In a study conducted by Forrester Consulting on behalf of Tenable, it was revealed that securing operational technology (OT) presents a notable challenge in India. Sixty-seven percent of respondents in India expressed concerns about vulnerabilities in operational technology software within their organizations.
Indeed, ransomware struck 56% of manufacturing companies surveyed between January and March 2023. Similar attacks are occurring with great frequency, and the result is immediate and substantial financial damage. As we approach 2024, Chief Financial Officers (CFOs) and Chief Information Security Officers (CISOs) must evaluate the risk implications for the business and weigh those risks against the cost of the security mechanisms required to protect it.
Increased investments into OT security
Investing in OT yields great benefits, with each dollar spent on OT security providing more value than a dollar invested in Information Technology (IT) security. A comprehensive cybersecurity program that includes OT risk exposure will ensure that risks which have long been invisible or ignored are surfaced and addressed.
Establishing a comprehensive and efficient security system begins with manufacturers precisely cataloging all assets and comprehending their composition, leaving no space for potential blind spots. This necessitates an investment in a comprehensive security solution that encompasses IT, OT, and IoT environments. The return on investment is contingent upon organizations being able to perceive what attackers see, and identify inter-relationships between devices, protocols, vulnerabilities, misconfigurations, users, and crucial business assets.
Threats to OT environments can manifest through unauthorized access, tampering, malware, exploitation of firmware or software vulnerabilities, and social engineering attacks.
Implementing a holistic security program requires technical controls, policies, and procedures to minimize the risk of a successful cyberattack. The initial step involves continuously assessing the security posture and foundational capabilities, achievable through investments in exposure management platforms that provide a contextual understanding of cyber risk.
Also required is an efficient and standardized way to understand risk in an all-encompassing way -- that is, full visibility into the entire organization. There are intricate relationships between the plant (OT) and the business (IT), and these relationships must be understood and measured from the top down. For example, an allowed IT-to-OT connection may itself have connections to the cloud on the IT side, exposing a path to compromise that cannot be understood without full visibility. Most organizations lack such universal visibility, and so are unable to see their full risk exposure from a multidimensional perspective.
Pivot from old-school cyber security approach
Securing OT poses unique challenges, primarily because passive-only monitoring techniques yield imprecise vulnerability and device configuration data. Enhanced techniques, such as querying assets directly, are often disallowed due to the perception that they will cause operational difficulties in the environment.
A comprehensive cyber security approach necessitates monitoring of the OT environment, starting with the crucial element of visibility. Operators must attain complete visibility into all IT and OT devices, including details such as model, family, type, firmware version, operating system version, hardware version, and serial number. The query mechanism can help to do this.
Querying means that the device is "asked" to reveal the details of its configuration, code, firmware version and more. This is done using vendor-specific read-only commands, so the operational state of the device is not affected. Query supplies the level of detail needed to fully understand the environment, and with it full visibility. Combining passive monitoring with query enables operators to monitor, manage, and secure their entire infrastructure proactively.
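The following is an added illustration of the passive-plus-query approach described above; it is example code written for this page, not code from the article or from Tenable. It assumes constructed placeholder protocol names, placeholder read-only operation names (not real vendor commands), and simulated device responses, and shows the two controls a practitioner would want: an allowlist so that only read-only operations are ever sent, and a merged inventory that records where each field came from, which required fields are still unknown, and where the passive fingerprint disagrees with what the device itself reports.

```python
"""Added example (not from the article or from Tenable): build one OT asset
inventory from passive observations plus read-only active queries, refusing
any operation that is not on a read-only allowlist. All addresses, protocol
names, operation names and responses are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed: what passive monitoring alone revealed. Note the gaps: no
# firmware version or serial number, and models that are only guesses.
PASSIVE_OBSERVATIONS = [
    {"ip": "10.1.5.10", "protocol": "modbus", "vendor": "ExampleVendor", "model": "PLC-100"},
    {"ip": "10.1.5.11", "protocol": "s7comm", "vendor": "ExampleVendor", "model": "PLC-150"},
    {"ip": "10.1.5.12", "protocol": "enip", "vendor": "OtherVendor", "model": "RTU-7"},
]

# Constructed allowlist of read-only operations per protocol (placeholder
# names, not real vendor commands). In practice this list comes from vendor
# documentation and a review with plant engineers; nothing else is ever sent.
READ_ONLY_QUERIES = {
    "modbus": {"read_device_identification"},
    "s7comm": {"read_system_status_list"},
}

# Constructed responses standing in for what the devices would answer.
SIMULATED_RESPONSES = {
    ("10.1.5.10", "read_device_identification"):
        {"model": "PLC-100", "firmware_version": "2.4.1", "serial": "SN-0001"},
    ("10.1.5.11", "read_system_status_list"):
        {"model": "PLC-200", "firmware_version": "1.9.0", "serial": "SN-0002"},
}

REQUIRED_FIELDS = ("model", "firmware_version", "serial")


@dataclass
class Asset:
    ip: str
    protocol: str
    vendor: str
    fields: dict = field(default_factory=dict)     # field name -> value
    sources: dict = field(default_factory=dict)    # field name -> "passive" | "query"
    gaps: list = field(default_factory=list)       # required fields still unknown
    conflicts: list = field(default_factory=list)  # (field, passive value, queried value)


def issue_query(ip, protocol, operation, responder=SIMULATED_RESPONSES.get):
    """Send one query, but only if it is on the read-only allowlist for the protocol."""
    if operation not in READ_ONLY_QUERIES.get(protocol, set()):
        raise PermissionError(f"{operation} is not an allowed read-only query for {protocol}")
    return responder((ip, operation)) or {}


def build_inventory(observations):
    """Merge passive data with read-only query results, recording provenance,
    remaining gaps and passive-versus-query conflicts for every asset."""
    inventory = {}
    for obs in observations:
        asset = Asset(ip=obs["ip"], protocol=obs["protocol"], vendor=obs["vendor"])
        if obs.get("model"):
            asset.fields["model"] = obs["model"]
            asset.sources["model"] = "passive"
        # Ask the device directly, using only allowlisted read-only operations.
        for operation in sorted(READ_ONLY_QUERIES.get(asset.protocol, ())):
            for name, value in issue_query(asset.ip, asset.protocol, operation).items():
                previous = asset.fields.get(name)
                if previous is not None and previous != value:
                    asset.conflicts.append((name, previous, value))
                asset.fields[name] = value      # the device's own answer wins
                asset.sources[name] = "query"
        asset.gaps = [f for f in REQUIRED_FIELDS if f not in asset.fields]
        inventory[asset.ip] = asset
    return inventory


def coverage(inventory):
    """Fraction of assets for which every required field is known."""
    complete = sum(1 for a in inventory.values() if not a.gaps)
    return complete / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    inv = build_inventory(PASSIVE_OBSERVATIONS)
    for a in inv.values():
        print(a.ip, a.fields, "gaps:", a.gaps, "conflicts:", a.conflicts)
    print(f"fully identified assets: {coverage(inv):.0%}")
```

Run as a script, the inventory shows the third device (a protocol with no approved read-only query) still missing its firmware version and serial number, and the second device's passive model guess contradicted by the device's own answer; both are exactly the blind spots the article says full visibility must eliminate.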
Preventive approach to cyber security
Embracing a preventive exposure management strategy empowers manufacturers to proactively outpace ransomware actors by pinpointing all entry points and potential vulnerabilities where unauthorized access or exploitation may occur.
The integration of Industry 4.0 technologies has blended modern and legacy systems, and Exposure Management emerges as the tool for manufacturers to see through the eyes of potential attackers. It facilitates effective communication of risks to relevant stakeholders, prioritizes actionable steps, and fosters collaboration between IT and OT security. By facilitating the identification of potential attack paths, exposure management ensures that risk is minimized.
Crucially, exposure management enables early threat warnings, insider threat discovery, and malware detection. Establishing connections between assets and users and categorizing risk levels enables operators to identify anomalies in traffic patterns, recognizing and mitigating threats lurking in their environment. This proactive approach significantly reduces the risk of downtime due to Distributed Denial of Service (DDoS) attacks, a preferred tactic among ransomware actors.
Anticipating the landscape in 2024, the surge in ransomware attacks on manufacturing environments is expected to continue due to the profitability of such nefarious activities. With the widespread adoption of Industry 4.0 technologies, manufacturers prioritize operational continuity and efficiency, recognizing the substantial financial consequences of production disruptions. Without robust cybersecurity controls, it becomes a matter of when, not if, manufacturers will fall victim to attacks.
By making strategic investments, organizations can concentrate on securing the network and controlling physical processes, enabling the proactive detection of threats and real-time responses to cybersecurity incidents. This forward-looking approach is crucial to maintaining a step ahead of ransomware actors.
-- Dick Bussiere, Technical Director, APJ, Tenable.