CISA released two alerts on threats to critical infrastructure operations. The first was an alert about a series of attacks on water and wastewater systems over the past year, primarily involving ransomware but also insider threats and other risks. The second highlights the emergence of a ransomware-as-a-service variant (according to CISA, possibly a rebranding of the DarkSide RaaS group) called BlackMatter. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.
These two advisories come on the heels of a June 2021 fact sheet on the “Rising Ransomware Threat to Operational Technology.” All three of these documents provide suggestions on remediation and response strategies critical infrastructure operators can take to protect themselves from the risks of ransomware and other OT attacks.
You can find links to these three reports here:
- Rising Ransomware Threat to Operational Technology Assets – CISA fact sheet, June 2021
- BlackMatter Ransomware – Joint Advisory from CISA, FBI, NSA, October 2021
- Ongoing Cyber Threats to U.S. Water and Wastewater Systems – CISA Alert (AA21-287A), October 2021
These alerts and recommendations highlight the increasing threats to the world’s critical infrastructure. While CISA is a United States entity, the threats are not limited to organizations in the U.S. Over the past two years, ransomware has become a major threat to all industrial organizations, as attackers have realized the profitability of targeting infrastructure whose unavailability causes significant safety issues or financial costs. According to the 2021 SANS survey on OT/ICS Cybersecurity, ransomware has moved from fifth or sixth on the list of greatest risks to number one by a large margin.
Defend, detect and recover from ransomware
CISA recommends a series of actions to defend, detect and recover from ransomware. We summarize these below, but there is a more detailed list and description of recommendations in the alerts and fact sheet.
- Prepare for a possible cyberattack
  - Identify all assets and categorize them based on their criticality to operations
  - Maintain visibility into changes in security status, especially backup status
  - Prepare and test incident response plans
  - Provide cybersecurity awareness training to OT personnel
- Mitigate potential threats
  - Identify and assess network and endpoint security control risks such as lack of appropriate network segmentation, insecure user and account access, unpatched or outdated systems, etc.
  - Remediate risks: conduct network segmentation, patch critical vulnerabilities, harden configuration settings and disable risky services, utilize application whitelisting, etc.
  - Monitor for threats, both through security monitoring of logs, flows, etc. for signatures of BlackMatter and other threat actors, and by monitoring the process and performance of OT systems for anomalous behaviors that may not appear to be security-related
- Respond and act on ransomware
  - Engage the incident response plan
  - Coordinate with CISA and other government entities to support response activities
All of the recommendations provided are solid security fundamentals for the protection of OT systems, and all critical infrastructure organizations would do well to follow these.
However, one of the biggest challenges we continually hear from organizations is “where do we begin?” As CISA recognizes in its reports, many water, wastewater, and other critical infrastructure organizations lack OT personnel skilled in cybersecurity. And anyone who works in OT security agrees that IT security policies, procedures, and technologies can cause harm to OT systems if not applied carefully and with proper attention to the sensitivity of these systems.
CISA’s suggestions are robust and comprehensive. They include elements of network security, endpoint management, endpoint protection, network and endpoint monitoring, incident response, backup and restore, etc.
Where should we begin with OT security?
Start with a detailed assessment and a specific, risk-based roadmap. One of the biggest gaps in OT security is a basic view of the current security status of the systems. Lack of knowledge of endpoint risks (such as vulnerabilities and patch status) and of user and account risks (such as dormant users or inappropriate access) makes it hard to know what is required to secure those assets. Industrial organizations often also lack visibility into networking rules, connectivity, and flows, so they cannot tell whether the system is appropriately segmented.
The good news is there are a range of assessment possibilities available. First, CISA offers its own assessment support to critical infrastructure operators. Second, there are many consulting organizations that can offer survey or questionnaire-based assessments. Finally, there are technology-enabled assessments that use OT-safe security technologies to gain deep visibility and specific endpoint recommendations. All of these options enable an organization to prioritize the greatest risks to secure its environment.
But some assessments can lead to challenges in implementing the recommended roadmaps. Often the assessment calls out gaps in network protections, backup procedures, lack of secure account management, etc., and suggests a roadmap with a series of somewhat disconnected initiatives. In many cases, this starts with “apply network segmentation between IT and OT” and separately, “update software and firmware on critical systems” and again, separately, “remove access for dormant or unnecessary accounts and users and change password policies.”
When the organization tries to execute these various initiatives with different parts of the team each pursuing their own focus area, frustration follows: the network segmentation is much harder than anticipated because the OT networks are not well documented, and determining what is connected to what, and what needs to be connected, becomes a long, challenging process.
Similarly, many OT devices cannot be upgraded or patched due to legacy requirements or OEM limitations. Without an integrated picture of the security risk of that asset and what compensating controls might reduce the risk of an unpatched system, the endpoint security efforts become frustratingly incomplete.
Benefits of a technology-enabled vulnerability assessment
First, this type of assessment provides an integrated, asset-by-asset risk view for balancing risk across endpoint, user, access, network, etc., as well as the appropriate sequencing of initiatives rather than siloed efforts.
Second, this vulnerability assessment approach leverages a consolidated view of all of the security management of each asset. For instance, if a system is missing key patches but cannot be patched, this consolidated view monitors compensating controls such as hardened configurations, deployment of application whitelisting in strict lockdown, or the presence of application and network firewalls, etc.
Third, it accelerates the remediation process. Because the assessment provides that asset-by-asset view, segmentation is much quicker, and determining the relative risk reduction from patching vs. whitelisting or other endpoint controls is more fact-based. And because the technology is already in place, the organization can accelerate the ultimate remediation processes at the endpoint level.
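As an added illustration of the asset-by-asset view described above (this is not code from CISA or from the post's author; the asset records, the risk weights and the control names are constructed for the example), the following script ranks a small OT inventory by residual risk and, for devices that cannot be patched, recommends which compensating controls are still missing instead of a patch:

```python
"""Asset-by-asset OT risk view with compensating controls (illustrative model)."""
from dataclasses import dataclass, field

# Constructed set of compensating controls that offset unpatched exposure.
COMPENSATING = {"whitelisting_lockdown", "host_firewall", "hardened_config"}

@dataclass
class Asset:
    name: str
    criticality: int                 # constructed 1 (low) .. 5 (process-critical)
    missing_critical_patches: int
    patchable: bool                  # False for legacy / OEM-locked devices
    compensating_controls: set = field(default_factory=set)
    dormant_accounts: int = 0
    segmented_from_it: bool = True
    backup_verified: bool = True

def residual_risk(a: Asset) -> float:
    """Weighted score; the weights are an assumption of this example, not CISA's."""
    score = 0.0
    if a.missing_critical_patches:
        exposure = 3.0 * a.missing_critical_patches
        # each compensating control reduces, but never removes, unpatched exposure
        present = len(a.compensating_controls & COMPENSATING)
        exposure *= max(0.25, 1.0 - 0.25 * present)
        score += exposure
    score += 2.0 * a.dormant_accounts
    score += 4.0 if not a.segmented_from_it else 0.0
    score += 3.0 if not a.backup_verified else 0.0
    return round(score * a.criticality, 1)

def recommend(a: Asset) -> list:
    """Actions for one asset; unpatchable devices get compensating controls, not 'patch'."""
    actions = []
    if not a.segmented_from_it:
        actions.append("segment from IT")
    if not a.backup_verified:
        actions.append("verify backups")
    if a.missing_critical_patches:
        if a.patchable:
            actions.append("patch")
        else:
            missing = sorted(COMPENSATING - a.compensating_controls)
            if missing:
                actions.append("add compensating controls: " + ", ".join(missing))
    if a.dormant_accounts:
        actions.append(f"remove {a.dormant_accounts} dormant account(s)")
    return actions

def prioritized_roadmap(assets: list) -> list:
    """Highest residual risk first: (name, score, actions) per asset."""
    ranked = sorted(assets, key=residual_risk, reverse=True)
    return [(a.name, residual_risk(a), recommend(a)) for a in ranked]

# Constructed sample inventory (not real assets).
SAMPLE = [
    Asset("HMI-1", 5, 2, False, {"whitelisting_lockdown"}, 1, False, True),
    Asset("HIST-1", 3, 1, True, set(), 0, True, False),
    Asset("PLC-7", 5, 0, False, {"hardened_config"}),
    Asset("ENG-WS", 2, 3, True, set(), 3, True, True),
]

if __name__ == "__main__":
    for name, score, actions in prioritized_roadmap(SAMPLE):
        print(f"{name:7} {score:6}  {'; '.join(actions) or 'no action'}")
```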