How to Build Your Game Plan to Win the Fight Against Utility Ransomware
At this year’s DISTRIBUTECH International, I presented alongside Michael Meason, senior manager of information and security at Western Farmers Electric Cooperative, to share our insights and experience implementing cybersecurity systems for utilities. Here are some of the key takeaways from our presentation, “Practical Considerations to Combat Rising Ransomware.”
By Mike Prescher, Lead Network Architect, Black & Veatch
If you’re a football fan like me, you know the saying “Defense wins championships.” The idea is that a strong defense stops the offense from getting into scoring position, reducing the opponent’s probability of reaching the end zone and putting points on the board. We often apply this strategy and perspective to cyber conflict over critical infrastructure. By focusing on defense, utilities stand a much better chance of coming out on top of a cyber confrontation. In a Cyber Attack for Ransom (CAFR), utilities with a strong defensive strategy and a well-trained workforce are better equipped to identify their high-consequence systems, set up a strong defensive perimeter and short-circuit the attack. The desired result is that no ransom is paid and operations continue uninterrupted.
According to Dragos’ ICS/OT Cybersecurity Year in Review 2022, the firm tracked 605 ransomware attacks across the energy, automotive, agriculture, water, mining and metals industries in 2022, an increase of 87% from 2021. The report went on to state that 21 of these attacks were in the oil and gas sector, along with seven in engineering utilities.
A utility cannot rely on governance, compliance and cybersecurity hygiene alone (i.e., firewalls, network access control, application allow-listing, anti-virus, access management, etc.). Further measures are needed to ensure your utility is prepared to prevent and defend against a CAFR. Your best ally against an attack is a practical, practiced and intentionally uncomplicated response plan, ready to go, with pre-defined, pre-approved triggers for when to enact it.
A “think like an adversary” approach is a mindset championed by Idaho National Laboratory’s (INL) Consequence-driven Cyber-Informed Engineering (CCE) methodology. According to INL, it’s good practice when planning your cybersecurity strategy to assume bad actors have already surveilled your utility and are preparing for a cyber-physical attack. INL advocates understanding and ranking systems and processes by criticality or impact. This ensures the highest-consequence elements receive the required monitoring, protection and applied training your team needs to take specific courses of action once certain criteria are met. This is your advantage over an attacker who may understand your system’s technology better than you do, but not how the system functions within your own environment. Only a utility’s operational team truly understands how its systems are designed to act and support the overall operation.
Here are three main principles to help guide a cyber defense strategy to survive a contested environment.
1. DETECT: How are you going to spot an intruder?
“The last thing an attacker does is deploy ransomware,” Meason says. It may take weeks or months of preparation and reconnaissance to learn a system’s technology and architecture before an attacker proceeds with his or her final action on objectives. “An attacker gains access, achieves a perimeter breach, and probably makes a lateral move across the system and then ultimately encrypts files at a time of their choosing. The last thing they do is ransomware,” Meason emphasizes.
Your ability to detect the first instances of a system compromise increases your chances of preventing an attack from spreading and being held hostage to an adversary’s ransom and a ticking clock. A ticking clock can wreak havoc on an operational team’s psychological state and adversely impact response time and decision-making. The earlier you detect an intrusion in the attack scenario, the better you can predict the attack trajectory and defend your most critical assets and keep them operational.
Establishing an operational baseline and defining what “good” looks like is key to detecting when systems are not measuring up to the required performance level. Such a deviation should trigger heightened awareness among a utility’s operational team and the start of the defense strategy. This is when pre-defining which critical systems to safeguard from attack comes into play, and why it’s so important to engineer your network in ways that enable you to segment and protect.
2. SEGMENT: Shrink Your Attack Surface
When you recognize an anomaly in your system, you need to act fast. To prevent a breach from reaching a stage where paying the ransom is your only option, you should have a predetermined set of criteria that directs the utility’s defense team to segment the network in such a way that high-consequence systems and processes remain operational. This is working in a contested environment, enabled by shrinking the attack surface as quickly as possible.
Designing and engineering the network to rapidly isolate high-impact, high-consequence grid operations is essential. A packet-based transport network with built-in redundancy, proper internet protocol (IP) address schemes and management, routing protocol selection, and configuration are practical design considerations that enable operational technology (OT) and information technology (IT) teams to segment network operations and keep critical assets up and running.
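As an added example (not from the presentation or from Black & Veatch), the detect-then-segment loop described above can be expressed as code: a baseline of the flows an OT segment is engineered to carry, a deviation check against observed telemetry, and a pre-approved, numeric trigger that names the hosts to isolate. All addresses, ports and flow records are constructed, and the threshold is a hypothetical criterion a utility would set for itself.

```python
"""Baseline-deviation segmentation trigger for an OT network segment.

Added example; the flows, addresses and threshold are constructed, not
taken from any real utility. Each flow is (src, dst, dst_port).
"""

# Constructed baseline: the flows this segment is designed to carry.
BASELINE_FLOWS = {
    ("10.20.1.10", "10.20.1.50", 502),    # HMI -> PLC, Modbus/TCP
    ("10.20.1.11", "10.20.1.50", 502),    # engineering workstation -> PLC
    ("10.20.1.10", "10.20.1.60", 20000),  # HMI -> RTU, DNP3
    ("10.20.1.20", "10.20.1.10", 443),    # historian -> HMI
}

# Constructed telemetry, one "src dst port" record per line. The last
# four lines are the deviation a baseline is meant to surface.
OBSERVED = """\
10.20.1.10 10.20.1.50 502
10.20.1.11 10.20.1.50 502
10.20.1.10 10.20.1.60 20000
10.20.1.20 10.20.1.10 443
10.20.1.11 10.20.1.99 445
10.20.1.11 10.20.1.98 445
10.20.1.11 10.20.1.97 3389
10.20.1.20 10.20.1.10 443
"""


def parse_flows(text):
    """Parse 'src dst port' lines into (src, dst, int(port)) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            flows.append((src, dst, int(port)))
    return flows


def deviations(flows, baseline=BASELINE_FLOWS):
    """Return observed flows absent from the baseline, grouped by source host."""
    by_src = {}
    for flow in flows:
        if flow not in baseline:
            by_src.setdefault(flow[0], []).append(flow)
    return by_src


def segmentation_trigger(flows, baseline=BASELINE_FLOWS, max_new_peers=2):
    """Pre-approved criterion (hypothetical): a host that reaches more than
    max_new_peers destinations outside the baseline is flagged for isolation."""
    flagged = []
    for src, devs in deviations(flows, baseline).items():
        if len({dst for _, dst, _ in devs}) > max_new_peers:
            flagged.append(src)
    return sorted(flagged)
```

Running `segmentation_trigger(parse_flows(OBSERVED))` flags only the engineering workstation, whose three new peers exceed the criterion, while the historian's repeated baseline flow is ignored.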
3. RESTORE: Stay Operational and Minimize Impact on Service
Quick restoration takes procedures and practice to make sure a team is ready and able to restore an affected system. Just like football, the more you sweat in practice, the less you bleed in battle. The goal is to practice backup and restoration procedures so that a compromised system has minimal impact. There are also specific architecture elements to apply in your network design that improve protection of the recovery systems themselves and enhance your ability to bring off-line or near-line recovery into play.
Remember: An attacker likely knows your system’s technology, but you have intimate knowledge of how your system uses this technology and how your system is set up to respond. Use this “perfect knowledge” to your advantage by setting up pre-defined, pre-approved, and tested restoration and response methods that your team is well-trained to implement when the time comes. These methods and procedures can take your restoration from days down to hours and from hours down to minutes.
Contact us today for help following the methodology and developing a disciplined approach to securing your systems.