Protecting an industrial organization from external (or even internal) threats is business-critical. This is as true of operational technology (OT) environments as it is of IT systems.
As cyberattacks continue to increase in frequency and severity each year, businesses must have the right risk mitigation plans in place. Data breaches cost organizations, on average, 4.88 million USD per year in losses, with 35% of those attacks being linked to ransomware. And because of the unique vulnerabilities of OT in critical infrastructure, these statistics mean that a successful ransomware attack wouldn’t only disrupt essential services, but it could also cause environmental damage or endanger lives.
If you don’t have the necessary security in place, a simple administrative mistake can cost the organization significantly. However, there are well-established strategies that your company can put in place now to lower its risk profile and significantly improve its chances of recovering successfully from a ransomware attack.
It’s incredibly important to ensure that every individual and device that accesses your company’s systems is adequately protected. This is especially true for organizations with remote teams or those operating industrial facilities with various levels of access control.
Personal laptops, smartphones and tablets are all potential entry points for attackers if they aren’t adequately secured. In OT environments, these risks extend to the specialized engineering equipment used to monitor and manage programmable logic controllers (PLCs) and human-machine interfaces (HMIs). This is why it's crucial for organizations to adopt a proactive approach to managing and monitoring all of their network connections.
The first step in this area is to document all of the different devices and connection methods employees use to stay connected. Once you’ve created this map, you can implement appropriate policies or protocols for how each of them is used.
One way to address this issue is with endpoint detection and response (EDR) platforms. EDR tools have become increasingly relevant in converged IT and OT environments. These can be used to monitor and categorize all connections on your network while also allowing you to enforce strict security protocols and access limitations based on the device being used or the location requesting the access.
While it might not be the first thing on your cybersecurity list, training employees on security best practices can go a long way to helping reduce your organization’s risk exposure.
When implementing a regular cybersecurity training routine, teach the workforce about practical ways they can protect themselves and the company from falling victim to an attack. This can be as simple as using stronger passwords, never posting login credentials on their desk where they are visible, or ensuring they always lock their computers when taking breaks.
Ensure that you establish clear guidelines that should be followed by both new and existing employees, and make them a core element of your employee handbooks. This not only includes training on best security practices, but also on the safe and ethical use of AI tools and services to comply with various industry standards.
Even if you invest in a number of proactive security measures, it’s still important to plan for the worst-case scenario. If your data becomes compromised due to a ransomware attack or any other form of data breach, you’ll want to have backups you can rely on to help recover your systems as quickly as possible.
To achieve this, you’ll want to maintain a consistent schedule for creating backups on a regular basis. For traditional IT environments, this means managing all your critical business data, which is often spread across various systems and databases. In OT settings, you’ll want to include your PLC programs, HMI configurations, system images of control servers and any engineering workstation data.
By taking this step ahead of time, in the event of a ransomware attack, you will have a functional version of your most critical data and systems, potentially preventing extended periods of downtime that could lead to significant financial losses.
As you design your disaster recovery plan, ensure that you have clear instructions on where these backup files can be located and the priority each system requires during recovery.
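The backup guidance above (a regular schedule, the OT artifacts to include, and a documented recovery priority) can be made verifiable rather than aspirational. The following is an added example, not code from the article or from ISAGCA: it builds a hash manifest for a backup set, then checks that every file is still present and unmodified and that the backup is not older than the schedule allows, and emits the restore order. The file names, the 24-hour interval and the priority numbers are constructed assumptions for the demo.

```python
"""Added example (not from the ISAGCA article): build and verify a backup
manifest for the OT artifacts the text lists (PLC programs, HMI configs,
control-server images, engineering-workstation data).

The file names, the recovery priorities and the 24-hour backup interval
are assumptions constructed for this demo, not values from the article.
"""
import hashlib
import os
import tempfile

# Assumed recovery order: lowest number restores first.
RECOVERY_PRIORITY = {
    "plc_program": 1,
    "hmi_config": 2,
    "control_server_image": 3,
    "engineering_workstation": 4,
}
MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumed schedule: one backup per day


def sha256_file(path):
    """Stream-hash a file so large control-server images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(entries, taken_at):
    """entries: list of (category, path). Records a SHA-256 per file so that
    later tampering (e.g. by ransomware) or bit-rot in the backup set is detectable."""
    files = []
    for category, path in entries:
        files.append({
            "category": category,
            "path": path,
            "sha256": sha256_file(path),
            "priority": RECOVERY_PRIORITY[category],
        })
    return {"taken_at": taken_at, "files": files}


def verify_manifest(manifest, now):
    """Returns (problems, restore_order): problems is a list of human-readable
    findings (empty when the backup is usable); restore_order lists the paths
    in the order the recovery plan says to bring them back."""
    problems = []
    if now - manifest["taken_at"] > MAX_BACKUP_AGE_SECONDS:
        problems.append("backup is older than the schedule allows")
    for entry in manifest["files"]:
        if not os.path.exists(entry["path"]):
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(entry["path"]) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['path']}")
    restore_order = [e["path"] for e in sorted(manifest["files"], key=lambda e: e["priority"])]
    return problems, restore_order


def demo():
    """Constructed scenario: write four sample artifacts, take a manifest,
    then alter one file and let the backup go stale. Returns
    (problems_when_fresh, problems_after_tampering, restore_order)."""
    d = tempfile.mkdtemp()
    sample = {  # constructed placeholder contents, not real artifacts
        "engineering_workstation": b"project files",
        "plc_program": b"constructed PLC logic",
        "hmi_config": b"<hmi screens/>",
        "control_server_image": b"\x00" * 1024,
    }
    entries = []
    for cat, content in sample.items():
        p = os.path.join(d, cat + ".bak")
        with open(p, "wb") as f:
            f.write(content)
        entries.append((cat, p))
    t0 = 1_700_000_000
    manifest = build_manifest(entries, taken_at=t0)
    fresh_problems, order = verify_manifest(manifest, now=t0 + 3600)
    # Simulate the PLC backup being modified, and three days passing with no new backup.
    with open(entries[1][1], "ab") as f:
        f.write(b"tampered")
    stale_problems, _ = verify_manifest(manifest, now=t0 + 3 * 24 * 3600)
    return fresh_problems, stale_problems, order


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the hash manifest is that a backup you cannot verify is not a backup you can rely on after an incident; storing the manifest somewhere the production network cannot write to (offline or immutable storage) is what makes the check meaningful against ransomware.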
When an organization is hit by ransomware, the malware can spread like wildfire from the initially affected area of a network to any connected systems. One of the most impactful ways to reduce your company’s risk exposure when this happens is by strategically isolating your IT and OT systems.
If these areas of your organization's infrastructure are too closely connected, they essentially become one large target in which a single entry point gives an attacker reach into everything. Take, for example, the A.P. Moller-Maersk attack by NotPetya. In this attack, a single infection in one of the company’s IT systems was able to rapidly spread across the organization’s global physical operations. Terminals were paralyzed during the attack, which brought critical logistics processes to a standstill.
Another, more recent attack was successfully launched against Colonial Pipeline. During the attack, hackers gained access to the organization’s network through a compromised password on an employee’s VPN account. This granted the access needed to launch the ransomware, which originally infected only their IT billing systems. However, because the malware could move laterally across the network, the company’s teams were forced to shut down the entire fuel pipeline for several days. This led to a major fuel crisis and a significant impact on local economies.
While avoiding these types of crises takes more than just one or two changes to security protocols, segmenting IT and OT systems with a demilitarized zone (DMZ) between them creates the quarantine zones necessary to prevent a single breach from crippling all systems.
It’s also essential to manage individual user access across each of these systems. Ensure that you restrict access to sensitive areas of your network to only a select group of employees who actually require access. This means implementing the “principle of least privilege,” where anyone in your business, regardless of their title, has only the access they need to do their job effectively, never more than necessary.
This simple rule is a powerful security control, and it's doubly important when you're deciding who gets the keys to your most critical industrial systems.
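Both the segmentation rule (IT reaches OT only through a DMZ, with everything else denied by default) and the least-privilege rule can be written down as a policy and audited against the configuration you actually have. The following added example is not code from the article or from ISAGCA; it models the IT/DMZ/OT flows as an allow-list, audits a constructed firewall rule table for rules that bypass the DMZ or are overly broad, and flags accounts that hold permissions beyond what their role needs. The zone names, ports, roles and permission strings are constructed assumptions for the demo, and segmentation inside the OT zone itself is deliberately not modelled.

```python
"""Added example (not from the ISAGCA article): a small policy model for
IT / DMZ / OT segmentation and least-privilege auditing.

Zones, ports, roles and permission names below are constructed for the
demo; real flow lists and role definitions come from your own architecture.
"""

# Default deny: only the (source zone, destination zone, destination port)
# triples listed here are permitted. IT never reaches OT directly; it goes
# through a jump host in the DMZ, and OT only pushes data outward to the DMZ.
ALLOWED_FLOWS = {
    ("IT", "DMZ", 443),   # constructed: browse a historian replica in the DMZ
    ("IT", "DMZ", 3389),  # constructed: RDP to the DMZ jump host
    ("DMZ", "OT", 3389),  # constructed: jump host onward to an engineering workstation
    ("OT", "DMZ", 8443),  # constructed: OT pushes process data to the DMZ replica
}

# Constructed role definitions: the minimum each job actually needs.
ROLE_PERMISSIONS = {
    "plc-engineer": {"plc:download", "plc:read", "hmi:read"},
    "operator": {"hmi:read", "hmi:ack-alarm"},
    "it-helpdesk": {"it:reset-password"},
}


def flow_allowed(src_zone, dst_zone, dst_port):
    """Policy decision for one flow. Traffic within a zone is allowed here
    (intra-zone segmentation is out of scope for this demo); everything
    crossing a zone boundary must appear in ALLOWED_FLOWS."""
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, dst_port) in ALLOWED_FLOWS


def audit_firewall_rules(rules):
    """rules: list of (src_zone, dst_zone, dst_port, action) in evaluation
    order. Returns [(rule_index, reason)] for every allow rule that either
    bypasses the DMZ, is overly broad, or is not an approved flow."""
    findings = []
    for i, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        if src == "IT" and dst == "OT":
            findings.append((i, "direct IT->OT allow bypasses the DMZ"))
        elif port == "any":
            findings.append((i, "port 'any' allow is overly broad"))
        elif not flow_allowed(src, dst, port):
            findings.append((i, "allow rule is not in the approved flow list"))
    return findings


def excess_privileges(accounts):
    """accounts: {name: {"role": str, "granted": [perm, ...]}}. Returns
    {name: [extra perms]} for accounts holding more than their role needs."""
    findings = {}
    for name, acct in accounts.items():
        needed = ROLE_PERMISSIONS.get(acct["role"], set())
        extra = set(acct["granted"]) - needed
        if extra:
            findings[name] = sorted(extra)
    return findings


def demo():
    """Constructed rule table and account list; returns both audit results."""
    rules = [
        ("IT", "DMZ", 443, "allow"),
        ("IT", "OT", 3389, "allow"),     # someone 'temporarily' opened a direct path
        ("DMZ", "OT", "any", "allow"),   # far wider than the jump-host flow needs
        ("IT", "DMZ", 3389, "allow"),
        ("any", "any", "any", "deny"),   # the default-deny catch-all
    ]
    accounts = {
        "alice": {"role": "plc-engineer", "granted": ["plc:download", "plc:read", "hmi:read"]},
        "bob": {"role": "operator", "granted": ["hmi:read", "hmi:ack-alarm", "plc:download"]},
        "carol": {"role": "it-helpdesk", "granted": ["it:reset-password", "plc:download"]},
    }
    return audit_firewall_rules(rules), excess_privileges(accounts)


if __name__ == "__main__":
    fw, priv = demo()
    print("firewall findings:", fw)
    print("excess privileges:", priv)
```

Running this on a real rule export and identity directory turns "we segmented IT and OT" and "we apply least privilege" into a repeatable check, which is exactly what a penetration test or an incident would otherwise discover the hard way.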
One of the challenges businesses face is determining whether the systems and security policies they have in place will actually prove effective when the time comes to protect the business from a real attack. Penetration testing services can be a great way to validate your disaster planning efforts without putting your organization at risk.
Working with outside penetration testing teams gives you a proactive way to pinpoint potential weaknesses in your systems before they have a chance to escalate into real security problems for your business. Penetration testers conduct simulated attacks in the same way that a real cybercriminal would, often finding flaws in systems that aren’t easy to spot otherwise.
For example, using a specialized OT penetration testing service, you can successfully assess the integrity of each of your industrial control systems. These contracted services can try to exploit vulnerabilities in older hardware, look for misconfigurations in system networks or try to bypass unpatched HMI software. If vulnerabilities are found, identifying and fixing them before they lead to a real attack can be invaluable.
Extracting insights from these teams after their simulated attacks can help you to prioritize your risk mitigation resources in the right areas while also ensuring that you’re maintaining strict data security and compliance practices.
Keeping your organization protected from modern-day cyberattacks, especially ransomware, requires a forward-thinking approach to security and planning.
By following the strategies discussed and training employees on safer business practices, you’ll be able to successfully reduce your organization's risk profile while creating a more resilient cybersecurity culture.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive regular emails with links to thought leadership, research and other insights from the OT cybersecurity community.