Recent high-profile attacks on industrial control systems (ICS), such as those on US-based fuel transporter Colonial Pipeline and SolarWinds, expose vulnerabilities within critical infrastructures, which could lead to widespread disruptions.
Computer-controlled systems such as ICS are used in key sectors, including power and water utilities and manufacturing, to automate or remotely control production, handling and distribution.
No longer ‘air gapped’, modern ICS installations interface with multiple networks and devices, which opens up a variety of vulnerabilities. The SolarWinds attack, for instance, affected 25% of North American utility companies. Analyst firm Gartner warns that weaponised computer systems could cause injury or death by 2025 and will cost businesses US$50 million to recover from such attacks.
The rising wave of attacks, including the Colonial Pipeline, JBS and Kaseya software supply chain cases, is a painful lesson in how ransomware attacks threaten to shut down business processes completely for weeks.
Peerapong Jongvibool, Senior Director, Southeast Asia and Hong Kong at Fortinet, who passionately advocates a holistic and integrated network security posture among the region’s enterprises and SMEs, provided an in-depth picture during a recent Disruptive Asia interview.
“Our 2021 report on the State of Operational Technology and Cybersecurity shows that the majority of organisations have been largely unsuccessful at preventing cybercriminals from exploiting their systems, with only 8% stating that they have had no intrusions over the past 12 months.”
“Among those surveyed, we also found that 90% have experienced at least one intrusion in the past year, 72% have experienced three or more intrusions in the past year, and 26% have experienced six or more intrusions in the past year.”
Peerapong said the study also confirmed the devastating impact of these cyber intrusions, which are summarised below:
“Our research results show that operational outage which affected productivity has had the highest impact on organisations at 51%,” he commented. “This was followed by brand awareness degradation at 40%, and impact on revenue at 37%.”
The regional impact of ransomware on OT can go beyond operational downtime and revenue loss.
In September 2020, Pakistan’s largest power supply company suffered a Netwalker ransomware cyberattack, which impacted roads, rail and subway systems, including traffic lights, rail switching, and subway power lines.
Peerapong pointed out that: “This targeted attack demonstrates how critical infrastructure ecosystems are vulnerable to malicious cyberattacks, and how outages can disrupt essential services and even endanger people’s lives.”
With the increasing number of ransomware attacks on essential services, he stressed that organisations must take all the necessary steps to protect IT systems.
“A successful cyberattack on critical infrastructure can disrupt operations and the supply of electricity, oil, gas, water and waste management,” Peerapong added. “When essential services such as transportation, communication facilities, hospitals, and emergency services dependent on this critical infrastructure are compromised, the safety of workers and citizens is under threat.”
Furthermore, analysts have noted that service outages due to cyberattacks can lead to litigation, steep fines and regulatory issues, and loss of consumer trust and reputational damage, which can lead to serious financial consequences.
“Without measures to mitigate the impact of cyberattacks, the damages can spill over to linked industries, and eventually, to the nation’s economy and the society at large,” he said.
What’s behind the rise?
Advanced ransomware attacks can take just a few seconds to compromise endpoints and cause damage to a company’s systems and infrastructure. Ransomware attacks have increased in volume, morphing and evolving through the years.
According to a recent Global Threat Landscape Report from FortiGuard Labs, ransomware attacks increased sevenfold in the concluding half of 2020 and became even more disruptive.
Peerapong highlights that threat actors’ tactics continue to shift, and that defenders need to keep getting the “basics” of defensive strategy right and continuously evaluate their organisation’s security policies to ensure they still provide adequate responses against today’s ransomware threat actors. CISOs now face a harsh reality: it is less a matter of if than when they will be attacked.
Specific to the critical infrastructure industry, as IT and OT systems converge, ransomware attack trends have targeted new data and technology types.
“Field devices and sensors have become new targets, resulting in malicious actors shifting their focus from corporate networks to the OT edge,” said Peerapong. “Consequently, power grids, transportation management infrastructures, medical systems and other critical resources are under threat more than ever before.”
“Beyond compromised sensitive data and information, cybersecurity threats on applications and Industrial Internet of Things (IIoT) devices connected to the OT edge can bring serious damage to people’s health and physical safety, which demonstrates the severity of the impact of attacks on these networks.”
The consequences of these attacks range from disruption of public services such as transportation, hospitals, and emergency medical responses, to business impact including information and revenue loss, to damage to physical assets. Moreover, critical infrastructure failures are of national interest and could impact a country’s prosperity, public safety and national defence.
‘Golden age of ransomware’
“We are living in the golden era of ransomware and seeing a cybercrime landscape in which many bad actors operate as large, distributed businesses, complete with call centres to handle ransom payments,” Peerapong continued. “Many of these cyber criminals now target large corporations and industries or high-profile individuals to get the best payouts — a strategy known as ‘Big Game Hunting’ (BGH).”
He gave Sodinokibi (aka REvil) as an example of a large and lucrative cybercriminal operation that uses the Ransomware as a Service (RaaS) business model and recruits affiliates to distribute their ransomware.
“Their exploits include stealing nearly a terabyte of data from a large law firm and demanding a ransom in exchange for not publishing their data. The stakes continue to climb and the criticality of attacks has been accelerating, as shown in the recent US Colonial Pipeline ransomware attack, which was initiated by the cybercriminal group DarkSide.”
“In today’s modern world, the cyber threat landscape continues to grow more complex and sophisticated. Attempted attacks and data breaches are inevitable, and no organisation wants to be in a situation wherein they have to choose between paying a ransom and losing important data,” Peerapong said.
He noted that small and medium businesses (SMBs) are particularly vulnerable to ransomware attacks. “Primarily, they might not have the internal resources, knowledge, or security budget to help prevent ransomware and deal with the ramifications of a cyberattack.”
