
Protecting OT data under persistent threat from ransomware

April 29, 2024

These attacks not only threaten the security of sensitive information but also disrupt critical industrial operations, leading to significant financial losses and the damaging of trust among consumers and partners.

A worrying statistic from the State of Ransomware in Manufacturing and Production 2023 report confirms what IT and cybersecurity professionals already know: Manufacturing, with its wide use of operational technology (OT), is a prime target for cybercriminals. The report reveals a staggering fact: More than half of manufacturing organizations (56%) were hit by ransomware from 2022 to 2023 alone.

Ransomware targeting industrial systems has evolved significantly in the last few years, with cybercriminals shifting from widespread, scattershot attacks to more focused, destructive campaigns against specific industries, with manufacturing at the forefront.


The interconnected nature of modern manufacturing operations, relying heavily on supervisory control and data acquisition (SCADA) and critical industrial control systems (ICS), and the prevalence of legacy systems that are difficult or costly to upgrade make this sector particularly vulnerable.


Understanding the threat ransomware poses

The manufacturing sector's reliance on OT alongside information technology (IT) systems increases its exposure to ransomware attacks. Many OT systems weren’t designed with cybersecurity in mind and often run on outdated software that’s difficult to update. This creates an ideal breeding ground for ransomware to take root and spread across both IT and OT networks.


Moreover, the adoption of Internet of Things (IoT) devices in manufacturing facilities, intended to boost efficiency and automation, expands the attack surface. Each connected IoT device is a potential entry point for cybercriminals to gain initial access.

SCADA systems, which are central to the industrial control systems that run manufacturing operations, are often connected to the internet or to other networks, which exposes them to the same cyber threats that exploit IoT devices.

According to the Dragos 2023 OT Cybersecurity Year in Review report, several cyber adversary groups targeting industrial OT systems employ living off the land (LOTL) techniques as a means to achieve their objectives within these networks.


By using native tools already present in the OT environments and exploiting valid or default credentials, they can stay hidden for longer periods. The VOLTZITE threat group, for example, makes heavy use of LOTL techniques in industrial OT networks, enabling them to remain persistent in these environments for considerable periods, impairing detection and incident response efforts.

Adopt a layered security approach to shield data

A layered security approach, also known as defense-in-depth, can help protect data in manufacturing, particularly given the integration of IoT and SCADA systems. Beyond applying regular software updates where possible and investing in employee training, it means combining multiple security measures, each protecting a different aspect of the manufacturing network and its data, including:

Zero-trust architecture

Adopting a zero-trust architecture is crucial for securing ICS and OT environments, especially in the presence of legacy, out-of-support components that cannot be easily updated or patched.

This approach ensures that no entity, whether inside the industrial network or outside, is trusted by default. Continuous verification of all access requests to OT assets, such as programmable logic controllers (PLCs), SCADA systems, and human-machine interfaces (HMIs), is required.

By implementing zero-trust, manufacturers and critical infrastructure operators can dramatically enhance their security posture, ensuring that each component of their industrial processes is secured against breaches that could otherwise lead to severe operational disruptions or safety incidents.


This zero-trust approach becomes even more critical due to the presence of legacy systems that may have known vulnerabilities but cannot be easily updated, making them prime targets for cyber threats.

Network segmentation and the use of virtual local area networks (VLANs) play a crucial role in isolating different segments of the OT network, much like the subdivision of a submarine hull into watertight compartments for protection.

This isolation strategy helps limit the potential spread of threats and contain any potential breaches within a specific compartment or segment, mitigating the risk posed by both external threats and internally lurking threats, such as malicious insiders or compromised user accounts.

By segmenting the network into watertight compartments, a breach in one segment can be prevented from cascading and impacting other segments, thus minimizing the overall impact on industrial operations.
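Taken together, the zero-trust and segmentation ideas above amount to a policy decision for every access request. The following Python is an added example, not code from the article or from CTERA: it evaluates constructed requests to OT assets against a zone conduit allowlist, the requester's MFA state, the device's posture and a per-asset ACL, denying by default and recording every failed check. All zone names, hosts, users and rules are assumptions made for the illustration.

```python
"""Zero-trust access evaluation for a segmented OT network.

Added example (not the article's or CTERA's code).  Every request to an OT
asset is checked against the zone conduit allowlist, the requester's
identity verification, the device's posture and a per-asset ACL; nothing is
trusted because of where it sits.  All zones, hosts, users and rules are
constructed for the illustration.
"""
from dataclasses import dataclass, field

# Constructed conduit allowlist between zones: (src zone, dst zone, protocol).
# Traffic within a single zone still needs identity, device and ACL checks.
ALLOWED_CONDUITS = {
    ("hmi", "control", "modbus"),
    ("hmi", "control", "s7comm"),
    ("engineering", "control", "s7comm"),
    ("it_corp", "dmz", "https"),
    ("dmz", "historian", "https"),
}

# Constructed host-to-zone assignments (the "watertight compartments").
HOST_ZONE = {
    "hmi-01": "hmi",
    "eng-ws-02": "engineering",
    "plc-line1": "control",
    "plc-line2": "control",
    "hist-01": "historian",
    "corp-laptop-7": "it_corp",
    "jump-dmz": "dmz",
}

# Constructed per-asset ACL: identity -> operations it may perform.
ASSET_ACL = {
    "plc-line1": {"operator.a": {"read"}, "engineer.b": {"read", "write", "program"}},
    "plc-line2": {"operator.a": {"read"}, "engineer.b": {"read", "write", "program"}},
    "hist-01": {"analyst.c": {"read"}},
}


@dataclass
class AccessRequest:
    user: str
    src_host: str
    dst_host: str
    protocol: str
    operation: str
    mfa_verified: bool       # identity proven for this session
    device_compliant: bool   # managed device, posture checks passed


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # every failed check, for the audit log


def evaluate(req: AccessRequest) -> Decision:
    """Default deny: allow only when every check passes; record each failure."""
    reasons = []
    src_zone = HOST_ZONE.get(req.src_host)
    dst_zone = HOST_ZONE.get(req.dst_host)
    if src_zone is None or dst_zone is None:
        reasons.append("unknown host with no zone assignment")
    elif src_zone != dst_zone and (src_zone, dst_zone, req.protocol) not in ALLOWED_CONDUITS:
        reasons.append(f"no conduit {src_zone}->{dst_zone} for {req.protocol}")
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    permitted_ops = ASSET_ACL.get(req.dst_host, {}).get(req.user, set())
    if req.operation not in permitted_ops:
        reasons.append(f"{req.user} not authorised for {req.operation} on {req.dst_host}")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed requests exercising the allow path and two deny paths.
SAMPLE_REQUESTS = [
    # Operator reads a PLC from the HMI zone over an allowed conduit: permitted.
    AccessRequest("operator.a", "hmi-01", "plc-line1", "modbus", "read", True, True),
    # Corporate laptop tries to program a PLC: no conduit and no ACL entry.
    AccessRequest("analyst.c", "corp-laptop-7", "plc-line2", "s7comm", "program", True, True),
    # Engineer with valid rights, but from a workstation that failed posture checks.
    AccessRequest("engineer.b", "eng-ws-02", "plc-line1", "s7comm", "program", True, False),
]


def audit(requests):
    """Evaluate a batch and return (src, dst, decision) tuples for logging."""
    return [(r.src_host, r.dst_host, evaluate(r)) for r in requests]


if __name__ == "__main__":
    for src, dst, d in audit(SAMPLE_REQUESTS):
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {src:>14} -> {dst:<10} {'; '.join(d.reasons)}")
```

Run it to see one allowed request and two denials with their reasons. In a real deployment the conduit allowlist lives in the firewall or VLAN ACLs, the identity and posture signals come from the identity provider and endpoint management, and the decision log is forwarded to the SOC so that denied requests against PLCs are visible as they happen.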

Air-gapped backups for industrial data

Data backups serve as a critical safeguard for industrial environments, ensuring that essential operational data, configuration files, and regulatory data such as video surveillance footage can be restored quickly in the event of a cyberattack or system failure.

Regular backups, preferably continuous, should be performed, keeping copies of all important industrial data, system configurations, logs, and regulatory data both on-site and off-site. However, backups alone are not sufficient.


As ransomware attacks become more sophisticated, with 94% of victims reportedly having their backups targeted by attackers, according to Sophos, manufacturers and critical infrastructure operators must implement robust, air-gapped backup strategies.

Air-gapped backups are physically and logically isolated from the industrial control network so that ransomware cannot reach and compromise the backup systems.

Immutable cloud storage is ideal: solutions such as AWS Object Lock provide strong immutability guarantees, and the backup copies should reside in a separate physical location under distinct administrative permissions and user accounts.

Never trust backups blindly: periodic restoration trials are also essential to confirm that the backups are complete and actually restore to a working state.
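The restoration trial called for above can be made routine. The Python below is an added example, not the article's or CTERA's code: it writes a constructed backup set with a SHA-256 manifest, performs a restore into a separate directory, and verifies that every file listed in the manifest came back byte-identical, reporting missing or corrupted files. A second run tampers with one restored file to show the check failing. Immutability of the off-site copy (for example, an object-lock retention period) is assumed to be enforced by the storage layer and is not modelled.

```python
"""Backup manifest and restore-trial verification for OT configuration data.

Added example, not the article's or CTERA's code.  It writes a backup set
(constructed PLC configs and an alarm log), records a SHA-256 manifest beside
it, then runs a restore trial that proves the restored copy is complete and
byte-identical.  Immutability of the off-site copy (e.g. object-lock
retention) is assumed to be enforced by the storage layer, not modelled here.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample backup set: relative path -> file content.
SAMPLE_FILES = {
    "plc-line1/config.xml": b"<plc name='line1'><setpoint>72.5</setpoint></plc>\n",
    "plc-line2/config.xml": b"<plc name='line2'><setpoint>68.0</setpoint></plc>\n",
    "hmi/alarms.csv": b"ts,tag,level\n2024-04-01T02:15:00Z,TT-101,HIGH\n",
}


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large historian exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(backup_dir: Path, files: dict) -> dict:
    """Write the files plus a MANIFEST.json of sizes and hashes; return the manifest."""
    manifest = {}
    for rel, data in files.items():
        p = backup_dir / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        manifest[rel] = {"size": len(data), "sha256": sha256_file(p)}
    (backup_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore(backup_dir: Path, restore_dir: Path) -> None:
    """Simulated restore: copy every file named in the manifest into restore_dir."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    for rel in manifest:
        dst = restore_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(backup_dir / rel, dst)


def verify_restore(manifest: dict, restore_dir: Path) -> dict:
    """Compare the restored tree against the manifest (size first, then hash)."""
    missing, corrupt = [], []
    for rel, meta in manifest.items():
        p = restore_dir / rel
        if not p.exists():
            missing.append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def restore_trial(tamper: bool = False) -> dict:
    """End-to-end trial in a temporary directory.  With tamper=True one restored
    file is overwritten after the restore (simulating a corrupted or encrypted
    copy) so that the verification is expected to fail."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir, restore_dir = Path(tmp) / "backup", Path(tmp) / "restore"
        backup_dir.mkdir()
        manifest = write_backup(backup_dir, SAMPLE_FILES)
        restore(backup_dir, restore_dir)
        if tamper:
            (restore_dir / "plc-line1/config.xml").write_bytes(b"ENCRYPTED")
        return verify_restore(manifest, restore_dir)


if __name__ == "__main__":
    print("clean restore :", restore_trial())
    print("tampered copy :", restore_trial(tamper=True))
```

The manifest must be stored under the same retention as the data, with a second copy kept outside the backup system, so that an attacker who can encrypt the backup cannot also rewrite the record of what it should contain. Scheduling this trial against the real off-site copy, and restoring onto spare hardware rather than into a temporary directory, is what turns "we have backups" into evidence that operations can actually be recovered.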

Leveraging AI for industrial cybersecurity

As manufacturers and critical infrastructure operators strive to combat the rapid proliferation and mutations of cyber threats targeting industrial control systems, leveraging the power of artificial intelligence and machine learning has become essential.

The relevance of traditional signature-based defenses has diminished in the ransomware space, particularly against zero-day attacks. Modern cybersecurity platforms now employ AI and ML to monitor behavior across both OT networks and IT infrastructure.

These technologies enable the detection of anomalies, identification of potential threats, and real-time responses, providing a proactive defense against ransomware, malware, and other cyberattacks.


By leveraging hybrid-cloud solutions that apply AI to behavioral audit logs, manufacturers and critical infrastructure operators can enhance their cybersecurity posture and protect their industrial operations from potential disruptions or safety incidents.

Additionally, the implementation of behavioral anomaly detection further enhances the ability to identify subtle irregularities that may indicate a threat. Given the imminent risk of AI-based threats, there is a compelling need for AI-based defensive capabilities to stay ahead of sophisticated cyber adversaries.
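The behavioral anomaly detection described above can be illustrated without any machine-learning library. The Python below is an added example, not the article's or any vendor's product logic: it learns a per-host, per-command hourly baseline from constructed historical counts and then flags, in a constructed hour of OT audit log lines, commands a host has never issued before and command volumes far above its baseline. The log format, host names and commands are all assumptions.

```python
"""Behavioral anomaly detection over OT audit log lines.

Added example, not the article's or any vendor's product logic.  A simple
per-(host, command) hourly baseline is learned from constructed historical
counts, and a new one-hour window of constructed audit lines is checked for
(a) command types a host has never issued before and (b) volumes far above
that host's baseline.  The log format, hosts and commands are made up.
"""
import re
import statistics
from collections import Counter

# Constructed baseline: hourly counts for each (host, command) over ten
# earlier hours of normal operation.
BASELINE_HOURLY_COUNTS = {
    ("hmi-01", "read_registers"): [98, 102, 95, 101, 99, 104, 97, 100, 103, 96],
    ("hmi-01", "write_coil"): [4, 5, 6, 5, 4, 5, 6, 5, 4, 5],
    ("eng-ws-02", "program_download"): [0, 1, 0, 0, 1, 0, 0, 0, 1, 0],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+)$"
)


def _line(seconds_into_hour, host, cmd, user="operator.a", dst="plc-line1"):
    """Build one constructed audit line at HH:MM:SS within the 03:00 UTC hour."""
    m, s = divmod(seconds_into_hour, 60)
    return f"2024-04-02T03:{m:02d}:{s:02d}Z host={host} user={user} dst={dst} cmd={cmd}"


# Constructed window (03:00-04:00 UTC): normal reads, a write_coil burst, two
# program downloads from a host that never issues them, and one malformed line.
WINDOW_LINES = (
    [_line(i * 36, "hmi-01", "read_registers") for i in range(100)]
    + [_line(i * 90, "hmi-01", "write_coil") for i in range(40)]
    + [_line(761, "hmi-01", "program_download"),
       _line(764, "hmi-01", "program_download", dst="plc-line2")]
    + ["2024-04-02T03:59:59Z truncated record"]
)


def parse_line(line):
    """Return the parsed fields, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def count_window(lines):
    """Count commands per (host, cmd); return (counts, number of unparsable lines)."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[(rec["host"], rec["cmd"])] += 1
    return counts, unparsed


def detect_anomalies(window_counts, baseline=BASELINE_HOURLY_COUNTS, z_threshold=3.0):
    """Flag never-seen (host, cmd) pairs and counts more than z_threshold standard
    deviations above the baseline mean.  The std is floored at 1 so that a
    near-constant baseline does not make a one-event change look extreme."""
    findings = []
    for key, count in sorted(window_counts.items()):
        history = baseline.get(key)
        if history is None:
            findings.append({"host": key[0], "cmd": key[1], "count": count,
                             "reason": "command never observed from this host in baseline"})
            continue
        mean = statistics.mean(history)
        std = max(statistics.pstdev(history), 1.0)
        z = (count - mean) / std
        if z > z_threshold:
            findings.append({"host": key[0], "cmd": key[1], "count": count,
                             "reason": f"volume spike: z={z:.1f} vs hourly mean {mean:.1f}"})
    return findings


def analyse(lines=WINDOW_LINES):
    """Parse a window of lines and return (findings, unparsable line count)."""
    counts, unparsed = count_window(lines)
    return detect_anomalies(counts), unparsed


if __name__ == "__main__":
    findings, unparsed = analyse()
    for f in findings:
        print(f"{f['host']:>10} {f['cmd']:<17} n={f['count']:<4} {f['reason']}")
    print(f"unparsable lines: {unparsed}")
```

In this constructed window the HMI workstation both issues program downloads it has never sent before and produces a burst of coil writes, the kind of subtle irregularity a signature-based tool has nothing to match against; the routine reads at their usual volume raise nothing. A real deployment would replace the hand-written baseline with rolling statistics per asset and time of day, and would treat unparsable lines as a signal in their own right, since gaps in audit coverage are exactly what a living-off-the-land intruder benefits from.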


As cyber threats evolve, the defensive strategies of manufacturing companies must mutate as well. The growing menace of ransomware demands more than data protection—it requires a commitment to maintaining operational continuity and safeguarding the integrity of supply chains.

Manufacturers need to adopt a proactive and layered approach to cybersecurity if they hope to keep their business in business in 2024 and beyond.

About the Author

Aron Brand

Aron Brand, chief technology officer at CTERA Networks, has more than 22 years of experience in designing and implementing distributed software systems. Prior to joining the founding team of CTERA, he was chief architect of SofaWare Technologies, where he led the design of security software and appliances for the service provider and enterprise markets.