Is ransomware a distraction to a bigger problem?
Author: Mel Griffiths

Ransomware and other ‘visible’ cybersecurity breaches are not always the end game for attackers – they can also be a distraction tactic from more serious objectives, such as operational technology (OT) breaches. As business leaders become fixated on the immediate ransomware problem, could the real danger lie elsewhere in the operational network? What better way to embed yourself and ‘cover your tracks’ to avoid detection while your target is concentrating on another critical issue?

Experienced hackers often use a multitude of methods and pathways to secure their real objective. The fact that an attacker can get into a system and encrypt the whole set of files to create a ransomware attack means that the target is breached. Is part of your network not encrypted? People must question why and investigate further, rather than assume unaffected areas of the network are still secure.

Due to the evolution of these systems, the operational technology environment can be highly vulnerable. You may hear “If it’s not broke don’t fix it” or “these are air gapped systems”, which for a time was bearable. With the broadening of digital transformation and the ability to carry significant vulnerabilities on small hosts – think USB devices and smartphones, amongst others – those paradigms have broken down. Usually a lot of focused work has been done on the information technology side, but if cyber criminals are looking for a way into a company’s systems, they are going to attack the softest target, and that is rapidly becoming OT systems.

An alarming report was released by Gartner recently, warning that by 2025 cyber attackers could be weaponising OT to harm or kill people. The Gartner report also noted that organisations need to have segmented networks for IT and OT, highlighted by the attack on the Colonial Pipeline in the US. Put that in the context of critical infrastructure. If cyber criminals have knowledge of architectural designs and infrastructure build-outs, that is highly advantageous for attacks that aim to shut down a region’s power plant or its water supply.

The difference between IT and OT security

OT is an area often poorly understood by business leaders, and effective protection of safety-critical systems requires an enhanced and somewhat different skillset from that of an IT-only focused professional. Everybody has different capabilities, so it does not make sense to assume that somebody with IT experience is automatically able to transition into understanding an operational technology environment, and vice versa. My experience working in organisations dealing with safety-critical systems taught me that the engineering principles of safety-critical operational technology systems are very different from those of IT systems alone. On the flipside, experienced OT people don’t automatically understand the complex vagaries of IT cyber security, because protection from a cyber security attack is not on or off, nor a clear physical event; it is amorphous. Neither is more important than the other, but they require different skill sets that ultimately complement each other.

Data theft, of course, is a real concern for businesses. But if there is a connection between IT and OT systems, there could be a far more serious issue – criminals are inside their infrastructure. Not every attack is going to be visible, but that doesn’t mean you are not being attacked; it just means that you are not picking them up. If criminals are already in the systems and doing as they please, they are not then going to put up a flag, deploy ransomware and say, “hey, I’m stealing your IP or mapping your infrastructure.” They are just going to keep going.

Ransomware is the latest attack in a long line of cyberattacks. It is real, people are being locked down, and criminals are making hundreds of millions of dollars out of it. Whether it is state-based actors or industrial espionage, it has evolved into a commercial industry far removed from when I started in the industry more than 30 years ago, when it was just people hacking into stuff because they could. But ransomware can also be put in place to divert attention while other activity is taking place, and the likelihood of someone discovering that activity is quite low, because the business has been subject to a ransomware attack and it’s an emergency.

Three simple steps to planning cyber security

Step 1: Visualise the crown jewels

The number one item that businesses have to outline first is their vision for what they want to protect: the most important aspects of the organisation. It might be protecting a huge database of clients, safeguarding a fleet of remote-operated vehicles, or defending a manufacturing process. No cyber security professional can tell a business leader or manager what their risk appetite is or what aspects of their organisation are most important to them. Of course, they can offer advice and suggestions, but only the business leaders can answer the question of their risk appetite. If an item breaks and you have no revenue for your business, you might have a very low threshold on security risk for that area. But that’s your vision to share, not mine to guess. A vision of the valuables that need protecting must include critical OT infrastructure that keeps workers safe and businesses moving. A clear and honest picture allows us to develop the right protections.

Step 2: Get a grip on reality

Many people want to adopt the vision as the plan, but they first need to understand where they are starting from and the behaviours of the environment they are working in. And you need to be honest about it. It’s not just about doing a penetration test to check where the exploitable vulnerabilities are. By understanding the behaviours in the current environment, business leaders can plan a roadmap to that vision. Cyber security is a journey, but if you don’t really know where you are starting from, it’s impossible to determine whether you are on the right path. Recognise the behaviours in the organisation’s environment, appreciate the types of people working in the environment, and understand the systems critical to the organisation. Once you are honest about that, you can start down the right path.

Step 3: Think before you act

Don’t just go and buy a product because somebody says, ‘this is the best product to buy’. Know where that product fits in the vision and the reality of where you are going, as established in the first two steps. When you put a product in place, understand how it is actually going to help you on that path to the vision. If you’re not making those forward steps, that’s okay. Go back, readjust, and go forward again. That is the systematic way to approach cyber security.

But take action now; don’t get bogged down in ‘planning’. Too many people have said, ‘we understand the benefits and you’ve shown us the vulnerabilities, but we’re just building our plan, we’ll talk to you in a couple of years.’ That is a statement that declares ‘it’s really important to build a plan, which it is, but meanwhile I don’t really care what’s happening in my system.’ Two years is an eternity in cyber security. And it’s a milestone that may never come around if you don’t take action to protect yourself now.