How do we begin to safeguard against the ransomware threat to ICS systems?
1. Monitoring and Detection
Leverage detection technologies on your network. Use data analytics to look for anomalous activity, such as spikes in internal network traffic, unusual API requests from clients, and implausible readings from ICS sensors and other controllers. Also look for discrepancies between what ICS devices are physically doing and what control system logs and operator screens report; Stuxnet stayed hidden on Iranian centrifuge controllers for so long precisely because it replayed recorded normal readings to operators while it changed centrifuge speeds, and nothing cross-checked the two. Outside of your known and scheduled monitoring, randomly run analytics on particular devices or randomly monitor particular system segments. (Attackers are semi-unpredictable on the offensive end; you should be the same on the defensive end.) And don't neglect the human side: address insider threats through user activity monitoring. As you receive threat intelligence, have it directly inform your monitoring processes and protocols.
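As an added illustration of the cross-checks this step describes (example code, not from the original article), the script below runs two of them over constructed sample data: a lateral-movement check that flags a host whose per-minute SMB fan-out jumps far above its own baseline, and a telemetry check that compares what the HMI reports for each PLC against an independent measurement, the kind of discrepancy that Stuxnet's replayed readings would have produced had anyone compared them. Host names, PLC names, thresholds and all values are made up.

```python
"""Added example (not from the original article): two simple anomaly checks
over constructed ICS network-flow and telemetry records."""
from collections import defaultdict

# Constructed internal flow records: (minute, src_host, dst_host, dst_port).
FLOWS = []
for m in range(5):                       # minutes 0-4: normal activity
    FLOWS.append((m, "eng-ws-07", "fileserver-01", 445))
    FLOWS.append((m, "eng-ws-07", "historian-01", 445))
for i in range(12):                      # minute 5: one workstation touches 12 HMIs over SMB
    FLOWS.append((5, "eng-ws-07", f"hmi-{i:02d}", 445))
for m in range(6):                       # an HMI that behaves normally throughout
    FLOWS.append((m, "hmi-00", "historian-01", 445))

# Constructed telemetry: (plc, value shown on the HMI, independent sensor reading), in Hz.
TELEMETRY = [
    ("plc-centrifuge-01", 1064, 1063),
    ("plc-centrifuge-02", 1064, 1410),   # operators see normal; the motor is not
    ("plc-centrifuge-03", 1064, 1060),
]


def smb_fanout_spikes(flows, port=445, factor=4.0, min_count=5):
    """Flag (host, minute, distinct_destinations, baseline) when a host's
    number of distinct SMB destinations in one minute is at least `factor`
    times its own prior per-minute average and at least `min_count`.
    Ransomware spreading over SMB shows up as exactly this kind of fan-out."""
    per_host = defaultdict(lambda: defaultdict(set))   # host -> minute -> {dst}
    for minute, src, dst, dport in flows:
        if dport == port:
            per_host[src][minute].add(dst)

    alerts = []
    for host, minutes in per_host.items():
        for minute in sorted(minutes):
            prior = [len(minutes[m]) for m in minutes if m < minute]
            if not prior:                 # nothing to compare against yet
                continue
            baseline = sum(prior) / len(prior)
            count = len(minutes[minute])
            if count >= min_count and count >= factor * baseline:
                alerts.append((host, minute, count, baseline))
    return alerts


def telemetry_discrepancies(records, tolerance=0.05):
    """Flag PLCs where the HMI-reported value and an independent measurement
    differ by more than `tolerance` (as a fraction of the reported value).
    A control system whose logs are being fed replayed 'normal' data fails this."""
    return [
        (plc, reported, measured)
        for plc, reported, measured in records
        if abs(reported - measured) > tolerance * max(abs(reported), 1)
    ]


if __name__ == "__main__":
    for host, minute, count, baseline in smb_fanout_spikes(FLOWS):
        print(f"ALERT lateral movement: {host} reached {count} hosts on 445 "
              f"in minute {minute} (baseline {baseline:.1f}/min)")
    for plc, reported, measured in telemetry_discrepancies(TELEMETRY):
        print(f"ALERT telemetry mismatch: {plc} HMI shows {reported} Hz, "
              f"sensor reads {measured} Hz")
```

The telemetry check only works if the second reading really is independent of the PLC and HMI (a separate vibration or power-draw monitor, for instance); comparing the HMI against data the same compromised controller produced proves nothing, which is the lesson of the Stuxnet case.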
2. Strong Security Standards
Ensure compliance with all industry and regulatory standards, such as NIST SP 800-82. Check guidance from peer organizations and read up on current ICS security literature as well. As part of this standardization of security, secure system endpoints and ensure robust IT security controls are in place, such as perimeter firewalls, email filtering and intrusion detection systems. Encrypt and restrict access to all documents about your system's inner workings. Limit privileged system access as much as possible and cut off Internet access from internal control panels. Implement strict bring-your-own-device (BYOD) policies that reflect the sensitivity of your ICS environment. Conduct independent security tests of all devices and modules attached to the industrial control system, looking for default passwords, misconfigured or absent encryption, and the like. Probe your supply chain for paths by which another organization's risk can transfer to yours (are contractors somehow exposing information about your systems?). And make sure to patch systems quickly as security updates are released; as the ransomware campaigns of the last few years have shown, many "new" forms of ransomware are in fact slightly modified versions of old ones, and they often spread through vulnerabilities for which fixes already exist.
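The device tests this step calls for can be started offline, from an inventory, before anyone touches a live controller. The script below is an added example (not from the original article, not any vendor's tool) that audits a constructed inventory for the items named above: default credentials, Internet-reachable control-zone devices, unencrypted or legacy-TLS management services, and firmware behind the vendor's current release. The default-credential list, device names, versions and passwords are all hypothetical.

```python
"""Added example (not from the original article): offline audit of a constructed
device inventory for the weaknesses this section tells you to test for."""

# Hypothetical vendor-default credential pairs; a real audit would use the
# documented defaults for each product actually in the inventory.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("operator", "operator"), ("admin", "1234"),
}
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
PLAINTEXT_MGMT = {"http", "telnet", "ftp"}   # management protocols that must not run in the clear

# Constructed inventory; names, versions and passwords are made up.
INVENTORY = [
    {"name": "hmi-01", "zone": "control", "username": "admin", "password": "admin",
     "services": [{"proto": "http", "port": 80, "tls": None}],
     "internet_reachable": True, "firmware": "2.1", "latest_firmware": "2.4"},
    {"name": "plc-gw-02", "zone": "control", "username": "eng", "password": "q7!Lk2#pW",
     "services": [{"proto": "https", "port": 443, "tls": "TLSv1.0"},
                  {"proto": "modbus", "port": 502, "tls": None}],
     "internet_reachable": False, "firmware": "5.0", "latest_firmware": "5.0"},
    {"name": "historian-01", "zone": "dmz", "username": "svc_hist", "password": "Xr9$vT2m!c",
     "services": [{"proto": "https", "port": 443, "tls": "TLSv1.2"}],
     "internet_reachable": False, "firmware": "3.3", "latest_firmware": "3.3"},
]


def version_tuple(v):
    """'2.10' -> (2, 10), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev):
    """Return the list of findings for one device, in checklist order."""
    findings = []
    if (dev["username"], dev["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default credentials")
    if dev["zone"] == "control" and dev["internet_reachable"]:
        findings.append("control-zone device reachable from the Internet")
    for svc in dev["services"]:
        # Modbus/TCP (502) has no authentication or encryption by design, so it is
        # not a misconfiguration here; it is a reason the device must stay segmented.
        if svc["proto"] in PLAINTEXT_MGMT and svc["tls"] is None:
            findings.append(f"unencrypted management service {svc['proto']}/{svc['port']}")
        elif svc["tls"] in LEGACY_TLS:
            findings.append(f"legacy {svc['tls']} on {svc['proto']}/{svc['port']}")
    if version_tuple(dev["firmware"]) < version_tuple(dev["latest_firmware"]):
        findings.append(f"firmware {dev['firmware']} behind vendor release {dev['latest_firmware']}")
    return findings


def audit_inventory(inventory):
    """Map device name -> findings for the whole inventory."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

An inventory audit like this only finds what the inventory records; it has to be paired with the independent, hands-on testing the text describes, because the device nobody wrote down is usually the one still running its factory password.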
3. Continuity Planning
Build an extensive continuity plan: assess the risk ransomware poses to your organization and work out how critical and business operations will continue during an attack. For instance, build redundancy into your networks and segment them securely from one another; back up all data offsite, encrypted, with at least one copy kept offline so the backups cannot be encrypted along with everything else; and decide in advance how you will handle a ransom demand, including whether and how you would negotiate with attackers. Flesh out chains of communication to notify clients and other relevant parties if ransomware hits your system, and factor their needs into your continuity plans. Coordination and communication are key to a timely and effective response, in which you want not only to mitigate risk and "end" the attack but also to resume critical operations as soon as possible.
4. Remembering the Human
It's worth noting, however, that technical flaws aren't the only way into industrial control systems. Many of the aforementioned attacks (as with most cyberattacks) began with spearphishing campaigns and other forms of social engineering. For this reason, we cannot forget the human when preparing for ransomware attacks against ICS. Train your employees, all of your employees, on safe and secure cyber behavior. Frame issues in ways relevant to their work to increase understanding, maximize retention, and change the notion that security is an inconvenience. Ensure that regular re-training and re-testing programs are in place. Focus on simulations and other forms of gamification, which matter especially for systems whose downtime has direct effects on other organizations, public health, or national security. Build a strong security culture, and positively reinforce good security behavior. Most importantly, remember that cybersecurity is inherently dynamic, so don't assume these steps are perfect or that they won't need to be adjusted over time. Constantly watching for new threat vectors, adapting your education programs, and changing your security policies are just some of the key components of a robust, defense-in-depth posture. Be ready for change whenever it hits, in ransomware form or not.