, often with a dated operating system that may not receive security updates. This can make the underlying technology vulnerable to the same TTPs used by ransomware attackers. The resulting attack can impact both IT and OT networks, and the disruptions that can ensue can be severe.
The issue is even more problematic in the case of OT networks, which are not designed to handle such attacks and are typically less resilient. This means that industrial users must ensure that OT-specific applications are isolated from IT applications. The good news is that there are steps organizations can take to mitigate these risks, including ensuring the use of strong passwords, deploying software patches and implementing multi-factor authentication. However, it’s important to remember that these security measures won’t prevent all attacks and can only reduce the impact of a ransomware incident, not eliminate it.
According to a 2022 report from industrial cybersecurity firm Dragos, attacks on critical infrastructure organizations nearly doubled in the previous year. These attacks impacted a number of manufacturing sectors and subsectors, including metal components, electronics (IT) and automotive. The research also pointed out that many of these attacks resulted from phishing email and remote desktop protocol exploitation, along with the exploitation of software vulnerabilities.
In fact, the report concluded that professional and legal services — particularly law firms — were today’s most-targeted ransomware victims. That conclusion was based on data found on ransomware leak sites, where criminals post victims’ stolen data.
The report also noted that distribution and transport companies are also taking a hit, with 74% of respondents to a Sophos survey reporting that they’d sustained recent ransomware incidents. These attacks impacted their ability to deliver goods and services, with two-in-five companies not returning to normal operations within a month of an attack.
It’s also worth noting that these attacks can have a broader impact on the economy, which is why industrial sectors need to step up their efforts. To this end, they should adopt a defense-in-depth approach that includes a combination of network segmentation, collaboration and visibility/monitoring. They should also consider leveraging identity-based access controls and zero trust, as well as making sure all devices connected to OT networks have the appropriate level of protection.
Network Security
As organisations seek greater efficiency, value and simplicity to meet customer demands, they are digitising systems by converging IT with Operational Technology (OT), leveraging the cloud and Industrial Internet of Things (IIoT) technologies. This exposes OT to increasing risks and leaves them vulnerable to sophisticated cyberattacks.
Unlike IT systems, OT devices are often designed with connectivity in mind, meaning they can connect to the internet and other network infrastructures, including legacy industrial protocols that have been in use for decades. This opens ICS to attack vectors that are typically seen in IT environments, such as malware, botnets and remote access attacks.
A slew of cyberattacks on critical infrastructure assets — such as the Colonial Pipeline ransomware attack in May 2021 that shut down one of America’s most important fuel pipelines — has served as a wake-up call. It underscores the need to integrate security processes and procedures for IT, OT and industrial control systems.
In addition, many ICS devices were developed at a time when cyber security wasn’t considered a priority. That has led to a gap in security, which leaves these devices at risk of physical damage as well as disruption to business operations. An attack on a power generation or water treatment plant could result in a loss of critical services or even an outage, which would have significant financial and reputational impact for companies and communities alike.
The good news is that the US government is stepping in to help critical infrastructure asset owners with their cyber defenses. In March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires that owners of critical infrastructure report cyber incidents and ransomware payments to CISA within 72 hours.
With this mandate in place, CISA is launching a pilot to test the ability of the government to identify vulnerabilities at the source. The goal is to develop a model that will allow the agency to alert infrastructure owners of threats before they cause real-world damage.
The media, entertainment and leisure sector has also become a popular target for ransomware attacks. For example, Macmillan Publishers reported a ransomware attack in June of 2022 that shut down its IT systems and halted book orders. The education sector has been another big target, with universities such as Savannah College of Art and Design in Georgia, William Carey University in Hattiesburg, Mississippi and North Carolina Agricultural and Technical State University falling victim to the threat. In a 2022 survey, 64% of higher education institutions told Sophos they had experienced ransomware attacks.
Data Security
A ransomware attack encrypts data, rendering it unusable and forcing the victim to pay a ransom to regain access. This type of malware has become an increasingly popular method for cybercriminals to extort money from organizations.
In a 2021 incident, the Colonial Pipeline that operates the nation’s largest fuel pipeline was subject to what was described as “the worst cyberattack against critical infrastructure in our country’s history.” It caused the company to shut down operations for almost a week, resulting in the evacuation of more than 100,000 residents and halting gas distribution across the East Coast of the United States.
The company was forced to pay a $70,000 ransom to regain full functionality, but the damage was done. Experts have warned that the escalating number of attacks on industrial control systems and other industrial technology could cause an even greater impact.
Attackers are looking for industries where they can expect the maximum financial payouts when extorting a ransom. This is why companies such as universities, telecommunications providers and law firms are top targets for ransomware attackers. They tend to have smaller security teams and a more dispersed user base that often engages in file sharing, making it easier for attackers to breach their defenses.
Additionally, attacks against these sectors typically generate more publicity and attention, which can entice attackers to make their attacks more brazen. Medical facilities and law firms, for example, may be more likely to pay a ransom to keep the details of their breaches quiet. In addition, experts have found that attackers target companies in affluent regions and countries because they can more easily exploit the organizations for larger payouts.
In the latest State of Ransomware report, Sophos identified construction and property businesses as a major ransomware target. The organization noted that these sectors were hit at a rate of 63%, second only to professional and legal services. The report also indicated that these sectors tend to operate in affluent areas and are more likely to have higher PC adoption rates.
To protect against these attacks, it is vital for organizations to maintain offline backups that can be accessed without paying a ransom. This requires organizations to implement automated, protected backup processes and to test these backups regularly. It is also important to isolate systems in a controlled manner and to use out-of-band communication methods in order not to tip off the malicious actors that their actions are being monitored.
