It’s been over a decade since the technology industry began facing the stark reality of digital extortion. The dark and lucrative industry of kidnapping and holding humans hostage for ransom transformed and plagued the digital world in the form of holding critical infrastructures hostage. Commonly known as ransomware, this cyber-attack method has been around for over 15 years and consistently grows as an issue for businesses around the world. Cyber attackers typically use social engineering tactics to infect unsuspecting users with ransomware. Once enabled, the malicious software encrypts everything it can find, working to spread to as many machines on the network as possible. This essentially blocks users from accessing resources they need, often bringing victims to a halt for weeks at a time in some cases.
Cybersecurity Ventures has estimated that within the next year, a business will be hit with a ransomware attack every eleven seconds and these attacks will cost $20 billion globally. This is almost three times the figure from 2018. This year, supply chain attacks impacting operational technology and critical infrastructures remain a growing concern for organisations. Recently, the Maastricht University of Netherlands fell victim to a ransomware attack that took all of their IT systems down. The University confirmed that systems impacted critically included email, and that the systems would take several days to restore.
The latest ransomware attack involving operational technology
According to a report
from the Cybersecurity and Infrastructure Security Agency (CISA) released on February 18, 2020, the organization responded to a cyber-attack against a natural gas compression facility. The attack started with a targeted phishing email from a malicious hacker that, once clicked, enabled unauthorized access to the victim organizations' assets. Soon after, the attacker was able to move laterally throughout the organization and hop from the information technology network to the operational technology network. As a result, assets were blockaded from accessing real-time data from operational technology devices impairing human operators’ ability to leverage this information. These systems were offline for two days resulting in both lost productivity and lost revenue.
"The cost of ransomware attacks is predicted to reach $20 billion in 2021" – Cybersecurity Ventures
A few lessons learned
- Attacks are getting more sophisticated: Ransomware attackers continually grow in sophistication and popularity for several reasons. One is that Ransomware as a Service (RaaS) providers make it easy for anyone to launch advanced ransomware attacks, even if they are not a sophisticated hacker and have little technical skills. Another is that while data back-up strategies remain a crucial component in preparing to survive ransomware attacks, modern versions also learn to seek out back-up files to encrypt those as well.
- Ransomware attacks are expensive: Towards the end of 2019, the average ransom demand for a popular ransomware variant Ryuk averaged near $400,000 per case. While a standard recommendation is not to pay the ransom, the industry is alive because victims continue to pay.
- Cost isn't the only concerning impact: Unlike typical breaches often seen in the news that result in detrimental financial and reputational damages, ransomware attacks within critical infrastructures have the potential to impact operations and, ultimately, the safety of people. In the recent pipeline attack, for example, the interface used to read and control critical operations in the establishment was offline for two days. Depending on the systems' criticality and duration of downtime, this could impact the livelihood of those depending on that natural gas facility. When healthcare sector entities are hit with ransomware attacks, sometimes patients have to be moved to new locations, digital medical files may become unavailable or lost forever, badging systems can stop working, and so on. Additional operational technology-dependent areas such as oil and gas, manufacturing, transportation, automotive, defence, chemical, maritime, and more face similar challenges. Safety should be a number one priority for every business, and the risk of ransomware impacting safety is a significant concern within operational technology.
Actions companies should take to combat attacks
While technology can play a critical role in combatting ransomware attacks, existing products and solutions are not a silver bullet. Starting with the basics of cyber security hygiene is the best place to begin.
- Train staff on cyber security basics such as how to detect and avoid phishing emails
- Implement basic network and data protection mechanisms such as firewalls, anti-virus, access management, and routine back-ups of critical information stored offline.
- Test your security with proactive vulnerability scanning and penetration testing, and fix the issues promptly. Regularly apply system patches as soon as possible.
- Establish an incident response program so that you are prepared to react quickly and efficiently in the event of an attack or breach.
Respond to attacks:
- Activate your incident response program, which may include contacting local law enforcement agencies. The key is to be prepared well in advance.
- Avoid paying the ransom as this does not guarantee your data will be returned. Many companies pay, only to be still unable to decrypt and recover the data. In addition, paying increases the likelihood of being targeted again and generally increases the overall success of these attacks giving cybercriminals no incentive to slow down.
Ransomware attacks against operational technology organisations are a growing concern for many reasons. The stakes are higher, the potential for impact on safety is unnerving, and pressure to contain and overcome attacks is even more critical. Through preventative and responsive measures, the risk of ransomware can be mitigated.