The challenge of 2021 for security professionals is undoubtedly ransomware. It has, of course, been around for some years, but it really gained notoriety when the WannaCry and NotPetya attacks affected the NHS in the UK and the global shipping giant Maersk.
More recent attacks have cemented this malware genre at the high end of the risk spectrum, with notable examples being the Colonial Pipeline attack in May that led to fuel shortages and impacted US gas prices, the subsequent JBS Foods outbreak that caused food supply chain disruption, the continued attacks on healthcare in Ireland and New Zealand and even an attack on the insurance giant AXA SA.
The problem with ransomware is the level of disruption it causes. When you’re faced with encrypted and inaccessible data it doesn’t just mean that you can’t open files; on some systems the loss of that data stops many more important things from working. If, for example, it’s a domain controller or database, the IT team will try to contain the spread of the infection by turning systems off, quarantining systems or even disconnecting the Internet.
This means that parts of the business that are otherwise unaffected can also lose the ability to operate. We saw this with Colonial. The billing system was affected by ransomware, but the pipeline systems were impacted (and deliberately isolated) by the response to it.
Additionally, the recovery process itself might not go entirely to plan. Colonial paid the ransom but found the decryption tool was too slow, so they had to revert to backups anyway. In the case of a food distribution business, getting data back and systems running again may not be quite as time dependent, but the concentration of food producers could quickly create a single point of failure. In healthcare the stakes are even higher, where interruption to IT medical systems can have immediate and fatal implications. Sadly, it’s for this reason that cynical ransomware attacks on healthcare systems are so prevalent. The implications of ignoring the threat are too high, and criminal groups know that.
Everyone is concerned about ransomware, and rightly so, but in the critical infrastructure sector the problem of loss of data and availability of systems is acutely felt, and not just by the company. Depending on the victim it can affect every one of us.
The problems come when the services and supply chains affected are time critical or they have the potential to impact our wellbeing. Petrol supplies can run low or be rerouted before there are major issues, food supply chains likewise, but in sectors like healthcare substitution is more difficult. Yes, you can postpone operations or treatment but that may lead to life threatening consequences.
If water supplies are disrupted, the power goes out, gas supplies are cut, or telecoms are down, the effects are much more immediate and widespread. If people can’t heat their homes, cook food, or access clean water, these things impact our wellbeing and quickly take their toll. The threat of ransomware attacks on these types of business is of most concern because of their potential to have major ramifications for our society, much more severe than even the worst scenarios we have seen so far in 2021.
Initially the threat models that were contemplated and planned for in these sectors were intrusion by skilled and malicious hackers intent on disrupting service delivery – someone who would gain access and subvert systems to disable pumps, alter flows, disable control systems or destroy machinery.
The concerns were that the attacks would be focused on the industrial control systems (ICS) themselves or on SCADA equipment. Defending against ransomware in the wider IT environment, as it spreads across the more traditional (and less important) platforms and progressively turns systems into an encrypted logjam, was a priority.
It was these more sector-focused attacks on ICS/OT/SCADA that were front of mind when initiatives like the NIS Directive were instituted by the EU back in 2016 and when the US National Protection and Programs Directorate (NPPD) was set up in 2007 (and its successor CISA in 2018).
More recently, the NCSC in the UK has published guidance on mitigating ransomware, as has the ACSC in Australia, and the White House issued a “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” on 28 July 2021, which followed hot on the heels of the “Executive Order on Improving the Nation’s Cybersecurity” in May.
In Australia things are moving quickly. A new Critical Infrastructure Bill (CIB) seeks to (i) expand the sector beyond traditional utilities and (ii) in consultation with participants, agree a regime of enhanced cyber security safeguards for the sector. Following the Colonial and JBS attacks, Australia has seen the risks of cyber attack on infrastructure targets as so urgent that it has sought to accelerate legislation by splitting the CIB. Part 1 of the CIB, currently before Parliament, seeks to quickly give the government last-resort powers to “step in” to assist an organisation during a cyber attack. Part 2 of the Bill, which includes the definition of protective risk management programs yet to be agreed with each industry, will then follow.
As its variants continue to yield worsening consequences for victims, ransomware sits menacingly between specialist SCADA and OT controls systems and the wider IT network security environment. The implications of an attack, therefore, can be highly disruptive either in the IT or OT environments and even worse if it impacts the provision of critical services to customers.
The recent events confirm, absolutely, that critical infrastructure providers need to avoid ransomware at all costs. This means that while they can contemplate specific detection systems and malware controls, they also need to focus on the basics of cyber security protection across both the OT and IT environments. Defending risk vectors with acknowledged security controls that can measure and report effectiveness levels to cyber risk management teams is vital.
The aforementioned guidance from Australia’s ACSC sums up the best approach concisely:
“Investing in preventative cyber security measures, such as keeping regular offline backups of business-critical data and patching known security vulnerabilities, is more cost effective than the comparative costs incurred when attempting to recover from a ransomware incident.”
Ransomware Readiness means having controls to prevent initial infection, contain the spread and recover data.
Prevention is obviously vital, but Containment is especially critical for CI organisations where the knock-on effects, regulatory pressures, and affected parties can quickly become overwhelming.
A commercial business might have no qualms about closing off parts of its systems and slowing its ability to take orders for a few days. A power company, however, cannot shut off electricity supplies in the same way.
From what we’ve discussed, the logic is simple: for boards and senior managers of CI organisations it is important to have confidence that security controls are in place and operating effectively.
There are numerous Information Security Management Systems standards and frameworks that operate effectively across the sector. What is most important in the CI sector, however, is that operations and senior management teams can quickly gain visibility of the state of their security control effectiveness, on-demand, from a baseline set of quantitative KPIs. If shortcomings are identified in any of the controls they can then be quickly mitigated and the risk of a security breach effectively managed.
If the best policy is to prevent impacts, through stopping initial infection, containing the spread and recovering data, these controls must be managed just like safety-critical systems are in OT environments. This is where risk management comes in: you might have controls, but you can’t wait until they fail to be alerted to their potential for failure. If there are vulnerability gaps, they need to be quickly identified and mitigated, and corrective actions taken. Accurate reports need to clearly evidence the state of security maturity.
Lack of understanding and inadequate oversight are arguably two of the biggest challenges when it comes to effective security management. The presence of basic security controls, like patching, must be confirmed and their effectiveness measured so that any deficiencies can be quickly identified and fixed. Unmitigated weaknesses are exactly the gaps that attackers search for, so systematic risk assessments can improve your intel and reduce the risk of a ransomware attack.