Ransomware in critical infrastructure
Ten questions and actions to tackle this major threat
In this report, Deloitte highlights ten key questions and actions to help you kickstart or re-evaluate your efforts to protect critical infrastructure against ransomware.
Critical infrastructure assets are high value targets for state-based cyber espionage and asymmetric warfare, and increasingly, active ransomware criminal groups. Aided by rapid digitisation, 2020 was characterised by a significant increase in cyber-criminal activity, in particular ransomware attacks. Research indicates a seven-fold rise in ransomware attacks over the first half of 2020.
In September 2020, Pakistan’s largest power supply company, K-Electric, suffered a Netwalker ransomware cyber attack. The immediate impact was a disruption of K-Electric’s online services, but power outages briefly followed while the company scrambled to fire up its backup generators. The electricity supply disruption caused an immediate domino effect in the country’s largest city, affecting its hospitals, water treatment plants and transport infrastructure. Road, rail and subway systems, including traffic lights, rail switching, and subway power lines, all suffered outages. This targeted attack demonstrates how critical infrastructure ecosystems are vulnerable to malicious cyber disruptions, which can wreak havoc on essential services and even cost lives.
Indeed, all our essential services are increasingly at risk, as a successful cyber attack on critical infrastructure can:
- disrupt operations and the supply of electricity, oil, gas, water, waste management, and transport
- further threaten the safety of workers and citizens as dependent services, including emergency services and health facilities, suffer shortages or are compromised as collateral damage
- impact revenue, result in reputational damage, and lead to litigation or regulatory consequences arising from the service outage
- bring an economy to a standstill in a serious and sustained scenario, due to the domino effects described earlier, and the possibility of public disturbance and civil unrest
- be leveraged to weaken a country’s government and essential services in preparation for a conventional military attack by another nation-state.
Why are ransomware attacks so successful?
By denying access to core systems, ransomware can cause an organisation to run its operations in a highly degraded state. In addition to the growing sophistication of ransomware groups, changing expectations have increased the risk to critical infrastructure. To meet stakeholders’ demands for simplicity, efficiency and value while meeting budget constraints, organisations increasingly embrace digitisation, including converging IT with Operational Technology (OT) and leveraging cloud and Industrial Internet of Things (IIoT) technologies. In addition, the pandemic forced many organisations to quickly enable remote access for their OT personnel. These changes result in OT environments being more exposed to increasingly sophisticated cyber threats.
Ten questions to move forward
Critical infrastructure organisations need to create transparency around key cyber risks such as ransomware, so that leadership, Boards and the C-suite can better monitor and address them—and maintain safety and reliability while modernising their operations. The following ten key questions should help you kickstart or re-evaluate your efforts to protect critical operational processes and systems against the threat of ransomware:
1. Has your organisation identified the most critical business processes that depend on technology?
What are they? Who owns them? This analysis needs to be narrowed down to those core processes that simply can't operate effectively without the technology.
2. For these critical business processes, is there a comprehensive 'tree of dependencies' that covers technology systems, suppliers, and people?
It is vital to understand this mapping, as it allows an organisation to pinpoint the components that have the potential to cause system failures or to introduce ransomware, and to start assessing the resulting failure scenarios.
3. Do you have individual cyber risk assessments on these critical business processes and their dependencies?
This will give visibility of the specific vulnerabilities and risks that are outside risk appetite parameters.
4. Is there a framework of non-negotiable cyber controls for technology that underpins critical business processes?
We know from good practice frameworks, such as the Australian Cyber Security Centre's Essential Eight, and other research that many cyber incidents tend to exploit a small number of cyber hygiene issues and control weaknesses. In regulated sectors, non-negotiable controls will also directly stem from mandatory standards, guidelines, or maturity models.
5. Is cyber risk owned by your organisation’s business leaders and do they operate together, collaboratively, and effectively?
This is frequently an issue in organisations where ineffective cyber risk management leads to serious vulnerabilities remaining unresolved. This happens when formal decisions around accepting risk or funding remediation are isolated, uncoordinated, or simply not made—and so not acted on.
6. Is your organisation proactively managing the risk of key suppliers involved in critical processes and systems?
Suppliers can inadvertently introduce ransomware and other malware in core OT systems. Many operate with outdated contracts that lack accountability or clarity around responsibilities for cyber security controls. Identifying such suppliers, assessing their cyber security controls, and monitoring their effectiveness are all key ways to avoid opening up further attack vectors and risks to critical systems.
7. How are legacy critical systems being protected?
Unsupported software and devices from legacy industrial control systems are vulnerable to common malware, let alone targeted attacks. Many long-serving employees with the system ‘know-how’ may have already left the organisation. In some cases, the incident recovery team has to rebuild using year-old backup data. Organisations need to decide how to protect legacy systems and be prepared to rebuild industrial processes from scratch—including these systems.
8. Is there excessive reliance or complacency around 'air gaps'?
‘Air gaps’ usually fail and lead to false confidence about the protection level of industrial control systems, which are at the heart of OT. Organisations cannot afford to rely on this concept. While network segmentation controls can and should be reinforced, it is equally important to monitor connections, detect unexpected behaviours, and be able to respond quickly with tried and tested containment measures and recovery processes.
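As an added example that is not part of the Deloitte report, the following Python script shows what "monitor connections, detect unexpected behaviours" can look like at the simplest level: flow records exported from an OT firewall or network sensor are checked against a baseline of approved conversations. The flow records, addresses, baseline and segment definitions are constructed sample data; the assumed record format is "timestamp src_ip dst_ip dst_port proto". Three conditions are reported: any OT host reaching an address outside the organisation's networks (the air gap is not holding), any conversation not in the approved baseline, and one OT host opening file-sharing or remote-desktop connections to several peers in a short window, which is the kind of spread that containment measures need to stop early:

```python
import ipaddress
from collections import defaultdict

# Added example (not from the Deloitte report). The flow records, addresses and
# baseline below are constructed sample data in an assumed export format:
# "timestamp src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2021-03-01T02:00:01 10.20.1.10 10.20.1.50 502 tcp
2021-03-01T02:00:05 10.20.1.10 10.20.1.50 502 tcp
2021-03-01T02:00:09 10.20.1.11 10.20.1.50 502 tcp
2021-03-01T02:01:00 10.20.1.10 10.20.1.60 20000 tcp
2021-03-01T02:01:30 10.20.1.12 10.20.1.50 445 tcp
2021-03-01T02:02:00 10.20.1.12 203.0.113.25 443 tcp
2021-03-01T02:02:10 10.20.1.12 10.20.1.11 445 tcp
2021-03-01T02:02:11 10.20.1.12 10.20.1.13 445 tcp
"""

# Conversations approved during the asset inventory: (src, dst, dst_port).
# The baseline should come from the documented dependency tree, not from
# "whatever was observed last week".
BASELINE = {
    ("10.20.1.10", "10.20.1.50", 502),      # HMI -> PLC, Modbus/TCP
    ("10.20.1.11", "10.20.1.50", 502),      # engineering workstation -> PLC
    ("10.20.1.10", "10.20.1.60", 20000),    # HMI -> RTU, DNP3
}
OT_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # everything else is "outside"
FANOUT_PORTS = {445, 3389}   # one host touching many peers on these ports is abnormal in OT


def parse_flows(text):
    """Parse the constructed export format into typed tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto))
    return flows


def detect(flows, baseline=BASELINE, segment=OT_SEGMENT, fanout_threshold=3):
    """Return (timestamp, alert_kind, detail) tuples for flows that contradict
    the 'air gap' or the approved conversation baseline."""
    alerts = []
    peers = defaultdict(set)   # (src, port) -> distinct destinations seen
    for ts, src, dst, port, proto in flows:
        if src not in segment:
            continue   # only traffic originating in the OT segment is judged here
        if not any(dst in net for net in INTERNAL_NETWORKS):
            alerts.append((ts, "egress_from_ot_segment", f"{src} -> {dst}:{port}/{proto}"))
        elif (str(src), str(dst), port) not in baseline:
            alerts.append((ts, "unbaselined_connection", f"{src} -> {dst}:{port}/{proto}"))
        if port in FANOUT_PORTS:
            peers[(src, port)].add(dst)
            if len(peers[(src, port)]) == fanout_threshold:   # alert once, when the threshold is hit
                alerts.append((ts, "peer_fanout", f"{src} reached {fanout_threshold} hosts on port {port}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect(parse_flows(SAMPLE_FLOWS)):
        print(ts, kind, detail)
```

The first four sample records match the baseline and produce nothing; the remaining four produce five alerts, including the egress to 203.0.113.25 that an "air-gapped" network should never generate. In practice the baseline is reviewed with the asset owners before alerting is switched on, so that a legitimate but undocumented conversation becomes a baseline update rather than a permanent source of noise.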
9. How resilient is your workforce to cyber risk?
Most cyber incidents involve human failure, including in well-disciplined industrial environments. Leading organisations are therefore identifying their high-risk workers and making targeted interventions to improve awareness and resiliency. It is important to help workers understand how to avoid introducing risks, as well as to identify and report suspicious system behaviours.
10. Has sufficient crisis management and recovery testing been done for a ransomware attack on a critical system?
It is still common for organisations that attempt a system restoration from backups to discover it is much harder than expected (or that the backups are inoperative or also infected with ransomware). Organisations need to thoroughly practise response processes—including rebuilding systems from scratch—with their management teams, suppliers, and other third parties. In this way, they can remediate technical issues, identify what information is needed and who is responsible to respond effectively, align leadership and develop muscle memory around decision-making, and clarify how to communicate with regulators, customers, and the media.
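Discovering during a crisis that backups are inoperative or were encrypted along with production is the failure mode the paragraph above describes. As an added example that is not part of the Deloitte report, the script below shows one automated pre-restore check that recovery testing can run routinely: at backup time a manifest of file hashes and byte-entropy values is recorded (and kept apart from the backup, offline or on immutable storage), and before a restore the backup set is compared against it. Missing and modified files are reported, and a modified file whose entropy has jumped towards 8 bits per byte is flagged as suspicious, since that is what encrypted content looks like. The directory layout, file contents and the random bytes standing in for encrypted data are all constructed for the demonstration:

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Added example (not from the Deloitte report): an automated pre-restore check of a
# backup set. The directory layout and file contents in demo() are constructed data.


def shannon_entropy(data):
    """Bits per byte, from 0.0 (constant) to 8.0 (uniformly random). Encrypted or
    compressed content sits near 8; configuration and CSV text sit around 3 to 5."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def build_manifest(root):
    """Record the hash and entropy of every file at backup time. Store the result
    separately from the backup itself so it cannot be altered together with it."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            manifest[rel] = {"sha256": hashlib.sha256(data).hexdigest(),
                             "entropy": shannon_entropy(data)}
    return manifest


def verify_backup(root, manifest, entropy_jump=2.0):
    """Compare the backup set on disk with its manifest. 'suspicious' lists the
    modified files whose entropy rose sharply, the signature of content that was
    encrypted after the manifest was taken."""
    report = {"missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != expected["sha256"]:
            report["modified"].append(rel)
            if shannon_entropy(data) - expected["entropy"] > entropy_jump:
                report["suspicious"].append(rel)
    return report


def demo():
    """Build a small constructed backup set, snapshot it, then simulate two
    failure modes (a deleted file and a file overwritten with random bytes that
    stand in for ransomware-encrypted content) and verify against the manifest."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "plc_config.txt"), "w") as fh:
            fh.write("station=pump_3\nsetpoint=42\nmode=auto\n" * 50)
        with open(os.path.join(root, "historian.csv"), "w") as fh:
            fh.write("".join(f"2021-03-01T02:{i:02d},pump_3,{40 + i % 5}\n" for i in range(60)))
        manifest = build_manifest(root)
        # A clean backup set verifies with an empty report.
        assert verify_backup(root, manifest) == {"missing": [], "modified": [], "suspicious": []}

        os.remove(os.path.join(root, "plc_config.txt"))          # backup job silently skipped a file
        with open(os.path.join(root, "historian.csv"), "wb") as fh:
            fh.write(os.urandom(4096))                             # constructed stand-in for encrypted content
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A check like this only answers "is the backup what we wrote?"; the paragraph's point that restoration is harder than expected is answered only by actually rebuilding a system from the backup during an exercise, which is why the manifest check belongs inside the rehearsal rather than replacing it.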