Ransomware Attacks and OT: Expert Interview Series, Hayley Turner, Darktrace

When it comes to cybersecurity, there has been one word on everyone’s lips of late: ransomware. Ransomware attacks are surging. Major companies like the Colonial Pipeline, meat supplier JBS, and Kia Motors have all found themselves in the crosshairs. But it’s not just large companies getting hit, and it’s not just information technology (IT) that’s under attack. Operational technology (OT) systems can also be compromised — in fact, there is malware that has been specifically designed to impact OT systems — and that can have huge ramifications on critical national infrastructure, says Hayley Turner, director of industrial security at Darktrace.

One of the primary reasons for the rise in ransomware attacks is the increased connectivity of the industrial control system (ICS) environment. Not long ago, if you wanted to infect an OT environment with ransomware, you would have needed to physically gain access, perhaps with infected media like a USB stick. But these days, systems are far more open, connected and accessible, and that connectivity is coming from a range of different places. COVID-19 lockdowns, which forced companies to increase the level of remote connectivity for third-party contractors and OT engineers, opened up many new avenues for attackers, but Turner also cited the adoption of new technology platforms like ICS cloud, ICS-as-a-service and industrial IoT devices.

The spillover effect

While OT systems and critical infrastructure are increasingly being impacted by ransomware attacks, that doesn’t always mean they’re being targeted.

“A lot of the ransomware attacks that we’re seeing are genuinely accidental in their impact on the operating environments of critical infrastructure,” Turner said. “In fact, a lot of ransomware-as-a-service (RaaS) operators will specifically say, ‘Our product is not to be used against critical infrastructure.’ But the reality is, once an attack has been launched, it’s very, very difficult to contain.

“The extreme example of that being NotPetya. I think it was originally targeted toward the Ukrainian financial system and shut down the Port of LA, for example, amongst many other things. So there is that accidental impact where these attacks are spilling over, or they’re impacting some crucial IT systems and resulting in some manual shutdowns.”

Another example of that was the Colonial Pipeline. There’s no evidence the attacker intended to actually shut down the pipeline, but the impact at the end of the day was the same. Out of an abundance of caution and because of Colonial’s interconnected systems, they temporarily halted operations, causing runs on gasoline in many southern U.S. states.

Another reason for the increased volume of ransomware attacks is that they’re easier than ever to unleash. You used to need a lot of highly specialized ICS knowledge to launch a ransomware attack against the OT operations of a major company. That’s not necessarily the case anymore. Threat actors looking for a quick payout can purchase commodity malware online and take advantage of companies’ increasingly interconnected platforms.

“These days, you could have some IT ransomware that perhaps has a small OT-specific module appended to it, and off you go,” Turner said. “Definitely, the barrier of entry has been reduced dramatically.”

Targeting ICS systems

However, there has been a lot more direct and deliberate targeting of ICS environments in recent months, said Turner, and for good reason. Critical infrastructure is a big pressure point, so it’s easy to understand why attackers go after it.

“If you’re running a hospital, a gas pipeline, an electricity grid, and an attacker has managed to shut down your systems, you’re going to feel an awful lot of pressure to give in to the attacker’s demands, because society is basically counting on us to get it back up and running,” Turner said.

When a threat actor can impact the operating environment of any industry — but especially critical infrastructure — the stakes are high across a range of different domains. First, the financial impact of shutting down operations can be enormous, running into the millions of dollars per day depending on the industry and the scope of the compromise. But there’s also the compounding impact of reputational damage. If you factor in the supply chain, things get even more complicated. An attack on one company can make it difficult for companies upstream and downstream to get their products and services to market. The biggest risk, however, might be the one to national security.

“One of the most important things that make these attacks particularly of concern is that they can cause physical damage, physical harm to human safety, to the environment,” Turner said. “You might be talking about environments with high pressure, high temperatures, high voltage, for example. A sudden unplanned shutdown of these operations could have very significant implications for either the environment, with the release of toxic chemicals, for example, or to human safety, as well.”

Ransomware attacks and critical infrastructure

According to Turner, there are a number of different ways ransomware can compromise critical infrastructure. There’s the traditional, direct route of introducing ransomware directly into the operating environment. For example, an employee could plug an infected USB stick into an ICS workstation. But it’s far more common these days to see hackers using traditional IT attack methodologies, such as a phishing email or a watering hole attack, to get onto the enterprise network and create an initial foothold in the IT environment. From there, they can leverage IT/OT convergence to pivot directly into the operating environment, but there are also accidental spillovers. Turner said WannaCry is an example where the attack came in via IT and ended up unintentionally impacting ICS environments.
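The pivot from an IT foothold into the operating environment described above is exactly what a defender wants to see early. The following is an added example, not code from the interview or from Darktrace, that runs a simple boundary-crossing check over constructed flow records: any session initiated from the enterprise zone into the OT zone is flagged, with a higher severity when it lands on a well-known ICS protocol port. The zone address ranges, the single authorized jump host, and the `src dst dport proto` log format are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout (assumption, not from the interview):
# enterprise IT on 10.10.0.0/16, OT/ICS on 10.200.0.0/16, and one
# authorized jump host in IT that is permitted to reach OT.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.200.0.0/16")
AUTHORIZED_JUMP_HOSTS = {ipaddress.ip_address("10.10.5.5")}

# Well-known ICS protocol ports. An enterprise host reaching one of these
# directly is the highest-confidence signal of an IT-to-OT pivot.
ICS_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed 'src dst dport proto' format."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def classify(flow: Flow):
    """Return None for an expected flow, otherwise an alert string."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Only sessions initiated from IT into OT are of interest here;
    # IT-to-IT and OT-to-OT traffic is left to other controls.
    if src not in IT_ZONE or dst not in OT_ZONE:
        return None
    # The approved remote-access path is allowed through.
    if src in AUTHORIZED_JUMP_HOSTS:
        return None
    protocol = ICS_PORTS.get(flow.dport)
    if protocol:
        return f"HIGH: {flow.src} -> {flow.dst}:{flow.dport} ({protocol}) from IT zone"
    return f"MEDIUM: {flow.src} -> {flow.dst}:{flow.dport} crosses the IT/OT boundary"


def find_pivots(lines):
    """Run the boundary check over an iterable of flow lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alert = classify(parse_flow(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample flows: ordinary IT traffic, the approved jump host,
# a workstation talking Modbus into OT, a lateral SMB attempt into OT,
# and normal OT-to-OT polling.
SAMPLE_FLOWS = """
# src          dst           dport proto
10.10.3.14     10.10.3.20    445   tcp
10.10.5.5      10.200.1.10   3389  tcp
10.10.3.14     10.200.1.10   502   tcp
10.10.3.14     10.200.1.11   445   tcp
10.200.1.10    10.200.1.12   502   tcp
"""

if __name__ == "__main__":
    for alert in find_pivots(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

In practice the zone definitions would come from the site’s network architecture rather than hard-coded ranges, and the check would run continuously against flow or firewall logs so that an IT compromise is visible before it forces the kind of precautionary manual shutdown Turner describes.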

The bigger concern, according to Turner, is when ransomware disturbs operations without ever reaching that environment — where the attackers don’t intend to shut down OT, but it happens anyway.

“Some companies may be set up that without particular levels of visibility, for example, over the operating environment from IT systems that are running in the enterprise network, they can’t have confidence in those operations, and they need to shut them down,” Turner said. “Or examples where the company can’t be confident that they have sufficient visibility over their environment and over the areas of convergence between their industrial and their enterprise networks, that once the attack has taken hold in the IT environment, they feel that they need to have a manual shutdown, because they don’t have confidence that it’s been contained. I believe Colonial was an example of that, where in an abundance of caution, they had to power down their systems so that they could be confident that the ransom agent didn’t come in and do it for them.”

Even though most ransomware attacks have come in through IT systems, OT doesn’t get a free pass. Companies and government agencies need to create a holistic cybersecurity approach that brings IT and OT professionals to the table. The two sides don’t always speak the same language, and they need to work together to protect modern, interconnected environments from motivated attackers.

“There’s ransomware that we’re seeing that has been specifically designed to impact an OT system,” Turner said. “Traditional ransomware tends to have a pretty significant impact anyway, given there is a lot of IT equipment that tends to run at the upper levels of an OT environment, but we’ve seen examples — Ekans, for example, the ransomware which impacted the Honda factory last year — that had actual ICS mechanisms in its kill list. It was designed to shut down aspects of an operational environment. We’re definitely seeing an increase in that sort of direct targeting.”

Watch for Part 2 of our interview with Darktrace’s Hayley Turner in the coming weeks, where she will discuss how to defend against ransomware attacks, recent cyber trends, and how to get IT and OT to work together. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.
