Protecting OT Networks from Ransomware Attacks

Cyberattacks that impact industrial (OT) operations, to the point of losing control over the operational network, as in the Colonial Pipeline , JBS Foods and several European oil and gas chemical ports ,have unfortunately become a regular occurrence in recent years.

Just in the past few weeks we’ve witnessed a string of ransomware attacks on a number of European oil tanker terminals in Belgium, the Netherlands, and Germany (which according to expert sources were non coordinated), believed to be linked to the BlackCat and Conti families. The  cyberattack on Oiltanking GmbH and Mabanaft GmbH caused oil conglomerate Shell to reroute oil supplies to other depots, while the attacks in Belgium and the Netherlands that targeted facilities belonging to SEA-Invest, a global oil terminal operator, had shut down port operations for a few days.

Although no disruptions to the fuel supply chain have been reported, according to experts the attack on Oiltanking and Mabanaft caused many millions of dollars in damages. No ransom has been reportedly paid to the attackers in either incident.

In this post we will review the Ransomware attack tactic, which has been used in the Colonial Pipeline, JBS Foods, oil port terminals and many other recent attacks.

How does ransomware enter OT networks, and what does it do once inside?

Ransomware can affect OT networks using a number of attack paths:

• Through the inter-enterprise network, i.e. ransomware moving from the enterprise-IT network to the OT network through IT-OT connections or through joint IT-OT assets
• From the outside: using network access authorization granted to a 3^rdparty (vendor or other partner) or by taking advantage of vulnerabilities in remote access products and/or architecture
• Old-school direct access to OT assets: using removable media, technician’s laptop , etc.
• Through vulnerabilities in internet-facing applications and assets, including malware which exploit known vulnerabilities, for which a patch exists, as well as unknown (Zero-Day) vulnerabilities for which there is no patch available

Once in, the ransomware adversary will typically try to leverage the following tactics:

• Privilege escalation: the ransomware will attempt to propagate inside the network using weak credentials of high-privileged users, and similar authorization-circumvention methods
• Lateral movement inside the network: the ransomware will use open remote services and remote access protocols (e.g. RDP, VNC), vulnerable Windows-based  protocols (e.g. SMB) and others.

The eventual execution of the ransomware payload is done through injection into known processes or running scripts (such as PowerShell).

[inject id=’code-47fd23f73a9caecab1e206306adae7f9′]

Mitigating ransomware attacks on OT environments

The good news is that ransomware attacks on OT networks can be mitigated. Here’s a list of mitigation steps that OT network and security operators should implement, if they haven’t done so:

• Define and secure your IT-OT conduits (while making sure that vulnerable protocols are not crossing through firewalls)
• Prioritize patching your external access apps and appliances, such as VPNs and Jump/gateway servers
• Implement multi-factor authentication (MFA) for sensitive external access
• Minimize your OT workstations’ attack surface by hardening them: disable remote desktop (RDP) services, and remove/avoid unnecessary apps like MS Teams
• Prioritize patching your VMware/ESXi infrastructure, as most OT servers and apps run on virtual environments, including VMware which is one of the most exploitable applications
• Continuously monitor your OT network to detect anomalies, policy violations, vulnerable protocols and early signs of malicious activity
• End-of-life (EOL) assets, which are very common in OT environments, are typically never maintained and therefore serve as “hotspots” for malicious adversaries. It’s highly recommended to isolate these devices as “island assets” to minimize external communications
• The last line of defense is validation of network restore procedures from backups

Protecting the IT-OT network’s backup system

In the event of a ransomware attack, the ability to restore the network quickly and efficiently is crucial. Therefore protecting the backup system in its entirety should be a high priority.

As a rule, you should continually back up your important data and store it offline. Test these backups and run restore drills periodically.

Viable measures to protect the backup system include:

• Create an isolated backup vault for data assets: database snapshots, configuration files, project files, authenticated versions of application, OS, firmware, etc. Maintain multiple copies of your backup data
• Integrate your backup storage and backup software, and make sure to implementing immutable file storage
• Minimize and monitor network sharing protocols, e.g. CIFS and NFS
• Implement multi-factor authentication (MFA) for administrative accounts, and ensure the separation of administrative roles
• Install robust multi-person authorization workflows
• Transition to API back up (if possible)
• Validate and monitor your provisioning tools
• Validate files and binary large objects (BLOB)

Radiflow solutions for mitigating ransomware attacks

Radiflow’s approach to securing OT operations consists of detection/alerting on anomalies and network behaviors that may be a sign of a breach attempt, as well as ongoing risk assessment & monitoring toward continuous optimization of the overall network security system.

Universally endorsed by today’s industry thought leaders Radiflow’s risk-based approach to securing IT-OT networks takes an important step beyond mere threat detection by accounting for the entire array of factors that make up the risk the IT-OT network faces:

• Differentiation between business processes (operational units) by function and criticality, and assigning security requirements for each business unit accordingly
• Accounting for the impact of an attack (safety hazard, financial loss, damage to reputation, regulatory non-compliance or other) on a specific business processes
• Using threat intelligence to determine the likelihood of attacks based on geo-location and industrial sector
• Using virtual ICS breach attack simulation to assess exposure of production system to ransomware attack
• Defining system assets that a loss scenario of ransomware is applicable

By factoring in the complex array of each organization’s unique risk factors, users can manage their cyber-security budget by risk and control ROI, rather than trying to “cover all bases”, leading to a higher ROI on their IT-OT security expenditure.

As to protecting OT networks from the specific threat of ransomware, Radiflow iSID and CIARA solutions, separately and in tandem, provide a comprehensive double line of defense:

iSID: Industrial Threat Detection & Monitoring

iSID provides detection of breach attempt indications typical to ransomware attacks:

• Discovery of backup data conduits and detection of changes and anomalies in backup services traffic
• Detection of anomalies in usage of network sharing protocols, e.g. CIFS, NFS
• Detection of usage of network admin tools like Powershell
• Detection and alert upon usage of remote services and protocols like VNC, TeamViewer, RDP, etc.

CIARA: Industrial Risk Assessment & Management

CIARA helps users configure the security requirements and prioritize mitigation measures for different operational zones, including the backup zone and other zones pertinent to ransomware attacks:

• Simulation of ransomware attacks as part of CIARA’s breach-and-attack (OT-BAS) simulation engine
• Assigning the appropriate security assurance level (SAL) for the data assets/zones (for data assets, a security requirement (SR) for multi-factor authentication (MFA) should be applied under the assigned SAL)
• Configuration of the security assurance level will include a role-based access control, accounts in charge of modifying backup job definitions (for changing or deleting backup jobs)
• CIARA provides risk analysis for the impact of loss scenarios caused by ransomware attacks such as DoS, availability and integrity of data
• Designating data asset repositories (e.g. EWS, Historian, FTP server) as high impact
• Setting up RTO/RPO (Recovery Time/Point Objective) for the OT network, as part of defining loss scenarios

Conclusion

Ransomware attacks are here to stay, and will just get increasingly malicious and sophisticated in time. To protect your network from ransomware attacks, you need to implement technologies and processes that can detect and alert on early signs of an attack, prioritize and optimize mitigation measures and enable successful recovery.

In addition, through obtaining visibility into your risk factors and the security needs of each and every operational zone (especially the backup zone, critical to recovering from ransomware attacks), you will be able to focus your cyber-security budget on the mitigations that minimize overall risk, thus increasing the value and ROI of your entire IT-OT cyber-security operation.