
Thu, Feb 9

How to Defend OT Environments Against Shifting Ransomware Adversaries

Co-authored by Daniel dos Santos

Recent ransomware attacks by LockBit demonstrate how the boundaries between IT and OT environments continue to dissolve. The bigger picture is that the boundaries between ransomware families, nation-state actors and hacktivists are increasingly intersecting as OT environments are targeted in attacks. In the last few weeks, the ransomware gang attacked the Housing Authority of the City of Los Angeles, executed a ransomware attack on the Port of Lisbon, and even attacked Toronto’s Hospital for Sick Children.

Ransomware families like LockBit continue to attack with impunity, though often with a slightly different approach for critical infrastructure targets: instead of encrypting data and holding it hostage, these organizations threaten to leak it unless their demands are met.

For these threat actors, the change in operating procedures is an effort to stay under the radar. The Colonial Pipeline attack received global attention, increasing awareness of such attacks. This new methodology focuses on exfiltration and extortion instead of encryption but still puts critical infrastructure operators at heightened risk for disruption.

Multi-Phase Attacks

The ransomware attackers do not want the data for themselves. If their demands are not met, they will either publish that information or sell it to other hackers or hacking organizations, who will then continue the attack.

OT attacks by these other hackers likely involve data such as process diagrams, engineering documentation or process values. An attacker can use that data to cause physical disruption instead of seeking only financial gain. The hackers going after this information are often nation-state actors, but hacktivists targeting OT are on the rise.

Sophisticated malware developed by state-sponsored actors to cause physical disruption, such as Stuxnet, Industroyer and Triton, is typically developed after a lengthy period of reconnaissance and intelligence gathering. This step may be facilitated by these leaks if the necessary data has already been exfiltrated by a ransomware group. Likewise, less sophisticated threat actors – such as hacktivists – may be able to pursue similar targets by capitalizing on these sorts of leaks.

Technology components attacked include PLCs, SCADA systems, engineering workstations and data historians that run Windows and are often connected to enterprise networks. Those networks have other types of valuable data, such as password sheets, network diagrams and sensitive business information.

Determining Motivation

To stop these types of attacks, we must first understand the hackers’ incentive. Many companies have implemented backups to restore systems that have been encrypted by ransomware attacks, so attackers are also using this new approach to ensure their financial success. Beyond financial gain, threat actors may want to cause physical disruption, commit corporate espionage, steal intellectual property, or “send a message” based on their political motivations.

Cybersecurity solutions today exist not only to protect an organization from nation-state actors and threat actors with those agendas, but also against hacktivists and anyone seeking media presence or seeking to make a statement for their cause. For instance, environmental hacktivists targeted mining and oil companies in Central and South America last year. Their modus operandi at the time was to exfiltrate sensitive emails to argue their case, but they could also start going after OT assets in these organizations in 2023, leveraging data made available by previous attackers.

The types of attackers that use each data type are probably different, so their motivations often quickly emerge. Determining these motivations may help determine a proper risk management strategy. In the case of data exfiltration, most responses will come too late. These types of attacks need a proactive risk reduction and mitigation strategy, so that the attack either does not succeed in the first place or is automatically stopped as soon as possible. By contrast, the response to basic encryption attacks could be to improve backup and restore procedures so that operations can be restored as quickly as possible.

Preparation and Response

It is imperative that asset owners and critical infrastructure operators protect against these data exfiltration and multi-phase types of attacks. However, that can be difficult as the threat landscape continues to shift. Operational technology offers unique challenges, such as proprietary protocols and many systems that were created before the idea of connected networks, which are only now being exploited by threat actors.

To properly prepare, organizational technology leaders must agree on a singular mindset and outline similar language, priorities, and KPIs. There also needs to be increased collaboration between stakeholders with different backgrounds, such as IT and OT teams.

These challenges have only grown in recent years due to the cyber skills shortage. As a result, ransomware threat actors can exfiltrate data without triggering incident response measures. Many organizations do not realize until after an attack – sometimes months after – that they’ve become victims. That is, of course, if an incident is ever found.

So how do you stay safe?

Many leading critical infrastructure operators have started to maintain asset inventories of all devices, including specialized OT and IoT assets. This provides insight into the asset baselines, their risks and their compliance status. But that isn’t enough to stop or even detect the newest cyberattacks. Actions need to be taken to remediate and mitigate the risks. This can be particularly challenging in OT environments, where patching or adding extra segmentation often must be postponed until safety and production conditions allow it.

To keep pace with emerging cyber risks, critical infrastructure organizations have started to continuously monitor their OT assets and network communications to identify any changes in behavior before they lead to an incident. Organizations that struggle to set up OT security practices can leverage external security services for analysis and threat hunting. Given the specifics of OT, it proves helpful to have experts that can operate as an extension of your OT and security team to monitor this critical area. When issues rise to a certain level, the threat hunting experts can bring them to your attention along with recommended containment and remediation guidance.
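One way to operationalize the inventory-plus-monitoring approach described above, as an added example that is not from the article or any vendor's product: a small Python check that compares a window of flow records against an asset inventory and a baseline of expected conversations, flagging unknown talkers on the OT subnet, conversations between known assets that were never seen before, and bulk egress from an OT host (the data-exfiltration pattern the article describes). The inventory, baseline, addresses, threshold and flow records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed asset inventory (OT IP -> role); assumed values, not real data.
INVENTORY = {
    "10.10.1.10": "engineering-workstation",
    "10.10.1.20": "historian",
    "10.10.2.5": "plc",
    "10.10.2.6": "plc",
}
# Baseline conversations (src, dst, dst_port) learned during a quiet period:
# Modbus/TCP (502) polling of the PLCs by the engineering workstation and historian.
BASELINE = {
    ("10.10.1.10", "10.10.2.5", 502), ("10.10.1.10", "10.10.2.6", 502),
    ("10.10.1.20", "10.10.2.5", 502), ("10.10.1.20", "10.10.2.6", 502),
}
EGRESS_THRESHOLD = 5_000_000  # bytes one OT host may send outside OT per window (assumed)

def in_ot_subnet(ip):
    return ip.startswith("10.10.")  # constructed OT address range

def analyse_flows(flows, inventory=INVENTORY, baseline=BASELINE,
                  threshold=EGRESS_THRESHOLD):
    """Return (kind, detail) findings for flows {"src","dst","dport","bytes_out"}:
    new_asset   - OT-subnet talker missing from the asset inventory
    new_flow    - conversation between known assets that is not in the baseline
    bulk_egress - known asset sent more than `threshold` bytes out of OT"""
    findings, seen_assets, egress = [], set(), defaultdict(int)
    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        for ip in (src, dst):
            if in_ot_subnet(ip) and ip not in inventory and ip not in seen_assets:
                seen_assets.add(ip)
                findings.append(("new_asset", ip))
        if src in inventory and dst in inventory and (src, dst, dport) not in baseline:
            findings.append(("new_flow", f"{src}->{dst}:{dport}"))
        if src in inventory and not in_ot_subnet(dst):
            egress[src] += f["bytes_out"]  # candidate exfiltration volume
    for ip, total in sorted(egress.items()):
        if total > threshold:
            findings.append(("bulk_egress", f"{ip} sent {total} bytes out of OT"))
    return findings

# Constructed window: normal polling, an unknown device talking to a PLC,
# a PLC-to-PLC flow absent from the baseline, and the historian pushing 12 MB out.
SAMPLE_FLOWS = [
    {"src": "10.10.1.10", "dst": "10.10.2.5", "dport": 502, "bytes_out": 4_000},
    {"src": "10.10.1.20", "dst": "10.10.2.6", "dport": 502, "bytes_out": 6_000},
    {"src": "10.10.3.99", "dst": "10.10.2.5", "dport": 502, "bytes_out": 1_200},
    {"src": "10.10.2.5", "dst": "10.10.2.6", "dport": 502, "bytes_out": 900},
    {"src": "10.10.1.20", "dst": "203.0.113.7", "dport": 443, "bytes_out": 12_000_000},
]
```

Running `analyse_flows(SAMPLE_FLOWS)` yields one finding of each kind; in practice the baseline would be learned from a passive capture and reviewed with the OT team before being enforced.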

Organizations should also look to conduct human-led threat-hunting exercises to help further reduce cyber risk. Knowing what to look for and understanding the motivations can greatly reduce the chance of success for threat actors.

The Road Forward

Data exfiltration attacks on OT of this kind grew in 2022 and will continue this year. Now is the time to address this change and ensure your data remains safe.

Awareness of your organization’s operations and systems is more important than ever, which means taking a proactive approach to asset inventory, continuous monitoring and defense and improving collaboration between IT and OT teams.

Companies with the resources and SOC/incident response teams should proactively monitor their security perimeter and look into data leakage cases. They should know what is happening in the cyber world and look beyond their own environment. Knowing these threats can allow organizations to prioritize security resources, work in concert with others facing the same threats, and ensure the ongoing protection of their data.
