When discussions of cybersecurity arise, there’s one topic that’s impossible to avoid these days: ransomware. Ransomware is a type of malware that infiltrates computer systems and networks and restricts access to data by encrypting files until the victim agrees to pay a ransom. In theory, once the ransom is paid, the cybercriminal provides a decryption tool so companies can regain access to their critical information.
These types of attacks have been surging in the last year, with threat actors striking major pieces of critical infrastructure like the Colonial Pipeline and JBS. But these large companies are far from alone. According to the Department of Justice, more than 4,000 ransomware attacks have occurred daily in the U.S. since 2016, and ransomware is currently the most prominent malware threat going. Everyone from higher education to health care facilities to small manufacturers is in the crosshairs, as attacks continue to get more sophisticated and more costly. The pandemic, coupled with more people working from home, has only increased the prevalence of ransomware.
So why are these attacks, especially on national critical infrastructure, on the rise?
“The one thing about critical infrastructure is that it’s all based about productivity,” said Ron Brash, director of cybersecurity insights at Verve Industrial Protection. “If the product needs to move from point A to point B, in the case of a pipeline, if you’re manufacturing, most of the stuff is just-in-time, so you’re going to have a sense of urgency. And that sense of urgency and that nonstop flow makes you a very good target for criminals because they know that you’re more likely to pay.”
Mastering the basics
In most of these incidents, companies that have fallen victim to ransomware are missing the cybersecurity basics, making them more susceptible to attack. Often, critical cybersecurity positions are going unfilled, legacy systems are left unpatched and significant budgets are not being appropriated to information technology (IT) and operational technology (OT) security. And it’s not just small companies leaving the front door unlocked, said Brash. Large, sophisticated technology companies like SolarWinds and Kaseya are just as guilty.
“The problems that we’re seeing in ransomware and cybersecurity basics are largely around the fact that, to correct the rot, the security rot, that’s present in these environments is going to be very costly,” Brash said. “Most organizations don’t put aside the appropriate amount as a capital expenditure to put in place the basics, to re-orchestrate their networks, to harden those old legacy systems that they’re dependent on. Like scheduling for pipelines to get product in and out, those are ancient systems that are probably running on an old IBM AS400 kind of system. That’s the nature of the beast.”
One of the reasons the cybersecurity basics haven’t improved in many companies is the process requires downtime. Systems might need to go offline, which means loss of profit. If a pipeline, for example, can’t move oil, the pipeline company can’t make money until its systems are back online.
“Basically, we bought a car, we didn’t change the oil in it, we didn’t change the brakes on it, and we’re wondering why the engine is blown,” Brash said. “That’s where we’re at today with ransomware.”
To protect against ransomware and other cyberattacks, many companies are using tools like sensors and passive network monitoring. While those do have value, they should not be a starting point. Brash said they are a capability best added later, once you have the basics down pat.
“What good is having an alarm on your house if the thief is going to come into my back office here, smash the window, grab my laptops, grab my monitor and be gone in 30 seconds,” he said. “That’s ransomware. They get in, it’s over in a couple of minutes and it’s spreading like wildfire. If you’ve got alarms, what are you going to do? By the time the service ticket winds up on a bunch of people’s desks, it’s already over. You’re dealing with an incident.”
Money well spent
Having a good backup is an essential part of cybersecurity, but that’s only part of the solution. Brash said company money might be better spent elsewhere.
“If I were to spend $300,000 on sensors in the equipment, I would much prefer that asset owner spend 300 grand on other things that are more enabling,” he said. “If your network is on old managed switches or 1 gigabit but you actually need 4 gigabits of bandwidth, spend the 300 grand on things that are going to give you something today but also into the future. That are going to allow you to then do backups and recovery at scale, because now you have the bandwidth to do so on your network infrastructure. You need those core things.
“If you build a house, if you’re going to build it on sand, you’ve got to drive down piles. You don’t want to have a house on shaky ground. So do the right things to solidify that basis before you move forward into bells and whistles and silver bullets that don’t solve your problems.”
As Brash said, ransomware attackers are always looking for critical pain points, industries that must maintain their service and can’t afford to go offline. This can include everything from manufacturers to hospitals. Most cyberattacks begin on IT systems, but because modern networks are interconnected, they often spill over onto OT systems. Threat actors understand they don’t have to break or disable complicated OT technology to shut down production.
Brash uses the example of a pulp and paper manufacturer. There are machines that make big rolls of paper, but there are also machines tracking the paper and checking for defects. This eventually leads to accounts receivable so companies can handle payment and processing.
“If all that goes down, you don’t even have to break the pulp and paper machine,” Brash said. “You just need to break the tracking, and [systems go offline]. That was true at Honda. Honda had a bunch of just-in-time manufacturing facilities. So you’ve got a bunch of cars on the road. They’re all welded, they’re all set up, and they’re waiting on the engines to be delivered that day for that batch at a certain time. No engines, the line doesn’t move, cars don’t come off the line into the next step, which might be putting wheels on it. You break the system very easily, even though it’s not proper OT or industrial control system-related.”
And businesses need to game plan for almost any cyber eventuality. Once networks go down, many are forced into using old-school paper and pen tracking, so they need to have systems and training in place to facilitate that.
“It’s not just about backups and it’s not just about basics, but do you have the processes and the business continuity and disaster-recovery plans, DCPs (data continuity plans) and BRPs (business resumption plans), to continue moving on?” Brash said. “That’s the piece that’s not there yet, and that’s why people choose to pay the ransom. A: because there’s no consequence really for paying it, and it’s cheaper than actually doing the right thing in the first place.”
The ransomware payout
With ransomware, attackers are usually just looking for a simple — and sizable — payout. The question of whether a company should pay or not is a complex one, but the answer often comes down to a cost-benefit analysis.
If a company’s profit margins are strong and they’re making money, the last thing they’re going to want to do is shut down. Companies generally look at how much the outage is costing them and compare that to the amount being demanded by the attacker. Unfortunately, it’s often cheaper to pay the ransom and move on. But Brash said there’s more to consider than just the profit-loss sheet.
“Because [many businesses] just pay it, as if it’s like a tax that someone decided — it’s like a toll going over a bridge that you didn’t really want to pay, but you will pay — they’ll just do it and they’ll write it off. It’s a business loss. Great. Shareholders don’t care. The company is still making money. Everything’s wonderful.
“That’s where we start to wind up in problems, where you start to apply the ethics of it. Does it make sense to be paying someone that’s very likely to attack you again? Or are you financing something else that you shouldn’t be financing in another country? That’s another conflict of it. So I think what needs to happen is paying ransom should not be your playbook. That should not be what your go-to plan is when this event occurs.”
Brash argued that company money is much better spent preventing attacks than responding to them. Instead of losing profits to hackers, forward-thinking manufacturers should put that money into improving their systems. If threat actors are willing to expend time and effort, businesses must be, as well.
“When you think about it, most critical infrastructure and most manufacturing environments are papier-mâchéd together. We’ve got to start doing some proper capital expenditures to actually get those things moving and get them maintained,” Brash said. “To fix it, you’ve got to at least put in the core infrastructure that would enable your business to run on the worst days possible.”
Keep an eye out for Part 2 of our interview with Verve’s Ron Brash in the coming weeks, where he will discuss the government response to increasing cybersecurity threats. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.