Article

Ten key questions and actions to tackle ransomware in critical infrastructure

Critical infrastructure assets are high value targets for state-based cyber espionage and asymmetric warfare, and increasingly, active ransomware criminal groups. Aided by rapid digitisation, 2020 was characterised by a significant increase in cyber-criminal activity, in particular ransomware attacks. But can ransomware groups disrupt electricity supply and other essential services in their escalating quest to earn larger rewards?

Let's consider what we know :

  • As far back as 2015, a highly sophisticated group showed the world that cyber attackers could cause a real-life disruption of electricity supply to citizens, businesses and infrastructure alike—by effectively taking down parts of Ukraine’s power grid. (1)
  • A year later, a related group launched and tested malware specifically designed to take over industrial control systems in even more critical components of an electric grid, which could have shut down power in entire regions in Ukraine if the group decided to do so. (2)
  • Several ransomware groups claim to have access to critical infrastructure including a nuclear power plant.
  • In 2021, ransomware groups targeted multiple industrial facilities including water treatment plants, factories, and even a nationally strategic pipeline operator in the US. The pipeline attack resulted in fuel shortages across a wide region for gas stations, airports, the military, and even home heating. (3)

The capability for severe and widespread disruption is quite clear. Indeed, all our essential services are increasingly at risk, as a successful cyber attack on critical infrastructure can : 

  • disrupt operations and the supply of electricity, oil, gas, water, waste management, and transport
  • further threaten the safety of workers and citizens as dependent services, including emergency services and health facilities, suffer shortages or are compromised as collateral damage
  • impact revenue, result in reputational damage, and lead to litigation or regulatory consequences to the service outage
  • bring an economy to a standstill in a serious and sustained scenario, due to the domino effects described earlier, and the possibility of public disturbance and civil unrest
  • be leveraged to weaken a country’s government and essential services in preparation for a conventional military attack by another nation-state.

 

The ransomware landscape

The wide-ranging downstream impacts of the pipeline operator ransomware attack in the US in May 2021 were not a first. A year earlier, the largest domestic energy provider in Taiwan suffered a ransomware incident that caused disruptions at many of the nation’s petrol stations, part of a string of targeted attacks on critical infrastructure. Ransomware groups have now set the world’s critical infrastructure firmly in their sights and embarked on what is termed ‘big game hunting’ campaigns, which explains a reported 500% rise in attacks on industrial organisations from 2018 to 2020. (4) Meanwhile, we are also seeing the rise of ransomware programs which include functions targeting industrial control systems specifically.

 

Why are ransomware attacks so successful?

By denying access to core systems, ransomware can cause an organisation to run its operations in a highly degraded state. In addition to the growing sophistication of ransomware groups, changing expectations have increased the risk to critical infrastructure. To meet stakeholders’ demands for simplicity, efficiency and value while meeting budget constraints, organisations increasingly embrace digitisation, including converging IT with Operational Technology (OT) and leveraging cloud and Industrial Internet of Things (IIoT) technologies. In addition, the pandemic forced many organisations to quickly enable remote access for their OT personnel. These changes result in OT environments being more exposed to increasingly potent cyber threats.

 

Ten questions to move forward

Critical infrastructure organisations need to create transparency around key cyber risks such as ransomware, so that leadership, Boards and the C-suite can better monitor and address them—and maintain safety and reliability while modernising their operations. The following ten key questions should help you kickstart or re-evaluate your efforts to protect critical operational processes and systems against the threat of ransomware:
 

1. Has your organisation identified the most critical business processes that depend on technology?

What are they? Who owns them? This analysis needs to be narrowed down to those core processes that simply can't operate effectively without the technology.
 

2. For these critical business processes, is there a comprehensive 'tree of dependencies' that covers technology systems, suppliers, and people?

It is vital to understand this mapping as it allows an organisation to pinpoint the components that have the potential to cause system failures or to introduce ransomware. And start assessing the resulting failure scenarios.
 

