Confronting the ransomware threat: strategies to safeguard your facility

Keeping ransomware attackers at bay is somewhat analogous to avoiding getting eaten in the jungle, notes Yogesh Shivhare, senior analyst at research firm IDC Canada. 

“If you’re in the jungle and a lion is chasing you, you don’t have to outrun the lion – all you have to do is outrun the other people,” says Shivhare. “The key point is that you have to make your organization a little more difficult to attack than others.”

Ransomware-as-a-Service (RaaS), as it is sometimes called, is now a well-established criminal undertaking where “bad actors” invest in technical resources and then seek out targets that will provide the best return. Recent incidents range from a high-profile attack on Canadian manufacturing giant Magna to smaller-scale attacks on SMEs. “This is one very organized industry,” says Shivhare. “Now the tools are so readily available that anybody can attack anybody.” 

Manufacturing appears to be a particularly lucrative hunting ground – an IDC survey found it was the most frequently attacked industry in Canada in 2020, and that manufacturers are attacked at twice the national average. 

“There are a couple of elements in manufacturing that make it a very good target for attackers,” says Daniel Clayton, vice-president, global security operations and services at cybersecurity firm Bitdefender. “They have to deal with not only the downtime from the incident, but with the knock-on impact on the supply chain. Furthermore, the interconnected nature of manufacturing supply chains means that you’ve got a lot of industrial devices and networking devices that are exposed to the internet.” 

Manufacturers are noted sometimes for having weaker defences. “There is a view that manufacturing organizations are not always very mature from a security perspective,” says Clayton. “In cases where this is true, there are likely to be old operating systems in the environment, and unpatched systems.”

The pandemic has increased this threat. “A lot of organizations had to adopt remote work but were not ready for it,” says Shivhare, noting that implementing such programs normally takes six to 12 months. “That opened up a lot of vulnerabilities.”

Pinpointing the vulnerabilities

Today’s hackers have upped the ante. No longer content to encrypt a company’s data and then demand a hefty ransom to unlock it, they combine this threat with double extortion, where they threaten to expose data, often publishing samples online to prove their point. 

Typical incidents occur in two phases. The attacker first gains access and then trolls the host network to locate critical data, assess its sensitivity, disable backup and security systems, and estimate what the victim will be willing to pay. This is frequently automated with software tools that have become readily available on the dark web. 

Technology can help reduce these risks. Endpoint Detection and Response (EDR) solutions, for example, use analytics to establish profiles of security incidents over time to speed threat verification and elimination from environments and improve defences. 

“We manage over half a billion endpoints globally, which means that we have eyes all over the world,” says Clayton. “We see attacks as they happen and we can very quickly develop signatures that will block those attacks and protect our customer base.”

Many defensive strategies, especially older ones, are focused on preventing attacks at the perimeter, but today’s attackers are often able to circumvent those defences. Often, they do so by exploiting what is too often the weakest link – unwary employees. 

“Phishing is the tried-and-true method, and the number one attack vector,” says Kevin Magee, chief security officer at Microsoft Canada. Fake ads for unbelievable discounts, free software or posts about a favourite sports team are common bait. 

Bitdefender combines security analytics with cyberthreat-hunting to scour customer networks for signs of intruder-like activity. “What our analysts are able to do is develop a very detailed picture of the way a device in that environment normally operates,” says Clayton. “If a user credential, or system, is not operating in the way it normally does, we can identify it and if necessary, shut it down.”

Clayton warns, however, that companies should focus on security best practices like multi-factor authentication, reduced access rights to sensitive data, hardening of systems to ensure that all versions and patches are up to date to protect their credentials, their networks and their businesses. Much of this is aimed at blocking intruders from moving laterally within the network once they have gained access. 

These measures are detailed and time consuming. “In a manufacturing environment, there are so many computing devices that keeping everything updated and patched is really difficult,” says Kurt Baumgartner, principal security researcher at global cybersecurity firm Kaspersky. Baumgartner also recommends segmenting the manufacturing network, with its many sensitive devices, from the rest of the corporate network. 

“In a manufacturing environment, there are so many computing devices that keeping everything updated and patched is really difficult,” says Baumgartner.

The rise of IoT, edge computing and robotics has increased the scope of these chores dramatically. “If you’re the security professional, you might be managing 20 to 30-year-old equipment that’s now connected to the Internet but was never designed to,” says Magee. “But you also might be managing some cutting-edge operational technology that is brand-new and still evolving.”

The rapid evolution of Industry 4.0 technology has increased the urgency of breaking down the divisions between plant engineering and IT. “The CIO has never been trained to secure OT (operational technology) edge computing resources,” says Magee. “I would love to see a plant engineer or plant manager brought onto the security team to give that perspective.”

“I also think we’re not training technical managers to lead technical teams that cross over into electrical and mechanical engineering,” adds Magee. “I think we as an industry really need to do more in the coming years to close those gaps.”

Another important requirement is planning what to do in case of attack. Companies are now augmenting their disaster recovery plans to include ransomware incidents. Added measures might include establishing relationships with specialty firms that handle negotiation with and payment to attackers. While ransomware is an unsavoury topic for many executives, this is not a conversation that should be taking place when the clock is ticking.

Future outlook

Announcements by U.S. President Biden and other leaders have raised hopes that cyber criminals will ultimately be tracked down and put out of business. “I’ve seen some positive things,” says Baumgartner. “It was good to see the FBI claw back millions of dollars in Bitcoin from one of the ransomware operators after it was paid out. That was incredible.”

But Baumgartner is guarded in his optimism. “At this point, the ransomware operators have stolen enough money to not only grow their own organizations but to continue doing so for years,” says Baumgartner. “This is a problem that’s going to get worse before it gets better.”

“One of the reasons why ransomware is so popular and still growing is that in a large part, it’s successful,” says Jean-Philippe Racicot, manager, strategic threat assessments, CSE (Canadian Centre for Cyber Security). 

CSE hopes to make Canada a tougher hunting ground. “It’s not like we’re going to completely eradicate cyber criminals from across the world,” says Racicot, “but if you take simple effective actions to make yourself a harder target, they’re typically going to go elsewhere.”