Snake Hits Honda

Sophisticated, targeted ransomware is the new normal

Honda shut down a number of manufacturing facilities on Monday June 8, 2020, with most, but not all facilities back up again Tuesday. The (unconfirmed) cause appears to be an infestation by the “Snake” ransomware, identified by Dragos as targeting industrial control systems. The ransomware is reported to have been modified to target Honda specifically.

What does this mean for industrial cybersecurity? Today’s targeted ransomware attacks are using tools and techniques that five years ago were the sole domain of nation-state actors. Back then, and even today, I heard/hear a lot of people saying “Yes, but why would a nation-state target us?” Surprise – last decade’s nation-state attack techniques are today’s new normal – the pervasive Internet-based threat environment we all live in. I predict that today’s nation-state attack technologies and techniques will be the new normal threat environment for industrial security sites in no more than another half decade.

Ransomware is evolving constantly, because it has proved to be very lucrative. Modern ransomware is professionally written and professionally executed – just like today’s nation-state attacks. The bad news: while it is reasonable to expect our governments and militaries to protect us from the most sophisticated physical assaults by nation-states, the same is not true in the cyber domain. Government programs are too slow to catch these attacks – for details see my last article in Threatpost.

The good news: industrial sites can themselves deploy simple, practical defences to defeat even sophisticated, network-based, nation-state assaults. The technology is called a Unidirectional Security Gateway. The methodology is called Secure Operations Technology (SEC-OT). With SEC-OT-class protections in place, private industry can routinely defeat fast-moving cyber assaults, even assaults of nation-state-grade sophistication. And we can then call on our governments to help us address residual risks – sophisticated conspiracies and other slow-moving risks that governments are much better than private industry at addressing.

The time has come to look ahead to the future of industrial security – what are today’s “nobody would ever do that to me” class of threat are tomorrow’s pervasive targeted ransomware. We should not be using the “whack-a-mole” model for cybersecurity – madly trying to address new threats as they pop up. All cyber attacks are information – this is what “cyber” means. This will always be true. If we put robust, physical controls over the movement of information in place, then we defeat online cyber attacks, no matter how sophisticated they are, both today in the future.

For more information on the technologies and methods of the world’s most secure industrial sites, you can request a free copy of my latest book on SEC-OT, courtesy of Waterfall Security Solutions.

Andrew Ginter
Newsletter Signup