3. Do we have individual cyber risk assessments on these critical business processes and their dependencies?

This will give visibility of the specific vulnerabilities and risks that are outside risk appetite parameters.
 

4. Is there a framework of non-negotiable cyber controls for technology that underpins critical business processes?

We know from good practice frameworks, such as the Australian Cyber Security Centre's Essential Eight, and other research, that many cyber incidents tend to exploit a small number of cyber hygiene issues and control weaknesses. In regulated sectors, non-negotiable controls will also directly stem from mandatory standards, guidelines, or maturity models.
 

5. Is cyber risk owned by your organisation’s business leaders and do they operate together, collaboratively, and effectively?

This is frequently an issue in organisations where ineffective cyber risk management leads to serious vulnerabilities remaining unresolved. This happens when formal decisions around accepting risk or funding remediation are isolated, uncoordinated, or simply not made—and so not acted on.
 

6. Is your organisation proactively managing the risk of key suppliers involved in critical processes and systems?

Suppliers can inadvertently introduce ransomware and other malware in core OT systems. Many operate with outdated contracts that lack accountability or clarity around responsibilities for cyber security controls. Identifying such suppliers, assessing their cyber security controls, and monitoring their effectiveness are all key ways to avoid opening up further attack vectors and risks to critical systems.
 

7. How are legacy critical systems being protected?

Unsupported software and devices from legacy industrial control systems are vulnerable to common malware, let alone targeted attacks. Many legacy employees with the system ‘know how’ may have already left the organisation. In some cases, the incident recovery team has to rebuild using year-old backup data. Organisations need to decide how to protect legacy systems and be prepared to rebuild industrial processes from scratch—including these systems.
 

8. Is there excessive reliance or complacency around 'air gaps'?

‘Air gaps’ usually fail and lead to false confidence about the protection level of industrial control systems, which are at the heart of OT. Organisations cannot afford to rely on this concept. While network segmentation controls can and should be reinforced, it is equally important to monitor connections, detect unexpected behaviours, and be able to respond quickly with tried and tested containment measures and recovery processes.
 

9. How resilient is your workforce to cyber risk?

Most cyber incidents involve human failure, including in well-disciplined industrial environments. Leading organisations are therefore identifying their high-risk workers and making targeted interventions to improve awareness and resiliency. It is important to help workers understand how to avoid introducing risks, as well as to identify and report suspicious system behaviours.
 

10. Has sufficient crisis management and recovery testing been done for a ransomware attack on a critical system?

It is still common for organisations that attempt a system restoration from backups to discover it is much harder than expected (or that the backups are inoperative or also infected with ransomware). Organisations need to thoroughly practice response processes—including rebuilding systems from scratch—with their management teams, suppliers, and other third parties. In this way, they can remediate technical issues, identify what information is needed and who is responsible to respond effectively, align leadership and develop muscle memory around decision-making, and clarify how to communicate with regulators, customers, and the media.

 

Read our full report for more insights.

 

(1) Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid,” Wired, March 3, 2016.

(2) Andy Greenberg, “’Crash Override': The Malware That Took Down a Power Grid,” Wired, June 12, 2017.

(3) Charlie Osborne, “Colonial Pipeline attack: Everything you need to know,” ZDNet, May 13, 2021.

(4) Dragos and IBM Security X-Force, Ransomware in ICS Environments, December 2020.

Did you know?

  • It takes 201 days on average to identify a cyber breach, giving attackers on average more than six months to prepare and launch their ransomware attack
  • It can take less than 45 minutes to ransom an entire network for a large, distributed global organisations
  • 50% of ransomware attacks leverage the supply chain, i.e. vendors or contractors
  • 31% of ransomware victims experience destructive outcomes
  • More than 50% of ransomware attacks on industrial organisations may affect OT networks directly or indirectly, while some ransomware programs can now disrupt ICS specifically

Source: Deloitte analysis; news reports.

Did you find this useful?