By Ron Brash, Director of Cybersecurity Insights at Verve Industrial Protection

Winter driving in the colder parts of the world can be perilous and high-risk, or carry almost no risk at all, depending on how you approach it. When someone buys a car, they often buy one that is not well suited or engineered for cold conditions, and yet that purchase can be either risky or safe depending on driver skill (what enthusiasts call the "driver mod"). Front-wheel-drive (FWD) cars, for example, are notorious for getting stuck in snowbanks or understeering in a variety of conditions, yet they are often bought because they are cheaper or more fuel-efficient.
This article draws analogies between winter driving risks and ransomware. If you drive regularly, then statistically you are more likely to wind up in an accident (insurance claims increase by over 49%). So what are your choices from a preparation standpoint?
- Have mandatory compensating controls such as quality winter tires for snow and ice
- Have mandatory car insurance to recover some losses
- Have secondary measures to reduce the impact of a snowy excursion (candles and an empty tin, matches, blanket, water, snack bars, a flashlight, and an automobile association membership for towing)
And from a driving perspective?
- Keep the car parked, and drive when conditions are clear
- Selectively choose and navigate your route while sticking to cleared/sanded roads
- Drive below the posted speed
- Sell the vehicle
Obviously, if you need the car, you should not drive recklessly at full speed, but most logical decision-makers would acknowledge the likelihood of winding up in a snowbank or hitting "black ice". So selling the car isn't an option, but being prepared, driving selectively, and not panicking is the best path forward, right? Similarly, it would be nonsensical to sell your business because you cannot eliminate ransomware risk, or to falsely believe that ransomware will never affect your organization's assets and operations.
Unfortunately, ransomware is not seasonal like winter driving. In the first half of 2020, ransomware accounted for 41% of all cyber insurance claims, with no sign of slowing. What are we doing wrong?
Most organizations are poorly prepared from a governance and procedure perspective, and, more importantly, they lack adequately implemented cybersecurity basics. Relevant technology investments are often present but not sufficiently leveraged. There is a purported shortage of suitably skilled people, but asset owners do not need "experts in everything"; they largely need competent administrators, technicians, and architects.
In short, it is not necessarily a technology problem. It is a combination of incompletely operationalized current/commodity investments and an industry focused on selling "detection and monitoring" rather than tangibly reducing residual risk and impact.
The Realities of Ransomware
Imagine a warning system that alerts you just as you start sliding across the ice toward a wall. It adds little value by that point (aviation is the exception, where ground-proximity warning is the whole idea because the pilot still has time to react). With that in mind, let's look at the realities of ransomware:
- Has a high chance of occurring in ANY environment, and accidental insiders are everywhere.
- More often than not leverages old, not newly disclosed, vulnerabilities and unhardened legacy configurations of commodity systems.
- Small clusters of infected hosts are easy to manage; widescale outbreaks are hard to manage.
- Likely does not need a kill-chain analysis; it needs containment and recovery ASAP.
- The cost equation is in the attacker's favor: (systems affected) * (burn rate + recovery costs).
- Attackers are usually opportunistic rather than skilled "nation-affiliated" actors (although those exist).
- The time window for security teams to detect the dropper, isolate systems, and prevent a laterally moving infection is very small (less than an hour).
- Paying the ransom may be illegal (for example, where the recipient is a sanctioned entity), but it is generally cheaper than recovering.
All of the above assume the organization is operating normally: no scheduled disruptions or periods of required high availability, and no other fires or incidents to put out. Basically, if you see ransomware, you will end up pulling the "emergency" switch and moving to recovery ASAP (especially if margins are tight due to 2020 revenue loss). It is a whack-a-mole game, but cutting the ransomware off at the head, fixing the root issue, changing credentials, and getting systems back up and running ASAP is critical.
Industrial control system (ICS) and operational technology (OT) environments are no different in this respect, except that the decision to stop and move to safe recovery must be made almost instantly.
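To make the cost equation and the "small window" point concrete, here is an added illustration that is not part of the original article: a toy model of worm-style lateral movement in which each round is one lateral hop, scored with the article's own formula, (systems affected) * (burn rate + recovery costs). The topology (a corporate LAN, a DMZ, and two OT levels), the host counts, and the per-host cost figures are constructed assumptions, not data from any real incident; the model exists only to show how segmentation and the speed of pulling the emergency switch change the blast radius and therefore the bill.

```python
"""Toy model (added illustration, not the article's own code): ransomware
spreading laterally across a small site, scored with the article's equation
    cost = (systems affected) * (burn rate + recovery cost)
Topology, host counts and cost figures are constructed assumptions."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Network:
    # segment name -> hosts in it (constructed example site)
    segments: dict
    # unordered pairs of segments that the firewall lets talk to each other
    allowed_links: set = field(default_factory=set)

    def can_reach(self, src_seg, dst_seg):
        """Same segment is always reachable; otherwise the link must be allowed."""
        return src_seg == dst_seg or frozenset((src_seg, dst_seg)) in self.allowed_links

    def segment_of(self, host):
        for seg, hosts in self.segments.items():
            if host in hosts:
                return seg
        raise KeyError(host)


def simulate_outbreak(net, patient_zero, rounds_until_isolated):
    """Worm-style spread: each round, every infected host compromises every
    host in every segment it is allowed to reach (one lateral hop per round).
    Returns the infected set at the moment the team isolates."""
    infected = {patient_zero}
    for _ in range(rounds_until_isolated):
        reachable = set()
        for host in infected:
            src = net.segment_of(host)
            for seg, hosts in net.segments.items():
                if net.can_reach(src, seg):
                    reachable.update(hosts)
        infected |= reachable
    return infected


def outbreak_cost(systems_affected, burn_rate, recovery_cost):
    """The article's cost equation; burn rate and recovery are per affected system."""
    return systems_affected * (burn_rate + recovery_cost)


def make_hosts(prefix, n):
    return [f"{prefix}-{i:02d}" for i in range(n)]


# Constructed site: 20 corporate hosts, 2 DMZ hosts, 5 OT level-3, 10 OT level-2.
SEGMENTS = {
    "corp": make_hosts("corp", 20),
    "dmz": make_hosts("dmz", 2),
    "ot_l3": make_hosts("ot-l3", 5),
    "ot_l2": make_hosts("ot-l2", 10),
}

# Segmented design: traffic must hop corp -> dmz -> ot_l3 -> ot_l2.
SEGMENTED = Network(SEGMENTS, {
    frozenset(("corp", "dmz")),
    frozenset(("dmz", "ot_l3")),
    frozenset(("ot_l3", "ot_l2")),
})
# Flat design: every segment can talk directly to every other.
FLAT = Network(SEGMENTS, {frozenset(p) for p in combinations(SEGMENTS, 2)})

BURN_RATE = 5_000   # assumed downtime cost per affected system
RECOVERY = 2_000    # assumed rebuild/restore cost per affected system


def compare(rounds_until_isolated):
    """(systems affected, cost) for both designs when the team isolates after
    the given number of lateral hops, starting from one corporate workstation."""
    result = {}
    for name, net in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = len(simulate_outbreak(net, "corp-00", rounds_until_isolated))
        result[name] = (hit, outbreak_cost(hit, BURN_RATE, RECOVERY))
    return result


if __name__ == "__main__":
    for rounds in (1, 2, 3):
        print(f"isolated after {rounds} hop(s): {compare(rounds)}")
```

In the flat design every host is reachable in a single hop, so the moment of isolation makes no difference: all 37 systems are hit. In the segmented design the same patient zero reaches 22 systems after one hop, 27 after two, and only reaches the OT level-2 controllers on the third; every hop the architecture forces is time the responders get to pull the switch, which is the article's point that existing controls such as segmentation reduce impact where detection alone cannot.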
So, what I am trying to say, candidly, is that I will probably wind up in a snowbank this winter, and you too will likely have ransomware in the future, but it does not need to be scary or expensive. Why? Just like our car analogy; here is a table comparing a few elements:
| Winter driving | Ransomware readiness |
| --- | --- |
| Insurance, assuming several conditions are met | Insurance, IF due diligence was present |
| Route being traveled | Network architecture & segmentation; native OS/product features |
| Dashboard warning lights | SIEM & alerts |
| Pre-trip walkaround | Detailed automatic asset inventory |
| Winter tires with adequate tread | Perimeter security controls (e.g., firewall) |
| Assisted driving features | Application whitelisting & policy enforcement; vulnerability & systems management |
| Maintenance manual & oil/brake changelog | Policy & procedures |
| Road-side survival kit | Secondary lines of communication, call bridges, & incident management infrastructure |
| Road-side issue handling | Incident isolation & recovery/restoration |
| Replacement car or repair strategy | Widescale disaster backup & restoration |
| Spare tire and jack | Careful removable media management |
It has been trivialized a bit, but it is an apt comparison. Just as with automobiles, there are AFFORDABLE and FEASIBLE activities that bring risk to tolerable levels and reduce or prevent catastrophic failures, through diligent follow-up on maintenance (especially of consumables) and prescriptive procedures. Unfortunately, OT/ICS systems cannot be swapped out like enterprise systems, but they are often in easily defensible positions, are easy to inventory, can leverage much of what is already in place, and can use pragmatic OT-safe solutions that enable action. Really.
Instead of flailing and wasting effort, I want to reassure you that developing an adequate response AND recovery strategy for ransomware is possible, and more feasible than many leaders believe. Fancy detection and threat hunting will not help me while the car is already sliding, but compensating controls already in place can turn a 100 km/h calamity into a 30 km/h bump. Let's start 2021 with the pragmatic application of Identify, Protect, and Respond to the cybersecurity basics, such as asset inventory and control, and with less reliance on detection-only capabilities; it is far too easy to raise an alert, and much harder to act on it.
About the Author
Ron is an experienced technology consultant and seasoned cybersecurity specialist with deep expertise in critical systems, network security, deep packet inspection, data analytics, and secure embedded software development. He leads Verve’s research on vulnerabilities, cyber risk, and reverse engineering network protocols & firmware in OT/critical infrastructure. Ron’s insights and analysis help inform the company’s technology direction and provide valuable guidance in client engagements. He created the watershed S4 ICS detection challenge datasets, advised in aviation, and is globally recognized as a leading speaker for technical topics.
Verve Industrial Protection is an ICS/OT based cybersecurity company that has been providing & implementing solutions for over 25 years in oil & gas, pharma, energy, utilities, and packaged consumer goods. Verve delivers definitive action vendor agnostically beginning with detailed asset inventory-based technologies & cybersecurity for all types of assets (commodity systems, endpoints, network infrastructure, embedded devices, and control systems).
CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.