In recent weeks we have witnessed two large-scale ransomware attacks that demonstrated the direct real-world effects of cyberattacks on industrial operations. First, the Colonial Pipeline attack, which halted pipeline operations for long enough to (slightly, thankfully) affect oil prices in the U.S.; and then the attack on the beef supplier JBS, which forced JBS to shut down all of its beef plants in the U.S.
Both attacks involved ransomware, and are allegedly attributed to state-sponsored hacker groups. In both cases ransom money was paid to the attackers in order to resume operations quickly. Luckily, a large amount of the ransom paid by Colonial was recovered by law enforcement.
The most disturbing similarity between the two attacks, as well as many other recent attacks, is that both companies didn’t install adequate protections against ransomware, even though the writing was prominently inscribed on the wall.
You know what you need to do, don’t you?
The measures that need to be taken to prevent ransomware attacks are known and documented. The very basics include:
- Perform an asset discovery toward mapping all assets and the vulnerabilities introduced by each.
- Create network segmentation, not just between IT and OT but also between other sensitive business units.
- Install solutions for network resilience, such as backup and recovery, redundancy and fallback server, record configuration snapshots, and more.
These tried-and-true methods, and many others, will definitely reduce your network risk and improve your resilience posture, not only against the exact malware used in the Colonial and JBS attacks but against all types of cyberattacks.
BUT, which mitigations do I need on top of these basic best practices?
The problem is deciding which mitigations should be installed. A decision based on intuition, familiarity with your industrial network or just plain rule-of-thumb will probably not maximize your ROI on Risk Reduction. Simply put – and this should be the most important takeaway from this post – it’s impossible for a CISO to accurately determine network risk and even more so, the effect of different hardening measures on reducing susceptibility to an attack. You just can’t eyeball risk anymore. And not installing the most effective mix of mitigation measures means that you’ve just spent money on either preventing the wrong threats or ineffectively preventing the threats you’re facing.
Breach and Attack Simulation (BAS) and risk assessment
Each industrial network is different, from the devices and protocols used to the industry it operates in. What’s right for an oil pipeline or a beef processing plant may not be suitable for a building management system (BMS) or a water supply network; moreover, OT networks in different locales face different threats.
In fact, to produce an optimized risk mitigation plan you’ll need to analyze hundreds of data points, from threat intelligence (e.g. MITRE ATT&CK) and other sources, covering the attackers active in different industries, their attack techniques and the effect of each mitigation measure on each technique, for every business unit in your organization. You’ll also have your budgetary constraints to consider, as well as your long- and short-term risk management goals (e.g. protecting high-risk operations vs. demonstrating compliance vs. reducing overall risk).
CIARA displays a clear list of the most relevant attack groups and attack tactics for the specific system under consideration (SuC)
Risk assessment in action
Analyzing the network’s threat and mitigation environment is exactly what risk assessment systems are supposed to do, and what CIARA, Radiflow’s risk assessment and management platform, actually does.
CIARA employs an extensive proprietary algorithm to perform breach and attack simulations (BAS), based on each and every network and device’s properties and vulnerabilities, as derived from Radiflow’s non-intrusive self-learned network image/model. CIARA is 100% compliant with IEC 62443, thus assuring the user organization’s compliance with the standard.
Prioritized mitigations in CIARA, listed by state, zone, fundamental requirement (per IEC 62443) and cost
CIARA’s simulations account for:
- The probability of an attack on each and every network zone, using multiple threat intelligence sources for attack groups and attack tactics
- The attackers and the adversary tactics and techniques for the locale and industrial sector of the user’s ICS network
- The potential impact, both financial and otherwise, incurred as a consequence of an attack, to each business unit
- The ability of different mitigation measures to prevent an attack
The outcome of numerous simulation instances is a clear, optimized mitigation plan that delivers the most OT security for each dollar spent. CIARA’s network hardening roadmap prioritizes the mitigations you need to install on the network based on your security preferences (for example, reducing overall risk vs. hardening a single critical business unit) and quarterly budget constraints. CIARA even provides a project planner for long-term quarterly budget planning.
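To make the reasoning behind such a roadmap concrete, here is a small budget-constrained mitigation planner. It is an added illustration written for this post and is not CIARA’s proprietary algorithm or any Radiflow code: it models each zone’s expected loss as attack probability times impact, assumes independently acting controls whose residual factors multiply, and greedily buys the affordable mitigation with the best weighted risk reduction per dollar. The zone names, probabilities, impacts, mitigation costs and effectiveness fractions are constructed sample values, and the `weights` argument stands in for the “reduce overall risk vs. harden one critical unit” preference described above.

```python
"""Illustrative budget-constrained OT risk-mitigation planner.

Not CIARA's algorithm. All zone probabilities, impacts, mitigation costs and
risk-reduction fractions below are constructed sample figures for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    name: str
    attack_probability: float   # estimated yearly probability of a successful attack on the zone
    impact: float               # estimated loss (USD) if that attack succeeds


@dataclass
class Mitigation:
    name: str
    cost: float                         # one-off cost (USD) for the planning period
    risk_reduction: Dict[str, float]    # zone name -> fraction of that zone's expected loss removed


def expected_loss(zone: Zone, applied: List[Mitigation]) -> float:
    """Residual annual expected loss for one zone.

    Assumption: controls act independently, so their residual factors multiply.
    """
    residual = zone.attack_probability * zone.impact
    for m in applied:
        residual *= 1.0 - m.risk_reduction.get(zone.name, 0.0)
    return residual


def total_expected_loss(zones: List[Zone], applied: List[Mitigation],
                        weights: Optional[Dict[str, float]] = None) -> float:
    """Sum of residual losses. With weights=None every zone counts equally (overall risk);
    otherwise a zone missing from `weights` counts as 0 (harden only the listed zones)."""
    return sum(
        (1.0 if weights is None else weights.get(z.name, 0.0)) * expected_loss(z, applied)
        for z in zones
    )


def plan_mitigations(zones: List[Zone], mitigations: List[Mitigation], budget: float,
                     weights: Optional[Dict[str, float]] = None) -> Tuple[List[Mitigation], float]:
    """Greedy plan: repeatedly pick the affordable mitigation with the highest
    (weighted) risk reduction per dollar until budget or benefit runs out.
    Returns the ordered plan and the unweighted residual expected loss."""
    selected: List[Mitigation] = []
    pending = list(mitigations)
    remaining = budget
    while True:
        current = total_expected_loss(zones, selected, weights)
        best, best_ratio = None, 0.0
        for m in pending:
            if m.cost > remaining:
                continue
            reduction = current - total_expected_loss(zones, selected + [m], weights)
            ratio = reduction / m.cost
            if ratio > best_ratio:     # strictly positive benefit only
                best, best_ratio = m, ratio
        if best is None:
            break
        selected.append(best)
        pending.remove(best)
        remaining -= best.cost
    return selected, total_expected_loss(zones, selected)


# Constructed sample environment: three zones, five candidate mitigations.
ZONES = [
    Zone("IT-corporate", 0.30, 500_000),
    Zone("OT-pipeline-control", 0.10, 5_000_000),
    Zone("OT-safety", 0.02, 20_000_000),
]

MITIGATIONS = [
    Mitigation("IT/OT segmentation firewall", 80_000, {"OT-pipeline-control": 0.6, "OT-safety": 0.5}),
    Mitigation("Offline backups with tested recovery", 40_000, {"IT-corporate": 0.7, "OT-pipeline-control": 0.3}),
    Mitigation("Asset inventory and patching", 50_000, {"IT-corporate": 0.4, "OT-pipeline-control": 0.2, "OT-safety": 0.1}),
    Mitigation("MFA on remote access", 20_000, {"IT-corporate": 0.5, "OT-pipeline-control": 0.4}),
    Mitigation("OT network monitoring", 120_000, {"OT-pipeline-control": 0.5, "OT-safety": 0.6}),
]

if __name__ == "__main__":
    baseline = total_expected_loss(ZONES, [])
    for label, weights in (("reduce overall risk", None), ("harden OT-safety only", {"OT-safety": 1.0})):
        plan, residual = plan_mitigations(ZONES, MITIGATIONS, budget=150_000, weights=weights)
        print(f"Preference: {label}")
        for m in plan:
            print(f"  - {m.name} (${m.cost:,.0f})")
        print(f"  expected annual loss {baseline:,.0f} -> {residual:,.0f}")
```

Run with the two preferences, the same budget produces two different plans: optimizing overall risk buys MFA, segmentation and backups, while hardening only the safety zone buys segmentation and asset inventory and leaves IT-side controls unfunded. That divergence is the point of the section above: the right mix depends on the stated goal and the budget, not on a rule of thumb, and a greedy per-dollar ranking is only a first approximation of what a full simulation over many attack scenarios would produce.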
The conventional wisdom in OT security is that if you haven’t been attacked yet, you will be at some point. It’s just a matter of time. The Colonial and JBS attacks should serve as a reminder for industrial organizations to plan ahead and start the process of assessing their network risk and optimizing their ICS security – before they’re attacked.