Why should the industry protect IIoT assets against ransomware?

Ransomware is nothing new to security. It first appeared in 1989 and was distributed on diskettes. However, it took a surprising turn by becoming the preferred operating model of modern criminals: hijacking the critical resources of industrial environments and releasing them only in exchange for a ransom.

Keyboards are more effective than guns at taking industrial infrastructure hostage. The problem will only get worse until digital asset security is truly considered a priority for industry and critical infrastructure cybersecurity.

A large number of recent ransomware attacks have targeted industry and critical infrastructure traditionally dedicated to the production of physical assets. But most industries are rapidly migrating many of their IT platforms and remote access solutions to the cloud, exposing their control systems and factory sensors to attack vectors that originate in the cloud.

Ransomware attacks cost the industry millions each year

The industrial sector is generally considered to be safe from digital crime. But this is a mistake. In fact, 21% of ransomware attacks target industry. This is the sector that pays the highest ransom amount, with an average of $2.036 million in 2021.

All a motivated hacker needs to do is break into a manufacturer’s cloud security tools, remotely gain access to critical controllers or sensors, such as IIoT devices located in an industrial or factory environment, and take them out of operation. The physical risks of a digital intrusion then manifest themselves in a tangible way and force the victim to choose between paying a ransom or facing the consequences of a paralyzed business. For most victims, paying the ransom remains the cheapest option, but it still costs the company millions of euros.

Ransomware is a very tempting option for cybercriminals because it almost certainly guarantees financial gain. Ransomware as a service even exists on the dark web and comes with support services and support contracts to help budding cybercriminals pick their next victim.

Ransomware deployment is often the last step in a cybercriminal’s infiltration of an industrial environment. It starts with searching for critical assets to disable, uncovering intellectual property, and inquiring about the coverage offered by the intended victim’s cybersecurity insurance to determine the ransom price. Once in possession of this information, the attacker takes the infrastructure hostage in exchange for a ransom, which the majority of victims choose to pay. The criminal’s dream comes true.

Ransomware attacks on the industry carry real risks

The industry has long believed that cybercrime does not affect it. Whether an industrial production chain produces energy, steel or food, or carries out mining activities, for example, to what extent is it really targeted by cybercriminals? In fact, the risk of cybercrime is high.

In 2015, a steel mill in Germany was reported to have suffered what was described as the first example of property damage caused by a cyber attack. Cybercriminals were able to gain remote access to some of the plant’s critical control systems that were connected to its computer network and disabled them. As a result, critical sensors could no longer monitor heat levels in the plant, leading to a major blast furnace failure that these sensors were unable to shut down automatically.

The physical world has suddenly found itself exposed to entirely digital risks, and this reality is far from lost on cybercriminals.

Increase in cyber insurance premiums

The decision to pay a ransom in the event of an attack is not without risk for the victim. Cyber insurance companies now face serious revenue losses from paying out for ransomware attacks, something they were largely immune to before the resurgence of ransomware. Carriers are now forcing their customers to implement some form of segmentation on their network to make it harder for malware to circulate on it. If customers agree, their monthly premiums may go down, but cyber insurance premiums have still risen significantly in recent years.

Potential victims now have a financial incentive to place a premium on cybersecurity rather than relying solely on insurance to protect them.

Unintended Legal Consequences

The second risk is that many ransomware groups are based in countries that appear on the US government’s blacklist, the notorious OFAC (Office of Foreign Assets Control) Sanctions List. This is a list of foreign dictatorial regimes, drug traffickers, terrorist organizations, and arms dealers against whom the United States has imposed economic and trade sanctions in the name of national security. Anyone in the United States who does business with people on this list commits a crime.

If a ransomware group from a sanctioned country takes a US-based industrial asset hostage and the company decides to pay the ransom, it risks criminal liability because it will have done business with the group. By choosing to pay the ransom, which appears to be the cheapest option, the victim easily runs the risk of inadvertently exposing themselves to criminal and legal consequences.

Protecting Industrial Assets from Cybercrime: Stopping East-West Lateral Movements

Ransomware comes from somewhere. Typically, that somewhere is the IT side of the overall cyber architecture. All varieties of ransomware have one thing in common: they all like to move. Once a workload is compromised, the ransomware probes the open ports of that workload to use them as vectors and spread laterally to the next workload, and then to the industrial side of the infrastructure, thereby reaching its intended targets.

While most so-called perimeter security tools handle north-south traffic to prevent malware from entering a data center or cloud, ransomware takes advantage of the fact that controlling east-west lateral propagation at scale is a problem that has not yet been solved. State-of-the-art security tools located at the north-south border do not provide sufficient protection against inevitable breaches and east-west lateral propagation inside the protected network.

Zero-trust segmentation stops ransomware from spreading

The concept of zero trust requires enabling micro-segmentation, also known as zero-trust segmentation, on every workload within an IT environment, regardless of its scale. It is also necessary to adopt a least-privilege access model across all these workloads. Micro-segmentation aims to turn each workload into a separate zone of trust without relying on an underlying network device or cloud fabric to do so. Workload segmentation should depend as little as possible on the rest of the network’s segmentation.

The least-privilege access model across all workloads means that all ports connecting workloads to each other are denied by default. Workloads rarely have a genuine need for SSH or RDP access to one another. These ports are enabled in modern operating systems because administrators use them to manage workloads remotely, but such access is almost always limited to specific centralized administrative hosts.

These ports should always be disabled by default, then exceptions can be defined to allow access only to authorized administrative hosts. By segmenting each workload from all other workloads and closing all ports laterally between them, the ransomware will no longer have a way to spread laterally into the IT network or the industrial part of the network.

Ransomware can bypass perimeter security solutions, no matter how sophisticated they are, and once it does, it compromises the first workload it finds. Zero-trust segmentation can isolate this first compromised workload by disabling all ports between workloads and denying the ransomware any vector further into the network. Zero-trust segmentation blocks the propagation of breaches throughout the IT infrastructure. It also protects the industrial systems that underpin the architecture.

A second aspect of Zero Trust segmentation is traffic visibility between all deployed systems, whether on the industrial or IT side of the network. Traffic and behavior dependencies between sensors and control systems, for example, should also be clearly visible, as should traffic between IT network systems, whether on-premises or in the cloud.
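To make the two ideas above concrete, here is an added example (not code from the original article or any product it describes) of a per-workload deny-by-default policy with admin-host exceptions, evaluated over constructed flow records; the addresses, port exceptions and the three-peer threshold are all assumptions, and the report function shows how the same visibility data exposes a workload fanning out to its neighbours on SSH/RDP.

```python
"""Zero-trust segmentation policy check over east-west flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed environment (hypothetical addresses): IT workloads, one jump host, OT assets.
ADMIN_HOSTS = {"10.0.100.5"}            # only host permitted to reach SSH/RDP on workloads
ADMIN_PORTS = {22, 3389}
# Explicit business exceptions as (src, dst, port); every other lateral flow is denied.
ALLOW = {
    ("10.0.1.10", "10.0.1.20", 5432),   # app server -> database
    ("10.0.1.20", "10.0.2.30", 502),    # historian -> PLC over Modbus/TCP, the one IT->OT flow
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def decide(flow: Flow) -> str:
    """Default deny: admin ports only from admin hosts, other ports only if listed in ALLOW."""
    if flow.port in ADMIN_PORTS:
        return "allow" if flow.src in ADMIN_HOSTS else "deny"
    return "allow" if (flow.src, flow.dst, flow.port) in ALLOW else "deny"

def lateral_movement_report(flows, threshold=3):
    """Visibility: per source, the distinct peers it was denied SSH/RDP to.
    A source reaching for several peers on admin ports matches the probing behaviour
    described in the article; threshold is an assumed tuning value."""
    denied_peers = defaultdict(set)
    for f in flows:
        if f.port in ADMIN_PORTS and decide(f) == "deny":
            denied_peers[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in denied_peers.items() if len(dsts) >= threshold}

# Constructed flow log: normal traffic, legitimate admin access, and one workload probing peers.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", 5432),
    Flow("10.0.100.5", "10.0.1.10", 22),
    Flow("10.0.1.20", "10.0.2.30", 502),
    Flow("10.0.1.10", "10.0.1.20", 22),   # workload-to-workload SSH: no business need
    Flow("10.0.1.10", "10.0.1.21", 3389),
    Flow("10.0.1.10", "10.0.2.30", 22),   # IT workload reaching for an OT asset
    Flow("10.0.1.10", "10.0.2.31", 3389),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.port}  {decide(f)}")
    print("suspected lateral movement:", lateral_movement_report(SAMPLE_FLOWS))
```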

Strengthening cyber resilience

The cyber threat shows no signs of slowing down, and every business must take steps to protect itself. Businesses should protect their IIoT systems against ransomware with Zero Trust segmentation, because Zero Trust segmentation also provides visibility into the systems of the industrial infrastructure.

In fact, no industrial environment is safe from ransomware, regardless of its size. With Zero Trust segmentation, OT systems and IIoT systems deployed within the industrial architecture need not be exposed to the eyes of the next opportunistic ransomware group looking for its next target.

Effectively protecting the IIoT environment against the ravages of ransomware attacks helps preserve a company’s reputation.
