Minimize the Impact of a Ransomware Attack

This is our monthly blog detailing best practices for OT cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program.

The Category and Practice from the OT-CERT OT Cybersecurity Fundamentals Self-Assessment Survey is noted for each best practice. Hopefully, you filled out the survey and identified your gaps – these best practices can be implemented to begin to address those gaps. If not, there’s no time like the present – join OT-CERT and get started today!

Larger Organizations Take Note

If you have been increasing your security posture and reduced risk of a significant cyber-attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber-attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers!

Should you pay the ransom if your OT environment is brought down by a ransomware attack?

Categories

Best Practices

Operational Resiliency

Cybersecurity Incident Response

Cybersecurity Program Management

You should prepare in advance and take all practical measures to prevent a ransomware attack or minimize the impact should you be compromised. However, ransomware risk continues to increase, so it is important to prepare for the worst. That includes discussing this very complex issue with your leadership and legal counsel: if we are hit with ransomware, will we pay the ransom? See below for questions you need to consider before making that final decision.

Dragos OT-CERT Recommendation:
If you are the victim of a ransomware attack, your first objective should be to try to recover without paying the ransom. However, cyber attacks in OT environments are much more difficult to recover from than in IT due to the complexity of the OT environment. We suggest that you hold a tabletop exercise with your organization’s leadership and legal counsel to discuss the issues below so they are prepared ahead of an actual event. These issues are not straightforward and require careful thought, investigation, and consideration from many of your leaders.

What are the current legal and regulatory issues you need to consider? These are dynamic issues, so it is important that your legal / compliance leader obtains up-to-date information and identifies sources of expertise for quick contact in the event of an actual attack. One specific source to check is the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), regarding sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks.

Would we contact law enforcement, and if so, who? Law enforcement can provide expertise to assist you in incident response efforts and provide up-to-date information on legal and regulatory requirements. Your legal and leadership team will need to decide whether they want to make that call. We recommend developing relationships with law enforcement ahead of time – local, state, and federal – so that you can discuss the issue ahead of time, gain their perspective, and hear about how they have worked with other organizations like yours.

Do we know how to purchase cryptocurrency? Your finance and legal leadership will need to investigate this issue.

If we pay the ransom, will they attack us again? Many cyber-criminal enterprises realize that if they attack a victim again after they pay the ransom, word will spread, and future victims will be less likely to pay. Therefore, many threat groups will not attack a victim a second time. However, if you do not remediate the vulnerability or security gap that was exploited, it is possible that a different threat group will discover and exploit the same vulnerability. Therefore, it is important to perform a forensic investigation to fully understand what happened and how to ensure you are protected against a repeat attack.

What should we do in preparation for an event like this? A few things that organizations can do to prepare are as follows:

Make backup copies of your critical configuration files and store a copy offline.
The backups should include key files that you would need to rebuild if you can’t recover your data, such as configuration files and installation files. Consider capturing license files or numbers, product versions, and vendor contact information. Typical ICS/OT specific applications that could be impacted by ransomware may include Human Machine Interface (HMI) applications, Operator Interface Terminals (OIT) applications, alarming applications, reporting applications, historian applications, PLCs, and other ICS device programming applications, network and security device configurations, and similar files for any other critical assets or applications in the environment.
Test those backups periodically to verify that a system can be successfully rebuilt from them.
Document and test emergency operating procedures for maintaining or conducting safe shutdown operations in the event of a ransomware attack.

If you are a small organization and don’t have staff to perform the above tasks, leverage engineering consultants and systems integrators to capture the correct backup files and test the rebuild procedures using the backup files.

Finally, we recommend that you conduct tabletop exercises and design the scenarios to impact ICS/OT specific devices, such as HMIs. This will ensure the operations team thinks through what their operational response would be if they lost the ability to view and control their processes from the HMI. As a result, you should understand what steps those emergency operating procedures should include, document them, and validate them through additional exercises.

It is also important that your tabletop exercise specifically tests whether you know who to call regarding a potential cyber incident – including internal or external IT support – and exercise that call chain.

Stay Up to Date with Resources for SMBs: Join Dragos OT-CERT Today!

Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / OT / industrial control systems (ICS) cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and globally available to OT asset owners and operators. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practice blogs, assessment toolkits, tabletop exercises and more.

Currently available resources include:

OT Cybersecurity Fundamentals Self-Assessment Survey
OT Asset Management Toolkit
Self-Service OT Ransomware Tabletop Exercise Toolkit
Collection Management Framework for incident response
Access to an introductory ICS/OT cybersecurity course

In the coming months, we will provide OT-CERT members with resources for incident response, specifically an incident response plan toolkit and OT backups guidance.

If you haven’t joined Dragos OT-CERT don’t delay! Membership is open to organizations that own or operate a manufacturing / ICS / OT environment. Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link. We look forward to working with you to safeguard civilization!

< class="inline-cta__header heading--5">Apply for Dragos OT-CERT Membership Join Today