How to Secure Industrial Networks Against Ransomware in 2023

Since the outbreaks of Wannacry & NotPetya ransomware attacks in 2017, we’ve been witnessing daily occurrences of attacks affecting OT networks that originated on the IT side. The U.S. National Security Agency (NSA) also highlighted this issue for this very simple reason. It works.

A report from Cybersecurity Ventures estimates that there was one ransomware attack every 11 seconds in 2021, resulting in almost $20 billion in damages. These extortion schemes often target individuals or businesses that are most likely to pay the demanded sum to recover their data.

The number of ransomware attacks has jumped by 97 percent in the last 2 years, the average ransom payment increased by more than 6,000 percent in the last 6 years, downtime is up by 200 percent and the average cost per incident is on the rise.

Threat actor groups with names such as Ryuk, Egregor, Conti, Ragnar Locker, and many others are ruthless, well-funded, and are willing to target anyone; from COVID-19 vaccine manufacturers, automotive manufacturers, critical infrastructure, governments, and hospitals to get their payday. In fact, the first ransomware-related death happened this past September, when a German hospital was infected with ransomware and couldn’t treat patients during the Covid-19 outbreak.

Ransomware is a sophisticated type of malware that can infect a computer and subsequently hold sensitive data or personally identifiable information (PII) hostage until a fee, or “ransom” is paid. Cybercriminals often use a binary encryption key to restrict data access to extort money from victims.

Ransomware attacks can be especially dangerous for businesses, hospitals, schools, or other organizations that rely on that information to function daily. In most cases, failure to pay the ransom can lead to permanent loss or exposure of confidential data.

Some of the most common ways people get infected by ransomware are:

• Phishing emails

• Visiting corrupted websites (drive-by downloading)

• Downloading infected file extensions or malicious attachments

• System and network vulnerabilities

• Remote desktop protocol (RDP) attacks

Ransomware attacks can affect anyone, from individual users to large corporations. This type of malware can lock up individual files, like documents or images, to entire databases, leading to huge data breaches or exposure of sensitive, personal information.

There are four main categories of ransomware:

• Encryption – Encryption is the most common type of ransomware, which encrypts data and makes it impossible to unlock without a decryption key.

• Lockers – Lockers restrict the use of your computer, making it impossible to work or use basic functions until the ransom is paid.

• Scareware – Scareware attempts to scare users into buying unnecessary software. In some cases, pop-ups will flood the screen, forcing the user to pay to remove them.

• Doxware/Leakware – Doxware or leakware will threaten to leak personal or company information unless the fine is paid.

From what we’ve seen, ransomware generally encrypts Windows and Linux machines. We still haven’t seen any PLCs being encrypted. However, many industrial services are run on Windows / Linux machines – such as historians, HMIs, storage, application servers, management portals, and OPC client/servers.

In many cases, ransomware operations would not stop in the IT network, and will also attack OT segments. More encrypted devices mean a higher monetary ransom demand from the attackers.

Organizations must be able to monitor & detect threats across the IT/OT boundary to effectively identify risks before reaching process-critical endpoints.

We recommend that organizations practice these common security procedures to minimize the impact and their risk of ransomware infection.

Backing up your data to an external hard drive or cloud server is one of the easiest risk mitigation practices. In the case of a ransomware attack, the user can wipe the computer clean and reinstall the backup files. Ideally, organizations should be backing up their most important data at least once per day.

A popular approach to follow is the 3-2-1 rule. Try to keep 3 separate copies of your data on 2 different storage types with 1 copy offline. You can also add another step to the process by adding one more copy on an immutable (can’t be altered), indelible (can’t be deleted) cloud storage server.

Implementing new security measures should be a never-ending task. As ransomware tactics continue to evolve, companies need to run regular cybersecurity tests and OT security assessments to adapt to changing environments. Companies should continually:

• Reevaluate user privileges and access points

• Identify new system vulnerabilities

• Create new security protocols

Sandbox testing is a common strategy to test malicious code against current software in an isolated environment to determine if security protocols are sufficient.

If possible, replace RDP with a remote access solution that requires two-factor authentication, many VPNs now support that. This will require attackers to be verified by, for example, a code sent via SMS.

If you choose to still use RDP, make sure its Windows Update is enabled and is working.

Educate the organization’s employees about phishing attacks. Employees should be suspicious of emails that don’t seem right and not click on suspicious links.

Install an anti-phishing solution.

Software Vulnerabilities of Internet-Facing Servers

Scan your organization’s IP range from outside the network. Verify that all exposed IP/ports are what you expect them to be.

Make sure that automatic security updates are enabled for your exposed services. If one of your services (such as web servers, for example) does not have that feature, consider changing it to a similar one that has this feature.

Enable firewalls on all of your workstations and servers. Make sure that Windows Update is enabled. This will ensure that your machines will be patched for the latest vulnerabilities and will also be less prone to lateral movement techniques. Microsoft constantly updates their security policies and their firewall rules. One good example is that they disabled the remote creation of processes using the task scheduler ‘at’ command.

Whitelisting determines which applications can be downloaded and executed on a network. Any unauthorized program or website that is not whitelisted will be restricted or blocked in the case an employee or user accidentally downloads an infected program or visits a corrupted site. Using whitelisting software like Windows AppLocker, you can also “blacklist” or block specific programs and websites.

Endpoint protection works. Beyond blocking classic hackers’ techniques, some also have defenses against ransomware and will protect your assets from encryption.

Ideally, you would want to minimize the risk of your industrial network being impacted when suffering a ransomware attack.

To the possible extent, separate the IT network from the OT network segment. Monitor and limit the access between the segments.

Use firewall and different management servers to the OT and IT networks (Windows domains, etc). By doing so, compromising the IT domain will not compromise the OT domain.

A constant network monitoring platform (we happen to know a really good one), will help you identify threats while analyzing network traffic and will help you see the bigger picture of what’s happening in your network.

Another way to protect your network and systems is limiting user access and permissions to only the data they need to work. This idea of “least privilege” limits who can access essential data. By doing so, you can prevent ransomware from spreading between systems within a company. Even with access, users may encounter limited functions or resources, as defined in a role-based access control (RBAC) policy.

Least privilege typically involves a zero-trust model that assumes any internal or external users cannot be trusted, which means that they will require identity verification at every level of access. Verification usually requires at least two-factor (2FA) or multi-factor authentication (MFA) to prevent access to target data should a breach occur.