New concepts to reduce the risk of ransomware in IIoT environments

[Image: IT/OT convergence on a control panel. Courtesy: Chris Vavra, CFE Media and Technology]

As we think about Industrial Internet of Things (IIoT) attacks, we break them down into three broad categories. The first is what we refer to as collateral damage. The best example is the Colonial Pipeline event, where ransomware hit the IT environment. OT was ultimately affected not because it was directly targeted, but because a lack of visibility and segmentation left the operator unable to rule out spread into the pipeline systems, leading to a precautionary shutdown of the OT systems.

There are attacks that are more targeted, such as insider threats like the Georgia-Pacific case. Very recently this year, we had the Oldsmar, Florida water treatment plant, where a relatively unsophisticated attacker used an exposed TeamViewer remote-access account to reach the plant's HMI. And then finally, we have the more advanced attacks, the ones that, frankly, get a lot of press but are far less likely.

Advanced attackers find OT systems harder to reach in part because many of them still rely on security by obscurity: proprietary protocols, isolated networks and equipment that few people outside the vendor understand. But when attackers do get in, the impact can be far more significant. Think of Stuxnet, or the Triton/Trisis attack on the safety instrumented systems of a petrochemical facility in Saudi Arabia. These are events with genuine risk to human life.

Ultimately, the way you approach protection and detection in these three types of attacks is different.

Rising IIoT threat

Until March 2021, cyber incidents affecting OT/ICS/IIoT environments were a reality, but not as public as what we're seeing today. Some might argue they were always this frequent, just not public. But in the last six months we have seen an absolute explosion in the number of industrially targeted attacks, and particularly ransomware events: Molson Coors, WestRock, Colonial Pipeline, JBS ... the list goes on. There are dozens of others that were public, just not as well known as these major brands.

This big change within the world of IIoT security has been recognized by governments around the world, particularly the U.S. government, as they begin to drive more regulation into OT security. So why are we seeing this? The weaknesses in OT are becoming easier for attackers to find and exploit. Comparing 2019 to 2020, there was about a 30% increase in the number of ICS advisories published by ICS-CERT (now part of CISA), and almost a 50% increase in the number of vulnerabilities they cover.

Importantly, the severity scores of those vulnerabilities have risen by more than 40%. More and more researchers are studying these devices and finding significant vulnerabilities in them. As those vulnerabilities are published, the same information inevitably reaches attackers, many of whom can act on it faster than a plant can patch.

According to IBM, manufacturing has become the second most targeted industry, moving from No. 8 to No. 2 between 2019 and 2020. Energy went from No. 9 to No. 3. Why? Because the attackers have found money is in the manufacturing and energy worlds. If I’m going to ransom somebody, I want to ransom somebody who has a big downside risk of not coming back online. As it turns out, manufacturing and energy are the two industries with the biggest impact if shut down.

The “for profit” attackers leverage ransomware to make money. Specifically, ransomware within energy and manufacturing is becoming a critical source of profit. As we think about where to focus our security efforts, in the world of IIoT, this is called SRP: safety, reliability and productivity.

Bringing IT and OT security together

The attacks won’t stop, and we have to find a way to stop this as an industrial world. It’s not just for IT or OT to figure out. We often notice some pointing fingers, like that was security’s fault, or if the plant had only been patching, we’d have been OK, or the network guys didn’t really segment the network. It becomes an “us” versus “them” mentality, but the only way to address this is if we bring these two groups together.

Think global, act local 

It does not make sense for us to have a vulnerability expert in each plant or each refinery or each mill — whatever it is you’re working on. We need to find a way to aggregate that risk data up to some central team that analyzes vulnerabilities and risks globally (i.e., see every asset in every plant around the world in one place).

They can operate a security operations center (SOC), prioritize risks and threats, and identify indicators of compromise centrally. But remediation is different: patching a device, hardening a configuration, removing users who should not be there. We need to act locally, because we all know that if you start patching control systems on a running refinery or power plant, you are going to trip that plant. The local team deploys those patches in a way that is safe and effective within the OT environment.

First, the local team must determine whether the patch is feasible at all, and if so, when it should be applied. If there is an outage over the weekend, reboot the system and apply the patch then. Similarly, the team on the ground can identify anomalous processes: they are the ones who really understand that OT environment, so they may be the first to notice that something odd is going on. But when we think globally, we centralize the analysis.

Then, when those actions happen, they happen locally, with the same automation but with the decision made by the person who understands the process best. We can do risk assessment, remediation planning and so on.

By bringing these teams together, we can start to engage senior management on why we need a budget for IIoT security, and how to execute that budget in a way that’s safe for operations and isn’t going to trip the plant.

The “think global, act local” approach drives a lower labor cost because you can centralize the analysis. It’s operationally safe because of that local action approach. You can ensure that it’s safe for operations. It gives you that deep visibility you need with better risk management. It allows you to rapidly respond on a specific, least impactful way of responding to any ransomware. We’ve seen this approach be quite successful in the world of industrial and IIoT specifically.

Reduce risk and respond to IIoT threats

When we think about risk reduction and threat response in mitigating ransomware, how does that work?

On the risk reduction side, we can identify and eliminate accounts that should not be there, and change stale or default passwords. We can remove unneeded services and software from servers, identify dual-homed hosts (machines with two NICs that bridge the control network to the enterprise network around the firewall) and correct the firewall rules.
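The dual-NIC check above is easy to automate once you have an asset inventory that lists every interface. The following is an added example written for this article, not code from Verve or from the original text: it maps each address in a constructed inventory to a network zone and reports hosts that span more than one, ranking a host that joins enterprise IT directly to the control network above one that merely sits on a DMZ boundary. The zone CIDRs, hostnames and addresses are assumptions; a real site would take them from its network design and inventory tool.

```python
"""Flag dual-homed hosts from an asset inventory (added example, not Verve code).

A host with one NIC in the control network and another in the enterprise
network is a path around the DMZ firewall. Given an inventory that lists each
asset's IP addresses, map every address to a zone and report assets that span
more than one zone, ranked by how much of the segmentation they bypass.
"""
import ipaddress
from typing import Dict, List

# Zone boundaries are assumptions for this example. A real site takes them
# from its network design (Purdue levels) or from the asset-inventory tool.
ZONES: Dict[str, List[str]] = {
    "enterprise_it": ["10.1.0.0/16"],
    "ot_dmz": ["10.2.0.0/24"],
    "control": ["192.168.10.0/24", "192.168.11.0/24"],
}

# Constructed inventory records, shaped the way passive discovery or an
# endpoint agent would report them. Hostnames and addresses are invented.
INVENTORY = [
    {"host": "hmi-01", "ips": ["192.168.10.21"]},
    {"host": "historian", "ips": ["10.2.0.15", "192.168.10.5"]},
    {"host": "eng-ws-03", "ips": ["10.1.44.12", "192.168.11.40"]},
    {"host": "plc-07", "ips": ["192.168.11.7"]},
    {"host": "jumpbox", "ips": ["10.1.9.9", "10.2.0.30"]},
]


def zone_of(ip: str, zones: Dict[str, List[str]] = ZONES) -> str:
    """Return the zone whose CIDR contains ip, or 'unknown' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in zones.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return "unknown"


def find_dual_homed(inventory, zones: Dict[str, List[str]] = ZONES) -> List[dict]:
    """Return assets whose interfaces sit in two or more zones.

    'high' means the host directly joins enterprise IT to the control network,
    bypassing the DMZ entirely. Anything else still crosses one boundary and
    needs review, so it is reported as 'medium'. An interface in an address
    range that no zone covers counts as its own zone ('unknown'), which also
    deserves a look: it may be a cellular modem or a vendor laptop.
    """
    findings = []
    for asset in inventory:
        spanned = sorted({zone_of(ip, zones) for ip in asset["ips"]})
        if len(spanned) < 2:
            continue
        direct = "enterprise_it" in spanned and "control" in spanned
        findings.append({
            "host": asset["host"],
            "zones": spanned,
            "severity": "high" if direct else "medium",
        })
    # Worst first, then alphabetical so the report is stable between runs.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["host"]))


if __name__ == "__main__":
    for finding in find_dual_homed(INVENTORY):
        print(f"{finding['severity']:6} {finding['host']:12} {', '.join(finding['zones'])}")
```

The output of this check is a work list for the local team, not an automatic firewall change: the historian in the sample legitimately straddles the DMZ and control zones, and the right fix is to confirm its rules, whereas the engineering workstation with a leg in both enterprise IT and control is the kind of host that lets ransomware walk straight past segmentation.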

On the threat response side, we can also detect a threat as it moves into the environment. One of the most effective ways of doing this is what are called canary files. We deploy a small decoy file on every server and workstation. Nothing in the environment ever writes to that file, but ransomware, which tries to encrypt every file it can reach, will overwrite, rename or delete it.

The minute that file is modified, we send an alert that the machine is being encrypted. Two caveats from practice: alert on changes to the file, not on reads, because backup agents, antivirus scanners and search indexers will open it; and name it so it sorts early in a directory listing and looks worth encrypting, so it trips before the real data is gone. We can also alert on unplanned changes to the controllers or field devices, monitor for anomalous file access, alert on traffic coming from outside the demilitarized zone (DMZ), etc.
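To make the canary mechanism concrete, here is an added example written for this article; it is not Verve's product code and not part of the original text. It plants a decoy file with random contents, records its fingerprint, and then checks whether the file has been overwritten, renamed with an appended extension, or deleted. The decoy filename is an assumption, and the "ransomware" is a constructed stand-in that only scribbles over files in a temporary directory so the tripwire can be exercised offline.

```python
"""Canary-file tripwire for ransomware (added example, not Verve's product code).

Plant a decoy file with random contents, remember its fingerprint, then check it
on a schedule. Reads by backup agents or AV scanners do not change the file and
do not trip it; an in-place overwrite, a rename with a new extension, or a
deletion does. The 'ransomware' here is a constructed stand-in that only
scribbles over files in a scratch directory.
"""
import hashlib
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# The decoy name is an assumption: it should sort early in a listing, look like
# something worth encrypting, and never be opened by staff.
CANARY_NAME = "~$finance_backup.xlsx"
CANARY_SIZE = 4096


def plant_canary(directory: Path) -> dict:
    """Write the canary and return the baseline the checker compares against."""
    path = Path(directory) / CANARY_NAME
    content = secrets.token_bytes(CANARY_SIZE)
    path.write_bytes(content)
    return {"path": str(path), "sha256": hashlib.sha256(content).hexdigest(), "size": len(content)}


def check_canary(baseline: dict) -> Optional[dict]:
    """Return None if the canary is intact, else an alert saying what happened."""
    path = Path(baseline["path"])
    if not path.exists():
        # Most families rename as they encrypt (report.xlsx -> report.xlsx.locked),
        # so look for our name with something appended before calling it deleted.
        renamed = sorted(p.name for p in path.parent.glob(CANARY_NAME + "*"))
        if renamed:
            return {"path": baseline["path"], "reason": "renamed", "detail": renamed[0]}
        return {"path": baseline["path"], "reason": "missing", "detail": "canary deleted"}
    data = path.read_bytes()
    if hashlib.sha256(data).hexdigest() != baseline["sha256"]:
        return {"path": baseline["path"], "reason": "modified",
                "detail": f"size {baseline['size']} -> {len(data)}"}
    return None


def simulate_ransomware(directory: Path, rename: bool) -> None:
    """Constructed stand-in: overwrite every file with random bytes and optionally
    tack on a '.locked' extension. Only ever run this on a scratch directory."""
    for p in list(Path(directory).iterdir()):
        if p.is_file():
            p.write_bytes(secrets.token_bytes(p.stat().st_size))
            if rename:
                p.rename(p.with_name(p.name + ".locked"))


def run_demo() -> dict:
    """Plant a canary beside some ordinary files, check it, attack, check again."""
    results = {}
    for stage, rename in (("overwrite", False), ("rename", True)):
        with tempfile.TemporaryDirectory() as tmp:
            share = Path(tmp)
            for name in ("pump_setpoints.csv", "hmi_screens.bak"):  # constructed filler
                (share / name).write_text("sample data\n")
            baseline = plant_canary(share)
            results[f"{stage}_before"] = check_canary(baseline)
            simulate_ransomware(share, rename=rename)
            alert = check_canary(baseline)
            results[f"{stage}_after"] = alert["reason"] if alert else None
    return results


if __name__ == "__main__":
    for stage, outcome in run_demo().items():
        print(f"{stage:17} {outcome}")
```

In production the baseline lives with the central SOC, `check_canary` runs from a scheduled task or a file-change watcher on each host, and any non-None result is forwarded as an alert that names the host so the local team can isolate it. Exclude the canary path from backups and indexing so those tools neither restore it over an encrypted copy nor generate noise.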

OT systems management

The OT landscape is challenging because we see so many different architectures, device backplanes, etc. So how do we deal with it? We define our approach as "OT systems management," which starts with a robust asset inventory and the visibility to see everything there is to know about every asset in your environment: vulnerabilities, patches, installed software, users and accounts, etc.

From this deep view of your assets, you can build systems management that manages vulnerabilities without traditional active scanning tools, which are unsafe against many OT devices. Once the inventory is in place, patches can be applied in an automated way to drive efficiency.

OT asset inventory is only the beginning of a robust endpoint management program. A robust OT systems management program includes configuration hardening, user and account management, software management and more.

In many cases, OT systems are insecure by design and unpatched, making them ripe for ransomware. OT systems management is the foundational element that enables reliable and secure control systems.

Verve Industrial is a CFE Media content partner
