Protecting critical systems during the Coronavirus pandemic

As COVID-19 forces organizations to rethink how they work, chief information security officers (CISOs) who are responsible for the resilience of critical systems face an even greater dilemma. How do you keep critical systems running 24/7 when employees are strongly encouraged to work from home and are increasingly dependent on secure connectivity to function normally? CISOs may need to open up systems that are traditionally closed to the outside world to allow for remote management. They must balance safety, productivity and cybersecurity risk.

Even the slightest oversight can cause harm to employees or the public.

The large number of open connections back to the enterprise or operational technology (OT) environments introduces cyber risk. Some executive leaders may not prioritize cybersecurity as they scramble to keep their businesses running, not realizing that threat activity carries on, and is sometimes even heightened, during times of crisis. In Singapore, for example, online home-based learning was promptly disrupted when hackers hijacked the platform to show obscene images to students. This is just one example of how cyberattacks can wreak havoc and create more chaos in times of uncertainty. Now imagine if these threat actors were to successfully target the OT systems of essential services such as energy grids, water supply, transport and manufacturing. The fallout would be far more catastrophic.

In this article, we will discuss ransomware seen during this pandemic and how to stay ahead.

A New Era for Ransomware: Disrupting OT

Among the most notorious ransomware, NotPetya crippled sectors such as energy, oil and gas, logistics, pharmaceuticals and manufacturing in 2017. Ultimately, it caused more than $10 billion in damages. What made NotPetya different from the typical cyberattacks of the past decade was that it affected physical assets in industrial and critical infrastructure systems.

We continue to see ransomware incidents in Asia impacting OT. The spread of Snake ransomware in January 2020 continues to gain attention because it is extremely difficult to recover from without paying the attackers. What makes Snake so formidable is that it employs obfuscation and then kills processes specific to industrial software found in OT networks before file encryption begins. This method is not typically used in ransomware. The impact is significant because it disrupts operations by preventing engineers from accessing vital production-related processes.

To make matters worse, highly skilled threat actors are employing second-stage techniques to increase the severity of attacks. For example, a cybercriminal may first gain privileged access to a network by exploiting vulnerabilities or through credential theft. This allows the criminal to study and learn the environment before deploying ransomware directly to key critical assets. With increasing remote access, organizations with industrial control system (ICS) networks must be even more vigilant.

Planning for a Post-pandemic Recovery

To maintain resilience during COVID-19, we encourage organizations to include both IT and OT teams in cybersecurity planning. Here are recommendations to strengthen an organization’s security posture with the sudden increase of employees working from home:

  • Increase visibility into the OT environment by using passive traffic monitoring to identify and baseline critical assets and operational states
  • Bolster detection capabilities with anomaly detection technology in IT and OT environments
  • Apply a health-check to network infrastructure and ensure correct network segregation and firewall policies are in place
  • Ensure all devices and services are patched. It is also important to shorten the patch cycles, especially for those patches that protect remote infrastructure. Where appropriate, use virtual patching to complement existing patching processes until a permanent patch can be conducted
  • Deploy a resilient backup policy which will support quick access to impacted files
  • Perform asset hardening to disable services used by ransomware for propagation
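The first two recommendations above, passive traffic baselining and anomaly detection, are often treated as products to buy, but the core logic is small enough to show. The following is an added example written for this article, not code from the article's author or from any vendor product. It learns a baseline of normal (source, destination, port, protocol) conversations from constructed flow records of the kind a passive SPAN/TAP sensor would emit, then flags three things in later traffic: a host never seen during baselining, a conversation never seen during baselining, and one host fanning out over SMB/RDP to several assets, the pattern the last recommendation (disabling propagation services) is meant to prevent. All IP addresses, ports and the threshold are constructed assumptions.

```python
"""Passive OT flow baselining and anomaly detection (added example).

Flow records are constructed for illustration; a real deployment would
feed this from a passive sensor and baseline over days of quiet traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports commonly abused for lateral movement (SMB, RDP). Assumption: an
# operator would tune this list to the services actually present.
PROPAGATION_PORTS = {445, 3389}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(lines):
    """Parse 'src,dst,dport,proto' records; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        try:
            dport = int(dport)
        except ValueError:
            continue
        flows.append(Flow(src, dst, dport, proto.upper()))
    return flows


def build_baseline(flows):
    """Learn the set of normal conversations and the set of known assets."""
    allowed = set(flows)
    assets = {f.src for f in flows} | {f.dst for f in flows}
    return allowed, assets


def detect_anomalies(baseline, flows, fanout_threshold=3):
    """Return alerts as tuples whose first element is the alert kind."""
    allowed, assets = baseline
    alerts = []
    fanout = defaultdict(set)  # src -> destinations reached on propagation ports
    for f in flows:
        if f.src not in assets or f.dst not in assets:
            alerts.append(("new-asset", f))
        elif f not in allowed:
            alerts.append(("new-conversation", f))
        if f.dport in PROPAGATION_PORTS:
            fanout[f.src].add(f.dst)
    for src, dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(("propagation-fanout", src, len(dsts)))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {'new-conversation': 3, ...}."""
    counts = {}
    for a in alerts:
        counts[a[0]] = counts.get(a[0], 0) + 1
    return counts


# Constructed baseline: an HMI polling two PLCs over Modbus/TCP and a
# historian talking to the HMI over EtherNet/IP.
BASELINE_LINES = [
    "10.10.1.5,10.10.2.10,502,tcp",
    "10.10.1.5,10.10.2.11,502,tcp",
    "10.10.1.20,10.10.1.5,44818,tcp",
]

# Constructed later capture: normal traffic plus the HMI reaching out over
# SMB to three assets and an unknown host speaking Modbus to a PLC.
OBSERVED_LINES = BASELINE_LINES + [
    "10.10.1.5,10.10.2.10,445,tcp",
    "10.10.1.5,10.10.2.11,445,tcp",
    "10.10.1.5,10.10.1.20,445,tcp",
    "10.10.9.9,10.10.2.10,502,tcp",
    "garbage line that the parser skips",
]


def run_demo():
    baseline = build_baseline(parse_flows(BASELINE_LINES))
    return detect_anomalies(baseline, parse_flows(OBSERVED_LINES))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline deliberately keys on the full conversation tuple rather than on addresses alone, so that a known HMI suddenly speaking SMB to a known PLC is still an alert; in a static OT network that precision is affordable in a way it rarely is on an enterprise LAN.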

Asia was the first region to be affected by COVID-19, but the good news is that we are also likely to be the first to emerge from it. The pandemic has brought wave after wave of challenges for businesses, and we will probably continue to feel its repercussions for a long time. However, it is vital for businesses to prioritise cybersecurity and mitigate damage from cybercrime in order to recover and succeed in the post-pandemic era.