This post also appeared on LinkedIn.
The recent spate of ransomware attacks and the release of the new cybersecurity Executive Order foreshadow increased scrutiny for companies managing critical infrastructure and personal data.
Ransomware attacks are happening more frequently: besides the Colonial Pipeline attack, last week saw Ireland’s health systems shut down, and attackers compromised AXA Partners shortly after it announced that its insurance policies would no longer cover ransomware demands.
Attacks like the one on Colonial Pipeline bring profound real-world implications: millions of people without services, millions lost in revenue, reputations tarnished, general societal chaos and dysfunction, and attackers paid and free to hit other targets. Ransomware attacks have been the norm for more than seven years now. Many organizations, private and public, small and large, have been victims of such attacks.
And yet, companies continue to underestimate the risk of cyberattacks, especially ransomware. So why isn’t ransomware a top priority for everyone? A previous audit of Colonial Pipeline showed severe security posture flaws, and one researcher said, “an eighth-grader could have hacked into that system.”
The recent Executive Order on Improving the Nation’s Cybersecurity and more stringent privacy laws such as GDPR and CPRA are going to make the ramifications of data theft interesting.
Norsk Hydro’s response to a ransomware attack in 2019 was a model of change that showed a deep desire to learn, improve, and (most importantly) protect the data that the company held in its trust. Hydro used the attack as an opportunity to rebuild its network security from the ground up on zero trust architectures that connect users directly to applications and limit lateral movement across systems by monitoring workflows across its different cloud deployments.
Will Colonial Pipeline follow suit?
What have we learned from the Colonial Pipeline attack?
- It wasn’t a targeted attack on the Industrial Control Systems (ICS) or Operational Technology (OT). Unlike the Saudi Aramco attack of 2017, there is no indication that this attack caused physical damage to the pipelines or injured plant operations personnel. It was most likely an attack that locked up the IT systems managing operational inventory and logistics.
- Paying the ransom is not going to restore your operations in time. A well-planned and tested backup and restore strategy can save the day. Paying the ransom only encourages more attacks. An 81-page urgent action plan delivered to the White House in April 2021 by a public-private task force noted that enriching ransomware criminals only fuels more global crime, including terrorism.
- Insurance companies are starting to exclude ransom payments. In an apparent industry-first, the global insurance company AXA said Thursday it would stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals (and then promptly got hit with a ransomware attack).
- The US government is finally taking notice. The new Biden Administration executive order requires organizations to go beyond the compliance-based approach. “Within 60 days of the date of this order, the head of each Federal agency shall … develop a plan to implement Zero Trust Architecture.”
- Prevention is a lot less expensive than mitigating attack aftermath. It is easy to see that the loss of revenue from unplanned downtime far exceeds any investment in defending against such attacks.
Why was Norsk Hydro’s response to a ransomware attack the gold standard?
Ransomware attacks can be mitigated and prevented. Companies like Norsk Hydro have dealt with such attacks in the past and shared the wisdom with the world. What did they do?
- Norsk Hydro did not pay the ransom.
- The company went public with the news of the attack and was transparent about its response plan.
- The company reported the attack to authorities and worked closely with the security industry to prevent attacks on other companies.
- Norsk Hydro used the opportunity to rebuild, redesign, and strengthen its security and infrastructure.
- The company is not in denial about the likelihood of future attacks.
Even with the best planning, the reality of a successful attack is much harder than any plan anticipates. For example, Norsk Hydro couldn’t use any of its printers to print safety procedures for plant staff.
“Had Hydro not already moved communications to a managed cloud service like O365, the situation would have been more grave.” - Eivind Kallevik, Chief Financial Officer (CFO)
What should your organization do to plan and prevent ransomware attacks?
Assess the business risk of your IT and OT architecture and reduce your attack surface:
- Don’t go directly into ICS threat monitoring without analyzing the entire attack surface.
- Ask the right questions when assessing your security posture. Do you have a flat network? Are your IT and OT networks sharing the same resources (e.g., domain controllers)? Do your IT security solutions from different vendors natively work together (like your secure web gateway integrating with your endpoint security and SIEM solution) to break the kill chain?
- Consider extending zero trust to your OT environments. Attackers cannot reach systems that are not visible on the open internet.
Air-gapped OT networks do not serve the business needs:
- Allow internet access for ICS workstations through browser isolation. Issuing ICS employees two laptops instead creates complexity that leads to security issues.
- Replace VPNs with zero trust network access (ZTNA) using a software-defined perimeter approach for remote access of your OT systems.
- Segment the control, management, and IIoT sensor networks in OT environments.
- Don’t aim for full micro-segmentation, as there is not enough downtime on the OT network to implement it. Protecting the intersection of OT and IT will yield the most benefits.
Use the cloud to your advantage:
- Learn from Norsk Hydro's experience and move as many functions as possible into the cloud. This allows for faster recovery and better protection of critical systems.
- A Secure Access Service Edge (SASE)-based security implementation is an easy way to reduce your ICS network’s attack surface and complexity.
In the SolarWinds attack, an intern’s weak internal password for privileged software led to the massive breach of thousands of enterprises and government organizations, jeopardizing national security. The shared passwords used at the water treatment plant in Oldsmar risked the lives of an entire city.
The recent executive order demonstrates a commitment to improving the security posture of the United States’ critical infrastructure. Since private companies manage much of that infrastructure, one would hope the order extends to them as well.
The actions of companies handling critical infrastructure affect millions of people. Companies responsible for critical infrastructure must use the best security practices in order to ensure public safety and well-being.