In addition, for many organisations, the loss of critical business cycles and revenues from grounded systems far outweighs the ransom’s price. To fight ransomware, businesses need a comprehensive solution that is simple, straightforward, and affordable so that they can focus on growing the business while knowing their users and data are protected.
Best ways to stop ransomware
When asked about the best ways to tackle ransomware, Peerapong said: “While each network environment is different, there are steps any organisation can begin to implement today to reduce their risk from ransomware and other advanced threats. A key takeaway is to leverage people, technology, and processes to gather threat intelligence about active attacks on a network quickly and act on it, using automation where possible.”
His takeaways are summarised here:
- Out-of-band emergency patches will happen. Organisations need a plan in place, through change control processes, to ensure they can respond to emergency patches. As attackers only need hours to weaponise vulnerabilities, having an emergency patch process in place is critical.
- Have advanced security installed, such as anti-exploit and endpoint detection and response (EDR) solutions.
- Store backups offline, along with any devices and software needed for a network recovery.
- Check and filter out email attachments, websites, and files for malware.
- Discover, execute, and analyse new or unrecognised files, documents, or programs in a safe environment.
- Identify where an infection came from, or how long it has been in an environment.
- Train the people who use your devices and applications. Cybersecurity awareness training is essential.
Peerapong also commented that FortiGuard Labs research showed that most areas worldwide are targets and that no sector is safe from ransomware.
His advice to organisations includes staying calm and beginning to execute the incident response (IR) plan or reaching out to the security vendor; then isolating the systems to curb the spread; determining the ransomware variant; and taking the appropriate steps. “Many of the tactics, techniques, and procedures (TTPs) of each ransomware variant are publicly documented.”
Moreover, Peerapong advises scoping and identifying infected systems and accounts and determining whether data was exfiltrated. “Ransomware attacks will not only encrypt your files but also try to exfiltrate data. They will do this to increase the chances of ransom payment by threatening to post things like proprietary or embarrassing data online.”
The next step is to locate and scan backups to determine integrity, as attackers will attempt to wipe a company’s online backups and volume shadow copies to decrease the chances of data recovery, he said. “Reporting the incident is also a vital step in responding to an active ransomware attack. Companies should immediately assess the scope of the incident and report to law enforcement agencies as needed and required.”
“Law enforcement advises against paying ransom,” he added. “However, should the organisation consider this option, they should hire a security company with specialised skills to assist with the process.”
Moving forward, a post-incident review can help IT teams improve the company’s incident response, understand what went right, and document opportunities for improvement.
“Once an attack occurs, panic can spread through the organisation and only create bigger issues. Chief Information Security Officers (CISOs) know that surviving a ransomware attack requires an incident response plan, but there are time constraints when documenting a full plan and the right resources to implement the plan may not be available when needed,” Peerapong said.
Power of collaboration
As cyberattacks have increased in sophistication and reach, Peerapong agreed that collaboration is another key factor in developing a strong security posture. “In addition to working with all internal and external stakeholders, including law enforcement, to ensure the effectiveness of responses, cybersecurity professionals must openly partner with global or regional law enforcement, like SingCERT or MyCERT. Sharing intelligence with law enforcement and other global security organisations is the only way to take down cyber crime groups effectively.”
“Simply defeating a single ransomware incident at one organisation does not reduce the overall impact within an industry or peer group,” he explained. “Cyber criminals have been known to target multiple companies, verticals, systems, networks, and software. To make attacks more difficult and resource-intensive for cyber criminals, public and private entities must collaborate by sharing threat information and attack data. Private-public partnerships also help victims recover their encrypted data, ultimately reducing the risks and costs associated with the attack.”
“When private and public entities work together, they also expand visibility. For example, a bank may suffer a ransomware attack but fail to share information responsibly with law enforcement. Law enforcement working with a credit card company also impacted by the same cybercrime group needs that information to understand the criminal organisation’s full scope. As cybercrime knows no borders, actionable threat intelligence with global visibility helps both the private and public sectors shift from taking a reactive approach to being proactive.”
Governments within the region are starting to recognise the growing malicious attacks on OT systems. In Singapore, the Cyber Security Agency (CSA) launched the OT Cybersecurity Masterplan to create deeper awareness and understanding of the cybersecurity landscape, including the challenges faced by OT stakeholders from the public and private sectors. Recently, the Chair of the Asia Pacific Computer Emergency Response Team (APCERT) and CyberSecurity Malaysia joined 18 other Asia Pacific countries and 31 international teams in an ambitious international cyberattack simulation, where nations worked together to take down a fictional cyber criminal infrastructure.
As cybercriminals get more organised and well-resourced, countries must balance national interests and international collaboration to create a trusted digital space.
With the increasing sophistication of cyberattacks, their impact goes beyond just financial and productivity losses, Peerapong said.
“Instead, threat researchers are increasingly seeing encrypted versions of data being posted online — not just held for ransom — along with the threat that if the ransom is not paid, all the data will be released to the public or sold to a buyer,” he reveals. “As a result, organisations have begun to appear on the Dark Net with a business model centred on negotiating ransoms. While this route may sound like an easy fix, it can actually have long-term negative effects, including the normalisation of criminal behaviour.”
“We see an increased focus from governments and businesses to secure OT, in particular the manufacturing sector,” Peerapong said in conclusion. “Without an effective OT security plan, enterprises and their integrated ICS/SCADA (supervisory control and data acquisition) systems are vulnerable to cyberattacks that could result in reputational damage, financial loss, and diminished customer confidence as well as threaten the safety of citizens and — in the case of critical infrastructure — national security.”