A new development in malware threats is ransomware that threatens OT security and aims to disrupt OT systems. For example, we recently wrote about the Snake file-encrypting ransomware, which is similar to the earlier Megacortex malware. Both threats include code that specifically attempts to kill the software processes that manage OT networks, and both have the explicit goal of causing process disruption.
In the past, direct attempts to target machinery or industrial processes have been advanced threats (Stuxnet, Duqu, Flame) attributed to nation-state attackers. Now, we’re seeing simple, crude examples of ransomware that could have a significant impact on OT networks.
Ransomware Disrupts Natural Gas Compression Facility
A case in point is a cyberattack against a natural gas compression facility that occurred this month. The method of entry was spear phishing, used to obtain access to the IT network. Then, due to inadequate segregation between the networks, the attackers managed to pivot into the OT network. Once that happened, the attackers deployed a strain of ransomware on both networks, causing the operator to lose visibility into their OT network.
While there was no impact to the control of operations, the victim had to temporarily suspend operations, resulting in loss of production and revenue.
How to Reduce Risk from OT Ransomware
Asset owners can reduce their exposure to this type of attack by:
- Prioritizing robust segmentation between IT and OT networks with firewall rules that consider the requirements of each zone
- Training users to identify possible spear phishing messages, not click them, and report them to cybersecurity staff
- Training users not to visit malicious websites
- Checking that public services are configured properly
- Using a tool that provides visibility into networks and systems and identifies unpatched services, making it easy for administrators to shut down avenues that provide an initial foothold into a network
- Requiring multi-factor authentication for remote access to networks
- Subscribing to a service that provides ongoing threat intelligence updates
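One way to check the segmentation recommendation above, as an added example that is not from the original article: a short Python audit that flags firewall allow rules crossing zone boundaries outside an approved set of conduits. The zone ranges, rule set, ports and the `audit` function are all constructed for illustration, and rule order and shadowing are not evaluated.

```python
import ipaddress

# Constructed zone map (assumption): one CIDR per zone.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed policy: (src_zone, dst_zone) -> destination ports the site approved.
# Any zone pair missing here (e.g. IT -> OT) has no approved conduit at all.
APPROVED = {
    ("IT", "DMZ"): {443},
    ("DMZ", "OT"): {4840},
    ("OT", "DMZ"): {443},
}

# Constructed rule export; a real audit would load this from the firewall.
RULES = [
    {"id": 1, "src": "10.10.0.0/16", "dst": "10.20.0.5/32", "port": 443, "action": "allow"},
    {"id": 2, "src": "10.20.0.5/32", "dst": "10.30.1.0/24", "port": 4840, "action": "allow"},
    {"id": 3, "src": "10.10.4.0/24", "dst": "10.30.1.10/32", "port": 3389, "action": "allow"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "10.30.0.0/16", "port": 445, "action": "allow"},
    {"id": 5, "src": "10.10.0.0/16", "dst": "10.30.0.0/16", "port": 445, "action": "deny"},
]

def audit(rules, zones, approved):
    """Return (rule_id, src_zone, dst_zone, port) for every allow rule that
    lets traffic cross between two zones on a port with no approved conduit."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        for src_zone, src_net in zones.items():
            for dst_zone, dst_net in zones.items():
                if src_zone == dst_zone:
                    continue  # intra-zone traffic is out of scope here
                # overlaps() also catches broad rules such as 0.0.0.0/0
                if src.overlaps(src_net) and dst.overlaps(dst_net):
                    if rule["port"] not in approved.get((src_zone, dst_zone), set()):
                        findings.append((rule["id"], src_zone, dst_zone, rule["port"]))
    return findings

if __name__ == "__main__":
    for rule_id, src_zone, dst_zone, port in audit(RULES, ZONES, APPROVED):
        print(f"rule {rule_id}: {src_zone} -> {dst_zone} on port {port} has no approved conduit")
```

Rule 4 is reported twice because its any-source range covers both the IT and DMZ zones, which is the kind of overly broad rule that weakens IT/OT segregation.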
New Wave of OT Security Threat Requires Defense in Depth Countermeasures
The availability and use of unsophisticated ransomware targeting ICS environments represent a new wave of OT security threats, and operators should adjust their defenses to protect against it. Cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and continuously updated threat intelligence are the keys to avoiding control system disruption.