How You Should Prevent Ransomware Attacks On Your Industrial Networks

This Week, Ransomware Slams WestRock & Other Industrial Organizations

Earlier this week, the operations of the $17 billion packaging firm WestRock were disrupted by a ransomware attack that impacted both its IT and OT (operational technology) networks. Two days later, the massive $27 billion chain operator Dairy Farm Group was also hit by ransomware, with the attackers demanding a $30 million ransom. Those are just a sample of the successful ransomware attacks from this week alone.

Since the WannaCry and NotPetya outbreaks in 2017, we have been witnessing daily attacks that originate on the IT side and go on to affect OT networks. The U.S. National Security Agency (NSA) has also highlighted this issue, for one very simple reason: it works.

Ransomware Works

That’s the simplest way to explain why incidents of ransomware attacks have sharply increased over the last year — with no end in sight. The number of ransomware attacks has jumped by 350 percent since 2018, the average ransom payment increased by more than 100 percent this year, downtime is up by 200 percent and the average cost per incident is on the rise, according to a recent report from PurpleSec.

Threat actor groups with names such as Ryuk, Egregor, Conti, Ragnar Locker and many others are ruthless, well-funded and willing to target anyone to get their payday: COVID-19 vaccine manufacturers, automotive manufacturers, critical infrastructure, governments and hospitals. In fact, the first ransomware-related death happened this past September, when a German hospital was infected with ransomware and could not treat patients during the COVID-19 outbreak.

As part of SCADAfence’s mission to protect the lives and safety of civilians, we’ve put together this guide to help you prevent ransomware in your industrial organization.

The Ransomware Encryption Process

Let’s go back to the beginning, and discuss how these attacks encrypt systems in the first place.

From the previous ransomware attacks we have researched, we learned that from the minute the attackers gain initial access, they can encrypt the entire network in a matter of hours. In other cases, attackers spend more time assessing which assets they want to encrypt and make sure they reach key servers, such as storage and application servers.

Most of the recent ransomware attacks you read about in the news try to terminate antivirus processes to make sure their encryption runs uninterrupted. Recent variants such as SNAKE, DoppelPaymer and LockerGoga go even further by terminating OT-related processes, such as Siemens SIMATIC WinCC, Beckhoff TwinCAT, Kepware KEPServerEX and the processes handling the OPC communications protocol. This makes sure the industrial process is interrupted, which increases the chances that the victim pays the ransom. Ransomware of this type was seen in the recent attacks on Honda and ExecuPharm.

OT Security Challenges with Ransomware

Diagram #1 – An OT Security Challenge: Industrial Components Exposed to Encryption

From what we’ve seen, ransomware generally encrypts Windows and Linux machines. We still haven’t seen any PLCs being encrypted. However, many industrial services are run on Windows / Linux machines – such as Historians, HMIs, Storage, Application Servers, Management Portals and OPC Client/Servers.

In many cases, ransomware operations do not stop in the IT network and go on to attack OT segments as well. More encrypted devices mean a higher monetary ransom demand from the attackers.

Organizations must be able to monitor & detect threats across the IT/OT boundary in order to effectively identify risks before reaching process-critical end-points.

Ransomware Prevention in Industrial Networks

Diagram #2 – Ransomware Prevention: How You Can Prevent Ransomware Attacks On Your Industrial Networks

Some of the tools and techniques that ransomware operators are using are on the same level that nation-state threat actors are using on targeted espionage campaigns.

Diagram #3 – Tactics, Techniques & Procedures most commonly used in Ransomware Attacks


We recommend that organizations practice these common security procedures to minimize their risk of ransomware infection on each step of the kill chain:


Initial Access:

  1. RDP
    1. If possible, replace RDP with a remote access solution that requires two-factor authentication; many VPNs now support this. Attackers then have to pass a second verification step, for example a code sent via SMS.
    2. If you still choose to use RDP, make sure Windows Update is enabled and working on the hosts that expose it.
  2. Email Phishing
    1. Educate the organization’s employees about phishing attacks. Employees should be suspicious of emails that do not seem right and should not click on suspicious links.
    2. Install an anti-phishing solution.
  3. Software vulnerabilities of internet-facing servers
    1. Scan your organization’s IP range from outside the network. Verify that every exposed IP and port is one you expect.
    2. Make sure that automatic security updates are enabled for your exposed services. If one of your services (a web server, for example) does not have this feature, consider replacing it with a similar one that does.
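As an added example (not part of the SCADAfence guide), the following Python script turns the "verify that all exposed IP/ports are what you expect" step into a repeatable check: it parses nmap grepable output from an external scan and diffs it against an allowlist of intended exposure. The scan output, addresses and allowlist are constructed samples.

```python
"""Compare an external port scan against the exposure you intend to have.

Parses nmap grepable (-oG) output and reports open ports that are not on
the allowlist, plus allowlisted services that did not show up as open.
"""
import re
from typing import Dict, Set, Tuple

Exposure = Dict[str, Set[Tuple[int, str]]]  # {ip: {(port, proto)}}

# Constructed sample of `nmap -oG -` output for an external scan (TEST-NET addresses).
SCAN_OUTPUT = (
    "# Nmap 7.91 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.12 ()\tStatus: Up\n"
    "Host: 203.0.113.12 ()\tPorts: 22/filtered/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)

# Services the organisation intends to expose (constructed allowlist).
EXPECTED: Exposure = {
    "203.0.113.10": {(443, "tcp")},               # public web front end
    "203.0.113.11": {(25, "tcp"), (587, "tcp")},  # mail relay
}

# Matches one entry of the Ports: field, e.g. "443/open/tcp//https///".
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/")


def parse_open_ports(grepable: str) -> Exposure:
    """Return every port that nmap reports as open, keyed by host IP."""
    found: Exposure = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # The Ports: field ends at the next tab (before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, _state, proto in PORT_RE.findall(ports_field):
            found.setdefault(ip, set()).add((int(port), proto))
    return found


def unexpected_exposure(observed: Exposure, expected: Exposure) -> Exposure:
    """Open ports not on the allowlist: each one needs an owner or a firewall rule."""
    return {ip: extra for ip, ports in observed.items()
            if (extra := ports - expected.get(ip, set()))}


def missing_services(observed: Exposure, expected: Exposure) -> Exposure:
    """Allowlisted services not seen open: a service is down or the scan was blocked."""
    return {ip: gap for ip, ports in expected.items()
            if (gap := ports - observed.get(ip, set()))}
```

In the sample, RDP (3389) on the web front end and an unlisted proxy port on a third host are the two findings a defender would chase down.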


Lateral Movement:

  1. Firewalls & Windows Update
    Enable firewalls on all of your workstations and servers.
    Make sure that Windows Update is enabled. This ensures that your machines are patched against the latest vulnerabilities and are less prone to lateral movement techniques. Microsoft constantly updates its security policies and firewall rules.
    One good example is that they disabled the remote creation of processes using the Task Scheduler ‘at’ command.
  2. Endpoint Protection
    Endpoint protection works. Beyond blocking classic hacker techniques, some products also have defenses against ransomware and will protect your assets from encryption.
  3. Network Segmentation
    Ideally, you want to minimize the risk to your industrial network when suffering a ransomware attack.
    1. To the extent possible, separate the IT network from the OT network segment. Monitor and limit the access between the segments.
    2. Use different management servers for the OT and IT networks (Windows domains, etc.). That way, compromising the IT domain does not compromise the OT domain.
  4. Constant Network Monitoring
    A constant network monitoring platform (we happen to know a really good one) helps you identify threats by analyzing network traffic and shows you the bigger picture of what is happening in your network.
  5. Data Exfiltration
    Monitor your network for unusual outbound traffic. Everyday user activity should not generate more than about 200 MB of uplink traffic per user per day.
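The following Python script is an added example, not SCADAfence code, that applies two of the checks above to exported flow records: IT-to-OT connections that are not on a segmentation allowlist, and per-user daily uplink above the guide's roughly 200 MB heuristic. The segment ranges, allowlist and flow records are constructed samples.

```python
"""Flow-record checks for the lateral-movement and data-exfiltration steps above.
Segment ranges, allowlist and flow records are constructed samples, not real data."""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Any, Dict, List, Tuple

IT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed IT segment
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed OT segment
INTERNAL_NETS = (IT_NET, OT_NET)                # everything else counts as external

# Sanctioned IT -> OT flows as (src ip, dst ip, dst port); constructed example.
ALLOWED_IT_TO_OT = {("10.10.5.5", "10.20.1.10", 443)}  # jump host -> historian web UI

# The guide's heuristic: ~200 MB of uplink per user per day is the ceiling for normal use.
OUTBOUND_LIMIT_BYTES = 200 * 1024 * 1024

# Constructed flow export, one aggregated flow per record.
FLOWS_CSV = """\
date,src_ip,dst_ip,dst_port,bytes,user
2021-01-26,10.10.5.5,10.20.1.10,443,120000,jsmith
2021-01-26,10.10.7.31,10.20.1.10,445,900,jsmith
2021-01-26,10.10.7.31,10.20.1.11,3389,45000,jsmith
2021-01-26,10.10.9.2,198.51.100.7,443,250000000,mlee
2021-01-26,10.10.9.3,198.51.100.7,443,3000000,kchan
2021-01-27,10.10.9.2,198.51.100.7,443,1000000,mlee
"""


def load_flows(text: str) -> List[Dict[str, Any]]:
    """Parse the CSV export, converting port and byte counts to integers."""
    return [{**r, "dst_port": int(r["dst_port"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def cross_boundary_violations(flows: List[Dict[str, Any]]) -> List[Tuple[str, str, int]]:
    """IT -> OT flows that are not allowlisted: candidates for lateral movement into OT."""
    hits = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src_ip"]), ipaddress.ip_address(f["dst_ip"])
        key = (f["src_ip"], f["dst_ip"], f["dst_port"])
        if src in IT_NET and dst in OT_NET and key not in ALLOWED_IT_TO_OT:
            hits.append(key)
    return hits


def outbound_over_limit(flows: List[Dict[str, Any]]) -> List[Tuple[str, str, int]]:
    """(date, user, bytes) for each user whose daily uplink to external hosts exceeds the limit."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        dst = ipaddress.ip_address(f["dst_ip"])
        if not any(dst in net for net in INTERNAL_NETS):  # only count traffic leaving the org
            totals[(f["date"], f["user"])] += f["bytes"]
    return sorted((d, u, b) for (d, u), b in totals.items() if b > OUTBOUND_LIMIT_BYTES)
```

Internal ranges are listed explicitly rather than using `is_private`, because the documentation ranges used in the sample (and some real-world address plans) are not classified the way you might expect.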

How SCADAfence Helps You

We provide a comprehensive solution: the SCADAfence platform, which was built to protect industrial organizations like yours from industrial cyber attacks, including ransomware. Its built-in features also help you implement better security practices. Some of these include:

  • Asset Management
  • Network Maps
  • Traffic Analyzers

These tools help your organization implement better network segmentation, make sure that your firewalls are functioning properly, and confirm that every device in the OT network is communicating only with the devices it should be communicating with. You will also be able to spot assets that are not where they are supposed to be, for example forgotten assets in the DMZ.

The platform, which is also the highest-rated OT & IoT security platform, monitors network traffic for any threats, including those found in typical ransomware attacks, such as:

  • Security exploits being sent across the network.
  • Lateral movement attempts using the latest techniques.
  • Network scanning and network reconnaissance.

In the event of a security breach, SCADAfence’s detailed alerts help you contain these threats as quickly as possible. Ultimately, we built this tool to help industrial organizations understand their attack surface, implement effective segmentation, and constantly monitor the network for any malicious or anomalous activity.


Video: The Anatomy of a Targeted Ransomware Attack:

We’d like to share with you a true story of a recent incident response to an industrial ransomware cyberattack. SCADAfence’s incident response team assists companies in cyber security emergencies. In this video, we will review a recent incident response activity in which we took part. This research has been published with the goal of assisting organizations to plan for such events and reduce the impact of targeted industrial ransomware in their networks.

For more detailed information on this story, we prepared a full whitepaper here: https://www.scadafence.com/resource/anatomy-of-a-targeted-ransomware-attack/

Additional credits: Yossi Reuven and Michael Yehoshua have also contributed to this comprehensive guide.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum, including Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

High Availability and Contingency and Risk Management in Information Security

Risk management quantifies and qualitatively describes information security risk, allowing companies to prioritize risks according to their severity and thus ensure business continuity.

Risk management determines the value of an information asset, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effects on the identified risks, determines the potential consequences, and finally prioritizes them.

Given this definition, how can a company develop a risk management strategy? What are the main risks associated with information security? And what do High Availability and Contingency have to do with risk management, and how do they differ in keeping your system secure?

Keep reading this article and learn how risk management in information security can contribute to your business continuity.

How does Information Security Risk Management work?

Risk management in information security is the process of managing the risks associated with the use of information technology. It involves identifying, assessing, and addressing risks to the confidentiality, integrity, and availability of a company’s assets.

The ultimate goal of this process is to address risks according to a company’s risk tolerance. Companies should not expect to eliminate all risks. Instead, they should seek to identify and achieve an acceptable level of risk for business continuity.

How to develop an Information Security Risk Management strategy?

Managing risk is an ongoing task, and your success depends on how risks are assessed, how plans are communicated, and how functions are maintained. Identifying the people, processes, and technologies required for the steps below builds a solid foundation for a risk management strategy and program in your company, which can then be developed over time.

Identification

This stage is the process of identifying your digital assets, which can include a wide variety of information: confidential company information, such as product development and trade secrets; personal data whose exposure puts employees at risk of identity theft and which is subject to regulation. Another example is companies that handle credit card transactions and need PCI DSS compliance.

Assessment

This is the process of combining the information you have gathered about assets, vulnerabilities, and controls to define risks. There are many structures and approaches to this.

Treatment

Once a risk has been assessed and analyzed, the company needs to select a risk treatment option. In this scenario, companies can accept the risk or prevent it.

Communication

Regardless of how a risk is handled, the decision needs to be communicated within the company. Stakeholders need to understand the costs of addressing, or not addressing, a risk and the reasoning behind the decision. Responsibility and accountability need to be clearly defined and assigned to individuals and teams in the company to ensure that the right people are engaged at the right times in the process.

Main risks associated with Information Security

Security risks are inevitable, so the ability to understand and manage risks to systems and data is essential to a company’s success.

If you are able to address the risks below and respond effectively to security incidents, you will be better placed to resist cyber threats and reduce risk in the future.

Privilege Abuse

In most technology environments, the principle of least privilege is not enforced. There are many reasons why a user ends up with greater privileges than necessary.

Granting excessive permissions is problematic for two reasons: approximately 80% of attacks on corporate data are actually performed by current or dismissed employees, and privileges that are granted excessively or not revoked at the right time make it simple for someone to perform malicious actions.

Third-party Access

A number of third parties, including suppliers, contractors, consultants, and service providers, have access to network resources that allows them to modify, replace, or affect your company’s operational services. This access is considered privileged and needs to be protected even more carefully than an employee’s access.

Companies put effort into protecting their networks but forget about security controls for third-party access. Such controls can protect third-party access to privileged credentials and strengthen the aspects of security that attackers normally exploit to gain access to the corporate network.

Insider Threats

When it comes to data breaches, employees themselves can be one of the biggest risks to an organization. These threats can be accidental, when staff are poorly trained; negligent, when employees try to bypass implemented policies; or malicious (the most dangerous), when an employee is motivated by financial gain, espionage, or revenge.

HA (High Availability) and DR (Disaster Recovery / Contingency) as metrics for Risk Management

Any good system these days must be built to expect the unexpected. No system is perfect and, at some point, something will happen that will cause a system to malfunction (a fire, a hurricane, an earthquake, human error – the list goes on). Since systems can fail in different ways, they need to be designed with the expectation that a failure will occur.

Thus, there are two related, but often confused, aspects of system architecture that mitigate failures: high availability (HA) and disaster recovery (DR).

High availability simply eliminates single points of failure, and disaster recovery is the process of putting a system back into an operational state when it goes down. In essence, disaster recovery is triggered when high availability fails.

Fundamentally, high availability and disaster recovery have the same goal: to keep systems up and running in an operational state. The main difference is that high availability is designed to deal with problems when a system is running, while disaster recovery must deal with problems after a system failure.

Regardless of a system’s high availability, any system in production, no matter how trivial, needs to have some kind of disaster recovery plan in place. And this should be included in your information security risk management strategy.


About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.