In this exclusive Q&A, Tony Atkins, Account Manager at Dragos, discusses ransomware attacks targeting Critical National Infrastructure (CNI) across the globe in the last year, as well as the technologies available to mitigate any future risk.
What does the current state of critical infrastructure security look like within the UK and US?
I have been working in the industrial cybersecurity space for over twelve years, and despite some of the scaremongering headlines we’ve seen recently, I would actually say things have improved.
In the last few years, we have witnessed serious attacks on critical national infrastructure (CNI), including Colonial Pipeline and the attacks on Ukraine’s power grid. These incidents have raised awareness of the impact of cyberattacks on CNI and have highlighted the increasing risk cyber adversaries pose.
In the mid-2000s, the North American Electric Reliability Corporation (NERC) worked to reduce the risk of compromise to the reliability of bulk electric systems and introduced the Critical Infrastructure Protection (CIP) standard. In 2019, NERC announced the first-ever public CIP fine of $10 million, covering 127 separate violations across an organisation.
By contrast, in the UK the Network and Information Systems (NIS) Directive didn’t become law until 2018, with the aim of improving cyber security and resilience of key systems within operators of essential services, such as the electrical sector.
The US has a 10+ year lead on the UK in this regard. More recently, the Biden Administration’s 100-day plan for power grid cybersecurity advanced further improvements to protect the electric sector. Such initiatives have yet to be seen from the UK government.
Generally, there has been an underinvestment in operational technology security, and US officials have largely pushed organisations to focus on measures to prevent attacks. This approach has left gaps in some organisations’ ability to detect and respond to successful hacks; these same approaches and gaps can be found in some UK organisations.
As we have seen with the rise in ransomware attacks that have impacted operations, often the attacked company cannot detect with confidence if the event has crossed over to the OT environment, so they are left with no alternative but to disconnect it.
The rise in threat actor behaviour and associated incidents has raised awareness of cyberattacks on CNI and made it a priority for executives and management teams. Risk exposure has always driven investment within the CNI sector but has often been difficult to quantify utilising the calculation Risk = Likelihood x Impact, as the probability of OT cyber security events was historically considered low. However, this is changing as a result of well-publicised attacks on CNI.
The impacts of incidents are also becoming clearer though, as detailed in a recent Ponemon Institute report sponsored by Dragos, in which one-third of respondents admitted that their organisation was hit by ransomware in the past two years. More than half of these organisations said they had paid an average ransom of more than $500,000. Some organisations reported paying more than $2 million.
It is also important to remember that traditionally operational technology (OT) was wrongly perceived to be protected by the same people, processes, and technology as those utilised for IT security. It is now understood that OT cybersecurity requires a different approach and that attacks on OT can have physical consequences.
All these factors have raised awareness of cyberattacks on CNI and made it a priority for executives and management teams, and we are seeing more and more board executives interested in OT security and wanting to understand their risk exposure. However, there is still a lot to be done. I believe that assuming you will be breached and preparing for attacks is key. When organisations increase their visibility into their OT systems, have good OT vulnerability management, and practice incident response for different attack scenarios, they have a much better chance of coming out safely and minimising the business impact. Attacks are inevitable today, so executives need to invest in preparedness along with capabilities to detect and respond.
In your opinion, what are the most vulnerable industries to cyber attacks?
I would say all organisations are at risk of cyberattack today. Whether attackers are successful is related to the security maturity of the organisation. When organisations have good visibility and prepare for attacks, they are better prepared to navigate their way through them successfully. However, when organisations are not prepared, they can stand to lose everything.
Attacks on CNI can have immense impact on society and civilians, from impacting the supply of essential services to even putting people’s lives in danger. This means security of these organisations needs to be of the highest priority.
When considering the security of these environments, security teams must take a consequence-driven approach, understanding what assets are the crown jewels and what operational processes are mission critical to the organisation. From our Threat Operations Centre (TOC) customer engagements over recent years, applying the following recommendations improves an organisation’s industrial control systems (ICS) risk exposure to a cyberattack:
- Increase OT network visibility
- Identify and prioritise crown jewels
- Boost incident response capabilities
- Validate network segmentation
- Separate IT and OT credential management
How can future ransomware attacks be avoided for situations like the Colonial Pipeline?
Pipelines are critical to the entire energy supply chain, ranging from bringing raw crude oil and other products to refineries and plants, to providing final product delivery to end-users and customers. When a pipeline disruption happens, the cascading effects can be witnessed with operational plants curtailing production as feed tank levels drop and finished product tank levels rise to maximum capacity, ultimately resulting in plants shutting down. Terminal supply tanks are drained of their limited resources and are no longer able to meet customer demand. Results can include escalating fuel prices or complete fuel outages, disrupting transportation and societal norms.
It’s okay to get attacked; it’s not okay to not have a plan for when it happens. Industrial networks are far more connected than they ever have been, and we haven’t historically invested in their cybersecurity as much. As a community we have a long road ahead of us. We must focus not just on protecting our infrastructure but also on assuming those protections will sometimes fail. And we must educate our peers, policymakers, and local communities. Monitoring the crown jewels of an organisation should be a top priority. Security teams should also know what the most relevant logs are, where they are kept, and how long they are available – a must-have when responding to attacks. Experts also advise installing network monitoring across internal OT networks for visibility into IT/OT connections.
Regarding Dragos’ announcement that it is further expanding in the UK – how will the company deliver ICS/OT cybersecurity solutions across the region?
Foundational to our expansion in the UK is our mission of safeguarding civilisation.
We have come to the market with the leading OT/ICS cybersecurity platform and our practitioner-led approach. We plan to grow our connections with the community through sharing and education. For example, sharing our lessons learnt from customer engagements throughout the preparedness cycle – Plan, Organise & Equip, Train, Exercise and Evaluate/Improve. This will all be made available through our blogs, webinars, events, white papers, and Year in Review reports.
We also want to educate organisations on the threat landscape, so they understand the attacks they are facing and have the insight needed to defend against them. As part of this, we need to educate around threat actor tactics, techniques, and procedures (TTPs) so they can anticipate the next moves attackers may make, while understanding the threats and vulnerabilities that are most relevant within industrial environments.
We want to help to upskill the UK OT cyber community, whilst encouraging organisations to adopt best practice so that OT cyber security is a cultural business norm and enabler for safe and secure operations – akin to how the operational safety culture has developed over the last 20 years or so.
Our recent Ponemon Institute report also highlighted that forty percent of organisations listed training for OT and ICS cybersecurity skills among their top three investment priorities for ICS and OT cybersecurity in 2021. We have recently launched the Dragos Academy to strengthen the industrial community’s cybersecurity skills and help close the IT-OT skills gap.
With COVID driving working from home (WFH), the increase in hyper connectivity and the drive to support digital transformation within industrial organisations, we want to help ensure that these changes drive operational excellence, but do not compromise security, particularly at a time when the threat landscape and number of threat actor groups specifically targeting ICS/OT is increasing.
We also want to engage and collaborate with our existing and new ecosystem partners to ensure holistic OT security approaches are implemented within industrial organisations. Our Ponemon report also highlighted the cultural divide between IT and OT teams, which blocks 65% of organisations from having a unified cybersecurity strategy.
We will also be bringing on board new local talent to help support and develop our product and service offerings.
In terms of protecting CNI from more ransomware attacks, what do you predict for 2022?
In a Ponemon Institute report sponsored by Dragos, one-third of organisations reported that their organisation was hit by ransomware in the past two years, and more than half of these organisations said they had paid an average ransom of more than $500,000. Some organisations reported paying more than $2 million. These costs don’t include the opportunity costs of lost production. It is far cheaper to prevent an attack than it is to recover from one. Organisations therefore need to be equipped with the right resources, skills, and technology to be able to protect their industrial infrastructure effectively.
Many companies have underinvested in operational technology security, leaving gaps in some businesses’ ability to detect and respond to successful hacks. Further, action needs to come from the top down. Boards of directors and government policy groups need to start putting pressure on the operators – whether they’re state operators, quasi-state operations, or completely private operations – to do something. This has already started in the United States, as President Biden has ordered CISA and NIST to develop cybersecurity performance goals for critical infrastructure.
In the meantime, it’s vital that organisations running industrial systems understand their networks, the potential security vulnerabilities they might contain, and who has authorisation to access what. This is key to preventing attackers from gaining access to the network in the first place, or to detecting unauthorised access as quickly as possible.
Recommended best practices include:
- Review existing segmentation and preventative controls that may have atrophied over time; achieving ICS network monitoring and visibility will allow consistent validation of the preventive controls and make them more robust.
- Incorporate network monitoring across the internal OT networks to provide continual visibility into these cross IT/OT connections. Ingress/Egress monitoring is important, but due to the nature of ICS, it is vital to achieve “East-West” traffic analysis.
- Identify shared systems or infrastructure on the IT side that could allow an adversarial group to pivot and deploy ransomware to the OT side. This includes shared Active Directory between IT/OT or potentially insecure protocols, such as SMB, FTP, RDP, VNC, with direct IT/OT access.
- Review data flows of critical business system applications reliant on OT communications and document them. This may include historians, SAP, or other enterprise resource planning (ERP) systems. Ensure they are understood, risk assessed and included in both the business continuity and disaster recovery plans.
- Engage firms with OT/ICS incident response experience if internal resources are not trained or readily available. Ensure that incident response plans are current, and conduct tabletop exercises (TTX) to rehearse those plans that include both IT and OT staff.
- Ensure backups are being performed across critical OT systems, such as data historians, SCADA servers, and their databases. This also includes PLC/RTU project files, which may be absent from conventional backup systems. Periodically test the backups and ensure there is an offline copy in the event that an online system becomes encrypted from ransomware.
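The second and third recommendations above (East-West OT traffic analysis, and spotting insecure protocols such as SMB, FTP, RDP and VNC with direct IT/OT access) can be turned into a simple audit over flow records. The following is an added example written for this page; it is not Dragos code or output from any Dragos product. The IT and OT subnets, the CSV flow layout and the sample flow lines are all constructed assumptions, and a real deployment would feed it records from a span port, NetFlow collector or the OT monitoring platform in use.

```python
"""Flag insecure IT/OT boundary crossings and east-west OT protocol use.

Constructed example: the zone subnets, the flow record layout and the
sample records below are illustrative assumptions, not data from any
real environment or product.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed zone definitions (placeholder address ranges).
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.100.0/24"),
           ipaddress.ip_network("192.168.101.0/24")]

# TCP ports of the protocols the interview names as potentially insecure
# when reachable directly across the IT/OT boundary.
INSECURE_PORTS = {21: "FTP", 445: "SMB", 3389: "RDP", 5900: "VNC"}


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    protocol: str
    category: str  # "it-to-ot", "ot-to-it" or "ot-east-west"


def zone_of(ip: str) -> str:
    """Return 'IT', 'OT' or 'UNKNOWN' for an address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in IT_NETS):
        return "IT"
    if any(addr in net for net in OT_NETS):
        return "OT"
    return "UNKNOWN"


def parse_flow(line: str) -> Tuple[str, str, int, str]:
    """Parse one 'src_ip, dst_ip, dst_port, transport' record (assumed layout)."""
    src, dst, port, transport = (field.strip() for field in line.split(","))
    return src, dst, int(port), transport.lower()


def audit_flows(lines: List[str]) -> List[Finding]:
    """Return a finding for every TCP flow that uses one of the insecure
    protocols and either crosses the IT/OT boundary or moves east-west
    inside OT.  Comment lines, blank lines, non-TCP flows, other ports and
    flows touching an unknown zone are skipped."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, port, transport = parse_flow(line)
        if transport != "tcp" or port not in INSECURE_PORTS:
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == "IT" and dst_zone == "OT":
            category = "it-to-ot"
        elif src_zone == "OT" and dst_zone == "IT":
            category = "ot-to-it"
        elif src_zone == "OT" and dst_zone == "OT":
            category = "ot-east-west"
        else:
            continue
        findings.append(Finding(src, dst, port, INSECURE_PORTS[port], category))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, for a quick segmentation health check."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


# Constructed sample flow records (not captured from a real network).
SAMPLE_FLOWS = [
    "# src_ip, dst_ip, dst_port, transport",
    "10.10.5.23, 192.168.100.10, 445, tcp",       # IT workstation -> OT historian over SMB
    "10.10.5.23, 192.168.100.10, 443, tcp",       # HTTPS to the same host: not flagged
    "192.168.100.10, 192.168.101.20, 3389, tcp",  # RDP between two OT segments (east-west)
    "192.168.101.20, 192.168.101.21, 502, tcp",   # Modbus/TCP inside OT: out of scope here
    "192.168.100.10, 10.10.20.5, 21, tcp",        # OT host pushing to an IT FTP server
    "172.16.9.9, 192.168.100.10, 5900, tcp",      # source in neither zone: skipped
    "10.10.5.24, 192.168.100.11, 5900, udp",      # non-TCP: skipped
]

if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"{f.category:12} {f.src} -> {f.dst}:{f.port} ({f.protocol})")
    print(summarize(results))
```

Run against the sample records it reports three flows: the SMB session from IT into OT, the RDP hop between OT segments, and the FTP transfer from OT back to IT. Each is a candidate for the segmentation review and the shared-infrastructure inventory the list describes, while the Modbus/TCP traffic is left alone because the point here is IT-style services reaching across or within OT, not the control protocols themselves.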