Colonial & JBS – OT Ransomware Trend Continues


Andrew Ginter

Recent shutdowns of the Colonial Pipeline and of JBS meat packing plants are only the latest evidence of a continuing trend. Ransomware has been responsible for every publicly reported OT shutdown caused by a cyber attack since at least the beginning of 2020. Today's most sophisticated ransomware groups use the tools and techniques that only a few years ago were the sole domain of nation-state adversaries: command-and-control infrastructure, hands-on-keyboard remote operation, credential theft, lateral movement, data theft and, finally, encryption and extortion.

There was a day when owners and operators recognized the power of nation-state attacks but thought to themselves, “yes, but I’m not that important – why would a nation state ever target me?” The answer is now clear: profits.

Multi-million-dollar ransoms are paid routinely by ransomware victims to criminals who use nation-state tools and techniques. Which businesses are today’s targets? Everyone with money.

Abundance of Caution
With rare exceptions, OT shutdowns are not the result of attackers targeting physical operations. Instead, these shutdowns are due either to crippled IT systems that are essential to operations, or to the victim enterprise not being sufficiently confident in the strength of its IT/OT protections. Without such confidence, owners and operators must shut down pipelines and manufacturing systems to prevent the possibility of unacceptable physical consequences. Public disclosures of these shutdowns generally use phrases such as "pre-emptive" or "abundance of caution."

Trends: Offensive & Defensive
Not long ago, the single most common cyber threat to physical operations was accidental shutdowns caused by commodity malware, such as credit-card stealers, carried into a site on USB drives or downloaded into an industrial network directly from the Internet. Today, firewall rules, anti-virus systems, awareness programs and removable-media controls have dramatically reduced the frequency of such incidents. In the last 18 months there were no reports of ransomware using this attack vector.

Instead, ransomware gangs have upped their game. Most ransomware incidents with OT consequences rely on remote control of IT networks. The gangs sometimes use stolen remote-access credentials to log into IT networks directly. More commonly, they seed remote-control tools into Internet-exposed IT networks through email phishing or drive-by downloads. Those tools connect back to a command-and-control server on the Internet, and the attackers operate them manually: they move laterally through the IT network until they find high-value targets, then steal data and trigger encryption.

Are You at Risk?
A straightforward way to determine whether your site is at risk of this kind of OT shutdown is to carry out a desktop (tabletop) drill. Assemble the IT, legal, engineering and operations teams. Tell IT that ransomware has been discovered on their network. How do they identify which machines are affected? Can they determine which credentials have been stolen, and which of those have already been used? Can they tell whether those credentials would let the attack propagate through the IT/OT protections? What happens then?

If the result of the drill is an operations shutdown, or a multi-site shutdown, is that acceptable?

How To Win
Most industrial enterprises regard production shutdowns due to ransomware as unacceptable. The key to preventing ransomware from propagating from IT into OT networks is robust network segmentation:

  • Look hard at your physical operations. What dependencies are there on IT systems? Should those IT systems really become OT systems, and be moved into your OT networks? Or should the data coming out of those IT systems be transmitted pre-emptively into OT networks and cached there – for example, one or two weeks of production orders, quality inspection orders and contract commitments. To survive an IT breach, an OT network must contain all the systems and data that are needed for the network to run independently while IT is down.
  • Look hard at your IT/OT network connections. Corporate firewalls are breached routinely by targeted attacks, and IT/OT firewalls are no more effective than corporate firewalls. While there is a role for firewalls in both IT and OT networks, to develop the confidence we need to keep operations running through an IT breach, we need something stronger than a firewall at the IT/OT interface. Secure sites use Unidirectional Security Gateways.

Waterfall's Unidirectional Gateways are simple. Unlike firewalls, the gateway hardware is physically able to send information in only one direction, from the protected OT network out to the IT network. And unlike firewalls, the gateways do not forward network traffic. Instead, Unidirectional Gateways make copies of servers. The servers most commonly replicated to IT networks are OT relational databases, historian databases and OPC servers. IT users then access the IT replicas simply, normally and bi-directionally, with no connection back into the OT network.
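To make the difference between the two interface designs concrete, here is a small Python simulation added to this post. It is not Waterfall's product code and models no real product. It assumes a toy request protocol ("READ tag" / "WRITE tag=value"), a constructed historian with two tags, and a one-way link modeled as a queue that the OT side can only append to and the IT side can only pop from. The same IT-side requests are sent through a firewall-style forwarder and through a replica, and the code records how many requests reached the OT server in each case.

```python
from collections import deque


def serve(points: dict, request: str) -> str:
    """Tiny request protocol shared by the real historian and its replica.
    Format is constructed for this example: 'READ tag' / 'WRITE tag=value'."""
    cmd, _, arg = request.partition(" ")
    if cmd == "READ":
        return str(points.get(arg, "NaN"))
    if cmd == "WRITE":
        tag, _, value = arg.partition("=")
        points[tag] = float(value)
        return "OK"
    return "ERR"


class OtHistorian:
    """OT-side server. Every request it handles is attack surface: a WRITE
    that reaches it changes process data."""
    def __init__(self, points: dict):
        self.points = points
        self.requests_seen = []          # audit trail of what reached OT

    def handle(self, request: str) -> str:
        self.requests_seen.append(request)
        return serve(self.points, request)


class FirewallProxy:
    """Firewall-style interface: IT requests matching a rule are forwarded
    to the real OT server, so protection depends on the rule set."""
    def __init__(self, ot: OtHistorian, allowed_cmds):
        self.ot, self.allowed_cmds = ot, set(allowed_cmds)

    def query(self, request: str) -> str:
        if request.partition(" ")[0] not in self.allowed_cmds:
            return "BLOCKED"
        return self.ot.handle(request)


class OneWayLink:
    """Model of send-only hardware: OT can only append, IT can only pop.
    There is deliberately no call that carries data from IT toward OT."""
    def __init__(self):
        self._fifo = deque()

    def tx(self, frame):                 # OT side only
        self._fifo.append(frame)

    def rx(self):                        # IT side only
        return self._fifo.popleft() if self._fifo else None


def ot_snapshot(ot: OtHistorian, link: OneWayLink) -> None:
    """OT-side gateway software: read the historian locally, push copies out."""
    for tag, value in ot.points.items():
        link.tx((tag, value))


class ItReplica:
    """IT-side replica: rebuilt from received frames and queried locally.
    Requests never reach OT; a WRITE alters only the replica."""
    def __init__(self, link: OneWayLink):
        self.link, self.points = link, {}

    def receive(self) -> int:
        n = 0
        while (frame := self.link.rx()) is not None:
            self.points[frame[0]] = frame[1]
            n += 1
        return n

    def query(self, request: str) -> str:
        return serve(self.points, request)


def compare_designs() -> dict:
    """Send the same IT-side requests through both designs and report what
    reached OT. Tag names and values are constructed sample data."""
    r = {}
    # Design 1: firewall allowing only READ at first.
    ot_fw = OtHistorian({"flow": 812.5, "setpoint": 800.0})
    fw = FirewallProxy(ot_fw, ["READ"])
    r["fw_read"] = fw.query("READ flow")
    r["fw_write_blocked"] = fw.query("WRITE setpoint=0")
    fw.allowed_cmds.add("WRITE")         # one rule change, e.g. during troubleshooting
    r["fw_write_after_rule_change"] = fw.query("WRITE setpoint=0")
    r["fw_ot_setpoint"] = ot_fw.points["setpoint"]
    r["fw_requests_reaching_ot"] = len(ot_fw.requests_seen)

    # Design 2: one-way link feeding a replica.
    ot_uni = OtHistorian({"flow": 812.5, "setpoint": 800.0})
    link = OneWayLink()
    ot_snapshot(ot_uni, link)
    replica = ItReplica(link)
    r["frames_replicated"] = replica.receive()
    r["uni_read"] = replica.query("READ flow")
    r["uni_write"] = replica.query("WRITE setpoint=0")   # changes the replica only
    r["uni_ot_setpoint"] = ot_uni.points["setpoint"]
    r["uni_requests_reaching_ot"] = len(ot_uni.requests_seen)
    return r


if __name__ == "__main__":
    for key, value in compare_designs().items():
        print(f"{key}: {value}")
```

Run it and compare the two counts: with the firewall every permitted request reaches the OT historian, and a single rule change lets the WRITE through and changes the setpoint; with the replica no request reaches OT at all, and the WRITE alters only the IT-side copy. Two caveats the model makes visible: the replica is only as fresh as the last snapshot pushed over the link, and an attacker on the IT side can still tamper with or destroy the replica, so the design protects OT, not the IT users' view of OT data.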

Note: practitioners accustomed to firewalls should not be surprised to learn that anti-virus systems and secure remote access are both available for unidirectionally protected OT networks. After all, Waterfall's Unidirectional Gateways are used routinely at pipelines, power plants, manufacturing facilities and many other industrial sites all over the world. All the usual business needs have unidirectional solutions.

Don’t Mitigate, Eliminate
Waterfall's Unidirectional Gateways do not mitigate the risk of targeted attacks; the gateways eliminate these risks. Mitigations are defined as attempts to reduce the likelihood or consequences of cyber attacks. Waterfall's Unidirectional Gateways physically prevent any network message, and therefore any attack carried in one, from entering protected OT networks. When there is no way for online attack information to enter an OT network, there is no risk of online attacks moving through IT into that network. That risk no longer exists. Other paths into OT, such as removable media and transient laptops, are a separate matter and still need the controls described earlier.

Eliminating risk with unhackable safeguards is an approach to risk management that is unique to OT systems. For example, Security PHA Review explains how to eliminate OT cyber risks to safety systems with unhackable physical protections. Consequence-Driven, Cyber-Informed Engineering explains how to eliminate OT cyber risks to physical equipment with unhackable digital protections. Secure Operations Technology (SEC-OT) explains how to eliminate OT cyber risks to continuous operations with unhackable unidirectional and other physical protections. Eliminating OT cyber risk in these ways is more robust than cybersecurity mitigations, and it also reduces the cost and complexity of OT cybersecurity programs.

Ahead Of the Trend
The ransomware trend shows every indication of worsening in the years ahead. Profitability is driving steadily increased sophistication in criminal tools and techniques. Trying to mitigate these risks with firewalls and intrusion detection systems is a cat-and-mouse game – every year, the mitigations get a little cleverer, but so do the attacks.

To get ahead of ransomware risks to OT networks, don’t mitigate cyber risks, eliminate them with Waterfall’s Unidirectional Security Gateways.

To learn more about Waterfall’s unidirectional protections, or to explore how your OT network designs can benefit from eliminating the risk of targeted attacks, please contact Waterfall for a free consultation with a unidirectional solutions architect.

Read Waterfall’s special coverage of the Colonial Pipeline cyber attack

Dig Deeper – Download the “Firewalls VS Unidirectional Gateways” ebook here
