By Gregory Hale
Ransomware certainly has been the hot news topic across the United States over the past few weeks after attacks on a huge pipeline company, a huge meat packing company, a ferry line and insurance companies, just to name a few.
The federal government, jumping at a chance to curry favor with voters, is promising remedies and advice while it continues to stir the pot of fear. Feds have been charging forward, though, in an effort to gain a stronger foothold in working with the private sector by doing things like including language in President Biden’s executive order on cybersecurity. Plus, the feds came out with a plan where critical pipeline owners and operators will end up required to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) under the new security directive unveiled late last month by the Department of Homeland Security’s Transportation Security Administration (TSA).
In the wake of the hype over ransomware attacks, more security companies are coming out with solutions they promise will eradicate these types of attacks for the future. “Just buy our product and ransomware will not be a problem for you,” the marketers are saying. A ransomware silver bullet.
Have a Plan
While the added attention and focus from the federal government is a great thing, and will help in the long run, security professionals in the industry are aware these types of attacks have been around for a period of time. If anyone wants to stop them, there has to be a solid security program in place that focuses on resiliency, and everyone in the organization needs to be aware of it.
“This has been going on for a while. But there is no doubt it is on the rise. Cyber criminals have realized it is a good market for them,” said John Cusimano, vice president of industrial cybersecurity at aeSolutions back in November. “Manufacturing and healthcare have been a good target for them. They have recognized for these industries, uptime is so important for them. In some cases, victims are willing to pay the ransom.”
Don’t get caught up in the hype swirling around. Yes, ransomware is a huge issue and bad guys will continue attacks because it is simple: It works, and it is very profitable.
To Pay or Not to Pay
While Department of Energy Secretary Jennifer Granholm this past Sunday called for more public-private cooperation on cyber defenses, she added to the hype for consumers, and voters, by stating something security professionals in the industry already know: adversaries already are capable of shutting down the U.S. power grid.
“Even as we speak,” she said, “there are thousands of attacks on all aspects of the energy sector and the private sector generally.”
One of those companies, Colonial Pipeline Co., suffered a crippling DarkSide ransomware attack last month, and the company temporarily shut down its gasoline distribution networks in the South before paying a $4.4 million ransom, a good portion of which the feds were later able to recover.
“The bottom line is, people, whether you’re private sector, public sector, whatever, you shouldn’t be paying ransomware attacks, because it only encourages the bad guys,” Granholm said.
However, Colonial chief executive Joseph Blount might beg to differ. While he may not have wanted to pay, he said he paid the $4.4 million ransom for the good of his company and because it was, as he said, the “right thing to do for the country,” since officials didn’t know the extent of the intrusion by hackers or how long it would take to restore operations. As it was, within a very short period of time after the shutdown, consumers got into panic mode and made a run on gasoline, which forced stations to run out of fuel.
Ransomware is a problem to say the least, but the bigger issue is making sure all manufacturers have a solid security program that will protect them from all types of issues that could harm an industrial control system. Cybersecurity can’t work and live in a vacuum anymore; there needs to be a complete, holistic program for companies to ensure a more secure environment.
For the manufacturing industry or any organization that leverages an industrial control system, the following are some best practices to protect against ransomware:
- Have a resilient model for operations (performing and testing backups, offline backups, testing operational restoration)
- Network segmentation – users operate in an industry where end-of-life legacy operating systems still support some of the most critical manufacturing processes. Segmenting these devices from the rest of the network can drastically reduce the cyber risk of that system. Network access control lists (ACLs), bump-in-the-wire firewall solutions and host-based firewalls are simple, cost-effective tools that can help stop ransomware from propagating across the network.
- Restricting removable disks – disabling USB drives on computers that connect to or are part of the OT device. This helps reduce malware infections from dirty USB sticks.
- Enabling least privilege mode on the operating system to restrict execution and access to certain applications.
- Take a holistic security approach that continually identifies, assesses and minimizes risks and threats to people, assets and operations, across the lifecycle. That strategy, as well as any technology solutions used to help detect, prevent and mitigate risks, need to be customized for each organization’s unique environment, as well as be flexible enough to change and adapt as operations and business change.
- Employ defense in depth controls across operations, as well as tested, multi-tiered backups. Routine maintenance, updating and patching also need to be priorities: When organizations learn about vulnerabilities that impact the devices and systems within their operations, they need to take immediate steps to upgrade to remediated versions or to put into place necessary mitigations that alleviate the threat of exploit.
- Training is critical: Making cybersecurity part of the operations lifecycle requires everyone, everywhere, to be responsible for cybersecurity.
- Application whitelisting or application safelisting, which is highly effective and protects against unknown viruses.
- Have a good back-up and restoration program. If your defenses fail, you can at least recover quickly because you have back-ups.
- Have a good inventory of all software, so if you are hit with ransomware you know what you have and you know what you have to restore.
- Patching is another measure to protect. It is never easy to implement a patch management program, but quite a few companies have come to the realization they need to patch.