In recent weeks we have witnessed two large-scale ransomware attacks that demonstrated the direct, real-world effects of cyberattacks on industrial operations. First, the Colonial Pipeline attack, which halted pipeline operations for long enough to (slightly, thankfully) affect oil prices in the US; and then the attack on the beef supplier JBS, which forced JBS to shut down all of its beef plants in the U.S.
Both attacks involved ransomware, and both are allegedly attributable to state-sponsored hacker groups. In both cases a ransom was paid to the attackers in order to resume operations quickly. Luckily, a large part of the ransom paid by Colonial was later recovered by law enforcement.
The most disturbing similarity between the two attacks, and many other recent ones, is that neither company had installed adequate protections against ransomware, even though the writing was prominently inscribed on the wall.
The measures needed to prevent ransomware attacks are known and documented. The very basics include:
These tried-and-true methods, and many others, will definitely reduce your network risk and improve your resilience posture, not only against the exact malware used in the Colonial and JBS attacks but against all types of cyberattacks.
The problem is deciding which mitigations should be installed. A decision based on intuition, familiarity with your industrial network or just a plain rule of thumb will probably not maximize your ROI on risk reduction. Simply put – and this should be the most important takeaway from this post – it’s impossible for a CISO to accurately determine network risk, and even more so the effect of different hardening measures on reducing susceptibility to an attack. You just can’t eyeball risk anymore. And not installing the most effective mix of mitigation measures means that you’ve just spent money on either preventing the wrong threats or ineffectively preventing the threats you’re actually facing.
Each industrial network is different, from the devices and protocols used to the industry it operates in. What’s right for an oil pipeline or a beef processing plant may not be suitable for a building management system (BMS) or a water supply network; moreover, OT networks in different locales face different threats.
In fact, to produce an optimized risk mitigation plan you’ll need to analyze hundreds of threat-intelligence data points (e.g. from MITRE ATT&CK) and other data: which attackers target which industries, which attack techniques they use, and the effect of each mitigation measure on each technique, for every business unit in your organization. You’ll also have to consider your budgetary constraints, as well as your long- and short-term risk management goals (e.g. protecting high-risk operations vs. demonstrating compliance vs. reducing overall risk).
CIARA displays a clear list of the most relevant attack groups and attack tactics for the specific system under consideration (SuC)
Analyzing the network’s threat and mitigation environment is exactly what risk assessment systems are supposed to do, and what CIARA, Radiflow’s risk assessment and management platform, actually does.
CIARA employs an extensive proprietary algorithm to perform breach and attack simulations (BAS), based on the properties and vulnerabilities of every network and device, as derived from Radiflow’s non-intrusive, self-learned network image/model. CIARA is 100% compliant with IEC 62443, thus assuring the user organization’s compliance with the standard.
Prioritized mitigations in CIARA, listed by state, zone, fundamental requirement (per IEC 62443) and cost
CIARA’s simulations account for:
The outcome of numerous simulation instances is a clear, optimized mitigation plan that ensures the most OT security for each dollar spent. CIARA’s network hardening roadmap prioritizes the mitigations you need to install on the network based on your security preferences (for example, reducing overall risk vs. hardening a single critical business unit) and your quarterly budget constraints. CIARA even provides a project planner for long-term quarterly budget planning.
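To make the trade-off described above concrete, here is a small budget-constrained mitigation planner, added as an illustration for this post; it is not CIARA’s algorithm and not Radiflow’s code. The threats, controls, likelihoods, impacts, costs and reduction fractions are all constructed sample values, and the risk model (expected annual loss, with overlapping controls treated as independent layers and an optional per-business-unit weight) is an assumption chosen for the example. It contrasts an exhaustive search over every affordable set of controls with the “best risk reduction per dollar” rule of thumb, and on this data the rule of thumb leaves risk on the table, which is the point about eyeballing risk made earlier in the post.

```python
"""Toy budget-constrained mitigation planner (constructed example, not CIARA)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Threat:
    name: str
    unit: str          # business unit / zone the technique would hit
    likelihood: float  # probability of a successful attempt per year (constructed)
    impact: float      # loss if it succeeds, in k$ (constructed)


@dataclass
class Mitigation:
    name: str
    cost: float                # one-time cost, k$ (constructed)
    reduces: Dict[str, float]  # threat name -> fraction of that threat's risk removed


def residual_risk(threats: Sequence[Threat], chosen: Sequence[Mitigation],
                  unit_weights: Optional[Dict[str, float]] = None) -> float:
    """Expected annual loss (k$) left after applying `chosen`.

    Controls covering the same threat are treated as independent layers, so two
    50% reductions leave 25% of the risk, not 0%. A unit weight above 1.0
    expresses the preference 'harden this business unit first'.
    """
    weights = unit_weights or {}
    total = 0.0
    for t in threats:
        remaining = 1.0
        for m in chosen:
            remaining *= 1.0 - m.reduces.get(t.name, 0.0)
        total += weights.get(t.unit, 1.0) * t.likelihood * t.impact * remaining
    return total


def optimal_plan(threats: Sequence[Threat], mitigations: Sequence[Mitigation], budget: float,
                 unit_weights: Optional[Dict[str, float]] = None) -> Tuple[List[str], float]:
    """Exhaustive search over every affordable subset; returns (sorted names, risk reduced).

    Fine for the dozen-odd controls an assessment shortlists; 2**n grows fast beyond that.
    """
    baseline = residual_risk(threats, [], unit_weights)
    best_combo, best_risk = (), baseline
    for k in range(1, len(mitigations) + 1):
        for combo in combinations(mitigations, k):
            if sum(m.cost for m in combo) > budget:
                continue
            risk = residual_risk(threats, combo, unit_weights)
            if risk < best_risk:
                best_combo, best_risk = combo, risk
    return sorted(m.name for m in best_combo), baseline - best_risk


def greedy_plan(threats: Sequence[Threat], mitigations: Sequence[Mitigation], budget: float,
                unit_weights: Optional[Dict[str, float]] = None) -> Tuple[List[str], float]:
    """The rule-of-thumb planner: keep buying the control with the best marginal
    risk reduction per dollar. Cheap to compute, but not guaranteed to be optimal."""
    chosen: List[Mitigation] = []
    pool = list(mitigations)
    remaining_budget = budget
    while True:
        current = residual_risk(threats, chosen, unit_weights)
        best, best_ratio = None, 0.0
        for m in pool:
            if m.cost > remaining_budget:
                continue
            gain = current - residual_risk(threats, chosen + [m], unit_weights)
            if gain / m.cost > best_ratio:
                best, best_ratio = m, gain / m.cost
        if best is None:
            break
        chosen.append(best)
        pool.remove(best)
        remaining_budget -= best.cost
    baseline = residual_risk(threats, [], unit_weights)
    return sorted(m.name for m in chosen), baseline - residual_risk(threats, chosen, unit_weights)


# Constructed sample model for a small pipeline operator; every number is illustrative.
THREATS = [
    Threat("phishing into corporate IT", "corporate IT", 0.30, 400),
    Threat("exposed OT remote access", "pipeline OT", 0.20, 2000),
    Threat("unpatched historian server", "pipeline OT", 0.15, 1000),
    Threat("lateral movement over flat network", "pipeline OT", 0.25, 1500),
]
MITIGATIONS = [
    Mitigation("MFA on remote access", 120,
               {"exposed OT remote access": 0.8, "phishing into corporate IT": 0.5}),
    Mitigation("IT/OT segmentation", 150,
               {"lateral movement over flat network": 0.7, "exposed OT remote access": 0.3}),
    Mitigation("patch management", 80, {"unpatched historian server": 0.6}),
    Mitigation("offline tested backups", 40,
               {"phishing into corporate IT": 0.5, "unpatched historian server": 0.3}),
    Mitigation("security awareness training", 30, {"phishing into corporate IT": 0.4}),
]
BUDGET = 200  # k$ available this quarter


if __name__ == "__main__":
    print(f"baseline expected annual loss: {residual_risk(THREATS, []):.1f} k$")
    for label, planner in (("exact", optimal_plan), ("greedy", greedy_plan)):
        plan, reduced = planner(THREATS, MITIGATIONS, BUDGET)
        print(f"{label:6s} plan={plan} risk reduced={reduced:.1f} k$")
```

With these numbers the greedy planner grabs MFA first because it has the best ratio on its own, then can only afford small add-ons, while the exhaustive search finds that segmentation plus backups reduces more risk within the same 200 k$. Passing `unit_weights={"pipeline OT": 3.0}` to either planner is the “harden one critical business unit” preference mentioned in the text, and the budget can be re-run per quarter with the already-installed controls removed from the candidate pool.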
The conventional wisdom in OT security is that if you haven’t been attacked yet, you will be at some point. It’s just a matter of time. The Colonial and JBS attacks should serve as a reminder for industrial organizations to plan ahead and start the process of assessing their network risk and optimizing their ICS security – before they’re attacked.