Ransomware 101: How to Prevent an Attack and What to Do if You Fall Victim
It seems like ransomware attacks are lurking around every corner—a threat that is especially heightened for industrial control systems and utility companies in the U.S. For these industries, a ransomware attack could mean dire consequences for a wide range of people. In the below Q&A, our Vice President of Cybersecurity & Compliance, Dominick Birolin (CSSP, CISA, NSE3), shares how you can safeguard against these attacks and what to do if you fall victim to one.
Q: Why is ransomware dangerous for utility and industrial control systems – what’s at stake?
A: For utilities and industrial control systems, it goes beyond what you’d find on a normal enterprise network. These networks impact the real world around us. There are wide-reaching consequences in the event that these networks are compromised. For instance, it could mean a shut down on the oil pipeline (as in the case of Colonial Pipeline 2021), power grids could be blacked out (Ukraine power grid attack 2015), manufacturing can stop (Honda manufacturing plants 2020) , and so on. With industrial control systems—like emergency management systems or transportation networks—they can all cease to work properly and that can impact millions of people and have wide ranging impacts to health, resources, and finances.
Q: Why is ransomware so prevalent right now?
A: The motivation with hackers and ransomware, first and foremost, is the financial incentive. Exfiltration of intellectual property to resell later is another financial component. These attacks are becoming more and more prevalent now because there has been a culture of not having proper cybersecurity controls in place to mitigate against the propagation and infiltration of attacks. ICS/OT systems present unique security challenges. They have a much longer patch cycle, some systems may be end-of-life, protocols are different from traditional IT networks, and remote access for trouble shooting by vendors are often not secured properly.
You have to remember that over 50% of attacks are actually introduced to networks via the enterprise or IT network and then they propagate across to the OT/ICS boundary.
These networks used to be air gapped but that’s no longer the case. The culture is to run lean, so it becomes increasingly difficult to apply cybersecurity controls such as patch mitigation, perimeter defense network segmentation, etc. But the need to pull data out of these networks has increased attack vectors that the industry previously hadn’t seen and there has not been a Defense in Depth approach needed to counteract that. Because early networks were air gapped, this wasn’t initially a concern but with the need to pull data from these control system environments, we have increased the attack vectors and with it, the likelihood of attacks.
Q: What can companies do to safeguard against ransomware attacks?
A: First we need to address the fact that there’s no magic bullet. Every comprehensive strategy is a Defense in Depth approach, which involves many components, some of which are:
- Testing your disaster recovery plan to ensure it is viable
- System data configuration and inventory of your file backup systems
- Patch management and vulnerability mitigation programs
- Quarantine capabilities including network segmentation and application layer inspection of segment ingress/egress traffic
- Network monitoring and threat detection to know if you are indeed infiltrated by ransomware and be able to respond to it
- Incident response is also key – not just this but also training cybersecurity personnel to deal with these types of ransomware attacks, mitigation of threats, communications to government agencies, and roles and responsibilities of responders
- Network perimeter defense
- Endpoint Detection and Response (EDR)
- System Hardening techniques
Q: What should companies do immediately after realizing they are victims of a ransomware attack?
A: First, enact your incident response plan and hopefully apply kill chain to stop the propagation of the ransomware. Then, assess where you are from a disaster recovery standpoint while preserving the cybersecurity forensic evidence for further investigation.
The next steps are really just evaluating what it’s going to cost you to recover or if you should pay the ransom. Do you have the ability to recover to full functionality without paying the ransom? That leads to other considerations like: is it legal to pay the ransom? What’s the operational impact cost? What’s the total loss of the incident going to cost you and how much will it cost to recuperate from that?
Root cause analysis is also key. In these environments we routinely see that companies recover from ransomware attacks and they don’t do a root cause analysis. This leaves them prone to having a repeat attack and it is the ransomware gang’s modus operandi to repeat these attacks on organizations that do not mitigate the root cause.
These are all considerations, but one point to emphasize is that whatever any cybersecurity professional does needs to have defensible evidence to support their case.
Q: What, if anything, should companies be doing to inform employees about cybersecurity best practices to avoid ransomware attacks?
A: It all starts with employees. The most likely attack vector is your enterprise or IT network – like I mentioned previously, this accounts for over 50% of attacks. There are four main causes for this: phishing emails, remote desktop protocol (RDP) used for propagation, click bait, and drive-by downloads.
The key here is having a robust cybersecurity awareness program that informs employees on what to recognize in a potential attack and encourages them to report anything suspicious to their IT department.
Q: If you had only one piece of advice for companies around ransomware, what would it be?
A: Be diligent in your cybersecurity approach. Develop and apply a comprehensive cybersecurity risk management program. Cybersecurity is not convenient but knowing the impact to your operations and then mitigating to your acceptable risk level is key to being successful in this area.
Q: What can utility companies do to know if they are properly protected or not?
A: If you’re unsure and don’t have the internal resources to check, you should hire a capable consulting company or third party like ours to validate your cybersecurity protection via a ransomware readiness assessment.