Assessing ransomware risk in IT and OT environments

Courtesy of CFE Media and Technology
Courtesy of CFE Media and Technology

Cybersecurity insights

  • Ransomware is a type of cyberattack where a threat actor steals data from a company and holds it for ransom — although companies have been known to pay the ransom and get nothing in return.
  • When dealing with ransomware, it is important to compare the cost of preventing attacks against the cost of paying a ransom, also known as ransomware risk analysis.
  • The more complex a system is, the more difficult it is to assess ransomware risk, but there are ways to mitigate ransomware risk with complex system analysis code.

Ransomware has become a prevalent form of attack on a multitude of industrial sectors in the last year. According to Dragos threat intelligence and other accounts, manufacturing organizations have been hit the hardest by ransomware – with a ratio of almost two to one when compared with other industries — showing the rise of ransomware risk. During the last six months, ransomware actors have ransomed many manufacturing organizations, including Molson Coors, Honeywell, JBS and Colonial Pipeline.

In the first half of 2021, the average remediation cost of ransomware cyber attacks reached approximately $1.85 million. This includes downtime, people hours, device costs, network costs, lost opportunities, ransom paid, etc.

Industrial organizations and governments are struggling to get their hands around this increasingly complicated cybersecurity issue. This blog presents a new way to look at the ransomware problem using complex systems analysis and advanced mathematics.

What is ransomware?

Ransomware creates unusable file systems and can halt processes, stop production, disrupt distribution, and cause weeks-long headaches for victims. The goal is to extort money from victims by denying access to their file systems and requiring payment to regain control of processes.

Ransomware techniques are varied but have common themes in accessing IT and operational technology (OT) infrastructure through known vulnerabilities. Ransomware actors capitalize on a perfect storm of antecedent conditions:

  • Weak boundaries between OT and IT
  • Poorly understood interactions between systems in OT
  • Poorly understood interactions between systems of systems between enterprise IT and OT
  • Remote access schemas put in place to serve work-from-home pandemic needs.

Once the threat actors achieve initial access to the organization’s critical systems, they execute other programs to gain a foothold to move laterally to other connected systems. Best practices and better defense-in-depth architecture have proven ineffective against the blended approaches ransomware actors employ.

Ransomware victims have very difficult decisions to make in short order: How do we restore operations? How can we quickly and easily stop the money hemorrhage? How can we keep our shareholders happy? These are among the myriad questions facing ransomed organizations.

In some cases, organizations have paid the ransoms only to find that their systems don’t function properly even after the decryption keys are released and the systems are restored.

Ransomware risk analysis compared to cost to reduce risk

Organizations must consider the cost of actions to reduce ransomware risk compared to the cost of recovering from a ransomware attack. The cost of reducing risk can be substantial, but an even greater cost is the risk of losing days, weeks, or potentially months of manufacturing, distribution and delivery.

Organizations are faced with a complex system optimization problem balancing the up-front cost of security controls, implementation, and cyber hygiene against exposure to ransomware attack vectors (unpatched vulnerabilities) with the potential cost of ransoms.

The activities to reduce risk can be substantial and include:

  • Security controls: defense-in-depth methodologies such as segmented networks and establishing a clear understanding of how OT and IT interact
  • Implementation: auditing, secure access controls, secure remote access controls, updated software and hardware across both IT and OT spectra
  • Cyber hygiene: strategic security plan to adjust to changing needs of the organizational IT and OT

Given this scenario, assessing ransomware risk is a perfect fit for complex systems analysis.

Assessing ransomware risk with a complex systems approach

Complex systems are intrinsically difficult to model due to the dependencies, competitions, relationships, or other types of interactions between their parts or between a given system and its environment. This research proposes that ransomware is successful due to a lack of understanding of how complex systems interact with other complex systems.

The study of complex systems regards collective behaviors as the fundamental object of study, rather than looking at their constituent parts and the individual interactions between them. At its core, complex systems analysis considers how systems with many components (abstract or real) interact with other systems and their components.

Most complex systems have three to seven characteristics that define them. We can break the complexity for this research down into four categories: IT, OT, Access Control and Auditing.

Complex systems analysis is relevant to ransomware prevention because it considers how these systems interact. A complex equation for security might look like this, for example:

F(S)=[(s(IT) s(OT) s(AC) s(AU))]

The functions of the security of IT, OT, Access Control, and Auditing comprise the F(S) or the function of security. It instructs the reader on how to create a generalized formula for each function, and references thought leaders in complex systems theory.

Each variable x1+x2+x3…xn represents a measure taken to improve the organization’s cyber defense posture. There can be any number of such measures and a measure can mean a patch, a configuration, a detection or any measure taken to secure an infrastructure.

This mathematical approach to solving the ransomware problem is not a “silver bullet” but it aims to describe a security system using complex systems analysis as the foundation. It further creates a more comprehensive understanding of the variables, their interconnectedness and a potential approach for multiplicatively solving the problem.

Understanding the results

You may be startled by the results of simulating your operations in this model. Because even in relatively well-secured environments, this risk assessment method yields low numbers – meaning, not well prepared.

This mathematical approach puts weight on the value and necessity of measuring the usefulness of assets that perform security functions in a given environment. More work is needed in the measuring of security implementation artifacts and tweaking the formula to determine “overall security.”

This is by no means a fail-safe measurement tool for “absolute security,” and generally speaking, absolute security is unattainable in the majority of contexts. Understanding asset management and the security posture of each asset taken separately or as a whole is the strength of this approach.

Regardless of your results, improving the visibility of OT assets, reviewing the architecture of IT and OT networks and conducting tabletop exercises to practice responding to ransomware attacks will help safeguard your operations.

– This originally appeared on Dragos’ website. Dragos is a CFE Media and Technology content partner.

Original content can be found at Dragos.




Keep your finger on the pulse of top industry news