Ransomware Crisis: 11 Actions to Secure Critical Infrastructure

Why Securing our Critical Infrastructure Matters

Operational Technology (OT) remains a key, but vulnerable technology for organizations with critical infrastructure. The U.S. Government has defined critical infrastructure as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

OT systems are crucial components in producing and delivering many of the resources that we rely on daily, such as clean water, fuel and electricity. Other Industrial Control Systems (ICS) provide necessary services such as traffic light systems, automotive plants and waste management facilities. Despite the societal importance and reliability of these systems, OT infrastructure remains insecure and vulnerable to cyberattacks that can cause physical harm to the public or interrupt the delivery of critical services.

Organizations operating critical infrastructure can mitigate the impact of security incidents and increase the resiliency of their OT infrastructure by following some key components of basic cybersecurity hygiene.

The Colonial Pipeline Ransomware Attack

Colonial Pipeline is a fuel pipeline company located just north of Atlanta, Georgia responsible for providing approximately 45 percent of the gasoline supply to the east coast of the United States.

On May 9, 2021, Colonial Pipeline released a statement acknowledging that they were a victim of data theft and ransomware attacks affecting their IT environment. Multiple news outlets reported that on May 7, the hacker group being called “Darkside” infiltrated the Colonial Pipeline network and stole over 100 Gigabytes of proprietary data.

Upon confirming the May 7 incident was a ransomware attack, Colonial Pipeline immediately shut down a portion of its systems and remained offline until May 12 to both contain the attack and to protect the safety and security of its pipelines and the safety of the general public. Colonial Pipeline has engaged law enforcement including the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a statement on May 11 indicating that at this point in time, there is no evidence showing any lateral movement to Colonial Pipeline OT network.

The impact of this incident and other recent attacks with elevated impact, has elicited action from the Biden administration to produce an executive order issued May 12 to improve the nation’s cybersecurity.

In addition to the operational cost associated with a pipeline shutdown, according to Bloomberg, Colonial also paid the hackers nearly $5 million in ransom within hours of the attack in order to restore its disabled computer network.

The question ICS / OT asset owners need to be asking today is what actions can be taken immediately in the short term, to mitigate cybersecurity risks to their critical infrastructure while long-term protective controls can be implemented (or assessed) for effectiveness. Here are some key short and long-term steps that critical infrastructure controls systems operators can take to mitigate the impact of a cyberattack:

Short-Term Steps Organizations Can Take

1.  Broadly assess the potential cybersecurity risks which jeopardize operational resiliency and affect ongoing business operations.
2.  Implement a robust network segmentation to minimize the impact of a cybersecurity attack on an organization’s critical infrastructure.
3.  Ensure a backup and recovery program is implemented, evaluated, and isolated from the production network.
4.  Secure remote access gateways and publicly available services. Validate that critical infrastructure assets are not exposed to the public internet. Ensure that all remote access and external access requires multi-factor authentication.
5.  Update Incident Response Plans, Business Continuity Plans, and Disaster Recovery Plans for all environments and ensure playbooks address potential impacts to critical infrastructure.
6.  Validate full coverage of security monitoring via Endpoint Detection / Response (EDR) products on endpoints and passive monitoring on the network with Network Detection / Response (NDR).

Strategic, Long-Term Steps Organizations Can Take

7.  Identify and backup critical project files to offline storage.
8.  Test and simulate your incident response plan via tabletop exercises and determine your organization’s response to ransomware operators.
9.  Implement manual override controls and alarms which permit operators to detect and override any unsafe commands sent to sensors or actuators.
10.  Invest in asset management to identify and validate the existing IT and OT technology devices throughout the organization.
11.  Develop threat hunting capabilities to proactively search for potential security incidents within the OT environment.

It is an unfortunate reality that ransomware attacks and cybersecurity incidents impacting critical infrastructure appear to be on the rise. Therefore, it is imperative that organizations start reviewing and testing their response capabilities and procedures before an incident occurs. We will continue to monitor the defenses listed above and continue to provide guidance to bolster the strategic approach organizations can take to improve their cybersecurity posture and ransomware detection and prevention capabilities.

Claire Gotham, Derek Dunkel-JahanTigh, Wesley Lee and Dhara Parikh also contributed to this post. To learn more about our ransomware advisory and recovery capabilities, contact us.

David Taylor

Managing Director
Security and Privacy

Justin Turner

Director
Security and Privacy

Dulce Prado

Senior Consultant
Security and Privacy

Subscribe to Topics

Protiviti is a Security Customer Champion award finalist in the @msftsecurity Excellence Awards. We are honored to join a group of industry leaders that demonstrated success across the security landscape over the past 12 months. https://ow.ly/yaHQ50R4won #MSPartner #MISA

Is your organization prepared to keep up with the ever-changing #DataPrivacy and protection regulatory landscape? Our latest insights paper can catch you up to speed: https://ow.ly/pept50QXRZS #ProtivitiTech

Mark your calendars for Protiviti’s 2024 Data Privacy and Protection webinar series. On April 25, learn how to enhance #ConsumerTrust through the user experience. On May 2, navigate the complexities of #DataGovernance in a global context. Register today! https://ow.ly/qF6a50QXOnr

Protiviti helped a #Manufacturing client realize enhanced data quality and a robust data governance program after upgrading to #SAP s/4 HANA, positioning the client for global transformation and continued success. https://ow.ly/T99450QXOGY #ProtivitiTech

Particle Physicist Dr. Harry Cliff joins The Post-Quantum Podcast to explain how #QuantumComputers can simulate particle interactions, how they can handle mind-boggling amounts of data, and his new book, Space Oddities. Listen now! https://ow.ly/i1vw50QXQng #ProtivitiTech

Load More