Five ways to reduce ransomware risk in OT environments

An aerial view of the US Cyber Command joint operations center on the NSA campus. The NSA and CISA have issued a joint alert warning that operational technologies and industrial control systems are at risk to attackers over the internet. Today’s columnist, Ron Brash of Verve Industrial Protection, offers tips for security pros on how to reduce rans...

Ransomware attacks are in vogue and so far have mostly targeted corporate IT environments, but operational technology (OT) has become collateral damage in many recent cases, including Honda, Garmin and Maersk.

That is not to say OT environments are immune to ransomware; they are not. So far, most attacks render commodity systems such as Microsoft Windows hosts unusable until a ransom is paid. That is vastly different from holding an embedded device hostage (although it is already happening with IT devices), which would have tremendous implications for manufacturing operations, large office complexes and medical facilities.

Given the staggering number of ransomware attacks, security pros should already treat them as a highly likely cyber threat that will affect OT environments to some degree.

But what should we do about it? Organizations can take steps to reduce the impact even when the risk cannot be eliminated. Here are five ways to reduce ransomware risk in OT environments:

1. Use endpoint management and perform vulnerability management.

Stand-alone or ad-hoc systems carry more risk than managed ones. They are unlikely to be compliant, drift from the standard build, carry indirect vulnerabilities (guest accounts or local accounts with weak passwords) and are weakly provisioned. In a race against the clock to recover, these systems are an opportunity to improve OT systems management (OTSM) by bringing them under central management. Endpoint security controls on hosts also drive both preventative and reactive capabilities. And because most threats enter through commodity systems with older unpatched vulnerabilities or insecure access such as RDP, application whitelisting and policy enforcement make an attacker's life very difficult and increase the security team's chances of denying an attack.
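The whitelisting point above is easier to reason about with a concrete policy in front of you. The following is an added example, not code from the column or from Verve Industrial Protection: it models the two rule kinds most allowlisting products offer (a SHA-256 hash of the binary, and a glob over the launch path), evaluates a set of constructed execution events against them with default-deny semantics, and flags the practitioner's caveat: a path rule over a directory a standard user can write to lets an attacker who has landed via RDP drop a payload into an "allowed" location. The HMI binary, the droppers, the paths and the `VendorHMI` name are all stand-ins.

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List


@dataclass(frozen=True)
class Rule:
    kind: str   # "hash": value is a hex SHA-256; "path": value is a glob over the launch path
    value: str


@dataclass(frozen=True)
class ExecEvent:
    path: str                # path the binary was launched from
    content: bytes           # bytes of the binary (constructed stand-in, not real malware)
    user_writable_dir: bool  # can a standard user write into the launch directory?


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(rule: Rule, event: ExecEvent) -> bool:
    if rule.kind == "hash":
        return sha256_hex(event.content) == rule.value.lower()
    if rule.kind == "path":
        # Windows paths are case-insensitive, so compare lower-cased on both sides.
        return fnmatchcase(event.path.lower(), rule.value.lower())
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def is_allowed(rules: List[Rule], event: ExecEvent) -> bool:
    """Default-deny: an execution runs only if some rule explicitly permits it."""
    return any(matches(r, event) for r in rules)


def weak_allowances(rules: List[Rule], events: List[ExecEvent]) -> List[str]:
    """Launch paths permitted *only* by a path rule, from a directory a standard
    user can write to. These are the spots a dropper can reuse."""
    hash_rules = [r for r in rules if r.kind == "hash"]
    return [
        ev.path
        for ev in events
        if ev.user_writable_dir
        and is_allowed(rules, ev)
        and not is_allowed(hash_rules, ev)
    ]


# Constructed sample data: a stand-in HMI client and a stand-in dropper.
HMI_BINARY = b"MZ\x90\x00" + b"vendor-hmi-runtime-v4.2"
DROPPER = b"MZ\x90\x00" + b"not-a-real-payload"

RULES = [
    Rule("hash", sha256_hex(HMI_BINARY)),                 # the exact build of the HMI client
    Rule("path", r"C:\Program Files\VendorHMI\*"),        # admin-only directory (assumed)
    Rule("path", r"C:\ProgramData\VendorHMI\updates\*"),  # hypothetical, user-writable
]

EVENTS = [
    ExecEvent(r"C:\Program Files\VendorHMI\hmi.exe", HMI_BINARY, False),
    ExecEvent(r"C:\Users\operator\Downloads\invoice.exe", DROPPER, True),
    ExecEvent(r"C:\ProgramData\VendorHMI\updates\update.exe", DROPPER, True),
]


def decisions(rules=RULES, events=EVENTS):
    """Map each launch path to the allow/deny decision for that event."""
    return {ev.path: is_allowed(rules, ev) for ev in events}


if __name__ == "__main__":
    for path, ok in decisions().items():
        print(("ALLOW " if ok else "DENY  ") + path)
    for path in weak_allowances(RULES, EVENTS):
        print("WEAK  " + path + "  (path rule over a user-writable directory; prefer a hash or publisher rule)")
```

The third event is the one to watch: it is allowed, but only because of a path rule over a directory anyone can write to, which is exactly the gap a dropper delivered over RDP needs. Tightening it to a hash (or signed-publisher) rule, or making the directory admin-only, closes it.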

2. Prevent access with proper network segmentation.

It's critical to limit network access between zones, conduits, devices and even business units/functions to reduce ransomware impacts. The same principle prevents or slows the spread of infectious diseases, and it applies equally to malware and attackers. Conversely, when a single vulnerability affects multiple products, homogeneous or "flat" environments can ground the company's entire operations if it is exploited. One approach for remote access is to create layered barriers: a VPN with two-factor authentication to gain initial access, then a secure remote access terminal server inside the network (also called a jump box), and multiple firewalls for inter-zone access. This greatly increases an attacker's effort whether the attack comes from outside or from a network zone with a lot of churn.
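To make the zone-and-conduit idea testable, here is an added example that is not from the column: a small first-match, default-deny rule evaluator plus an audit that checks a ruleset against the flows the design says must be denied (workstation straight to the control zone over RDP or SMB) and must be allowed (workstation to the jump box, jump box to the control zone). The zone addresses, the jump host `10.2.0.10` and both rulesets are constructed; the "flat" ruleset stands in for the homogeneous environment described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # None means any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        ip_address(flow.src_ip) in ip_network(rule.src)
        and ip_address(flow.dst_ip) in ip_network(rule.dst)
        and (rule.port is None or rule.port == flow.port)
    )


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Constructed zones: enterprise IT, a DMZ holding the jump box, and the control zone.
ENTERPRISE, DMZ, CONTROL = "10.1.0.0/16", "10.2.0.0/24", "10.3.0.0/24"
JUMP_HOST = "10.2.0.10"

SEGMENTED = [
    Rule(ENTERPRISE, JUMP_HOST + "/32", 3389, "allow"),  # VPN users land on the jump box only
    Rule(JUMP_HOST + "/32", CONTROL, 3389, "allow"),     # only the jump box reaches control
    Rule("10.0.0.0/8", "10.0.0.0/8", None, "deny"),      # explicit catch-all deny
]

FLAT = [Rule("10.0.0.0/8", "10.0.0.0/8", None, "allow")]  # the "flat" network

# What the segmentation design requires, as (flow, expected decision).
EXPECTATIONS: List[Tuple[Flow, str]] = [
    (Flow("10.1.5.20", "10.3.0.15", 3389), "deny"),   # workstation straight to an HMI over RDP
    (Flow("10.1.5.20", "10.3.0.15", 445), "deny"),    # SMB, the classic ransomware spreader
    (Flow("10.2.0.50", "10.3.0.15", 3389), "deny"),   # a non-jump host in the DMZ
    (Flow("10.1.5.20", JUMP_HOST, 3389), "allow"),    # the sanctioned path in
    (Flow(JUMP_HOST, "10.3.0.15", 3389), "allow"),    # the sanctioned path onward
]


def audit_segmentation(rules: List[Rule], expectations=EXPECTATIONS):
    """Return (flow, expected, actual) for every expectation the ruleset violates."""
    violations = []
    for flow, want in expectations:
        got = decide(rules, flow)
        if got != want:
            violations.append((flow, want, got))
    return violations


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        bad = audit_segmentation(rules)
        print(f"{name}: {len(bad)} violation(s)")
        for flow, want, got in bad:
            print(f"  {flow.src_ip} -> {flow.dst_ip}:{flow.port} expected {want}, got {got}")
```

Running the audit against an export of the real firewall policy, rather than these constructed rules, is the useful version of this check; the expectation list is where the design decisions (which zone may talk to which, and through what) get written down where they can be re-verified after every change.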

3. Standardize hardened golden images for current and future use.

It might be surprising, but by standardizing hardened images the team can eliminate many common issues out of the gate, improve time to recovery by keeping a standardized base image on hand, and improve security maturity with minimal investment while reducing the need for "forklift" projects.

4. Expand backup coverage, have offline copies, and frequent snapshots.

The more hosts that are frequently and securely backed up, assuming adequate bandwidth to get those backups back onto the systems, the faster the team can recover from a cyber-related event. Both recent online (hot) and offline (cold) backups must exist. When a backup is restored, the vulnerability that was exploited must be mitigated, or the host must stay isolated; otherwise it may be reinfected, adding delay and cost.
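The coverage requirement above (every host, a recent hot copy, an offline copy, and copies that actually restore) is the kind of thing that quietly decays unless it is checked. The following is an added example, not from the column: it audits a constructed backup catalog against an inventory, reporting hosts with no hot backup inside the recovery point objective, no offline copy inside the retention window, or a copy whose checksum no longer matches what was recorded when it was taken. The host names, the 24-hour RPO, the 7-day offline window and the image payloads are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Backup:
    host: str
    taken: datetime
    tier: str       # "hot" = online snapshot, "cold" = offline/immutable copy
    sha256: str     # checksum recorded when the copy was taken
    payload: bytes  # stand-in for the backup image (constructed here)


# Assumed policy: a hot snapshot at least daily, an offline copy at least weekly.
HOT_RPO = timedelta(hours=24)
COLD_MAX_AGE = timedelta(days=7)
NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)  # fixed "now" so the example is repeatable


def record(host: str, tier: str, age: timedelta, corrupt: bool = False) -> Backup:
    """Build a constructed catalog entry; corrupt=True simulates bit-rot or
    tampering that happened after the checksum was recorded."""
    image = f"{host}-{tier}-image".encode()
    digest = hashlib.sha256(image).hexdigest()
    if corrupt:
        image += b"\x00"
    return Backup(host, NOW - age, tier, digest, image)


INVENTORY = ["hmi-01", "eng-ws-02", "historian-01"]

CATALOG = [
    record("hmi-01", "hot", timedelta(hours=6)),
    record("hmi-01", "cold", timedelta(days=3)),
    record("eng-ws-02", "hot", timedelta(hours=2)),
    record("eng-ws-02", "cold", timedelta(days=20)),          # offline copy is stale
    record("historian-01", "hot", timedelta(days=3)),          # hot snapshot misses the RPO
    record("historian-01", "cold", timedelta(days=1), corrupt=True),
]


def audit_backups(inventory: List[str], catalog: List[Backup], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return {host: [problems]} for every inventoried host that fails the policy."""
    findings: Dict[str, List[str]] = {}
    for host in inventory:
        mine = [b for b in catalog if b.host == host]
        problems = []
        if not any(b.tier == "hot" and now - b.taken <= HOT_RPO for b in mine):
            problems.append("no hot backup within RPO")
        if not any(b.tier == "cold" and now - b.taken <= COLD_MAX_AGE for b in mine):
            problems.append("no offline copy within retention window")
        for b in mine:
            if hashlib.sha256(b.payload).hexdigest() != b.sha256:
                problems.append(f"{b.tier} backup from {b.taken.date()} fails checksum")
        if problems:
            findings[host] = problems
    return findings


if __name__ == "__main__":
    for host, problems in audit_backups(INVENTORY, CATALOG).items():
        print(host)
        for p in problems:
            print("  - " + p)
```

The checksum step is the one most teams skip; a catalog full of entries is not the same as a catalog full of restorable images, and the first time anyone finds out is usually during the incident.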

5. Practice ransomware “fire drills” and prepare regularly for OT cyber events.

Processes for traditional IT, or even for the physical aspects of OT, are usually well-defined but untested. For managing cyber events and incidents in OT environments, the processes are often neither defined nor validated. Have your organization and teams regularly validate end-to-end processes to identify gaps and ensure effective escalation and recovery. When the team needs these processes, it needs them immediately, and it cannot afford gaps in communication, roles or process, especially for ransomware.

While many media outlets and experts pitch fancy solutions, effective cyber security is not sexy or glamorous. It's practical, and when applied with a healthy dose of realism, it works well in IT or OT. Better yet, preparing for a ransomware attack isn't a new cost sink; it can actually strengthen an organization's cyber security posture and improve the ROI on existing security investments.

Ron Brash, director of cyber security insights, Verve Industrial Protection
