Representative End User Clients
Representative Automation Clients
Representative Software Clients
Overview
Ransomware attacks have become very common in recent years. With malware kits being readily available for download, they are relatively easy to launch and present an opportunity for considerable monetary gain. Any system that is connected to the Internet – directly or indirectly – is potentially vulnerable. This Insight examines the risk of ransomware attacks on Operations Technology (OT) systems. The nature of the risk is different than for typical business systems because of the different potential consequences.
Identifying and addressing these risks was the subject of a workshop conducted as part of the 26th annual ARC Forum in Orlando. Speakers Michael Fabian of Synopsys Software Integrity Group and Klint Walker of the Cybersecurity and Infrastructure Security Agency offered specific guidance on how to address these risks, and panelists Sandra Parker of Dow, Glenn Aydell of BASF, and Torey Smith of Hemlock Semiconductor shared their perspectives.
The Current Situation
Compromises of computer and network systems have been with us for some time. Reporting on successful and unsuccessful attacks has increased as awareness of the potential consequences has grown. These attacks come in many forms, but one of the more prevalent is the ransomware attack. Ransomware is defined as a type of malicious 
software designed to block access to a computer system until a sum of money is paid. Such attacks are essentially a form of extortion, with the goal being to obtain money from the owners of the target system.
The number of ransomware attack reports has increased in recent years. While this may be due in part to increased awareness of this type of attack, it is reasonable to assume that the actual number of such attacks has also increased. This is not surprising because such attacks represent a popular means of monetizing the use of malicious software. Also, sophisticated knowledge and expertise are not required because it is easy to locate and download ransomware kits from the Internet.
Based on reported incidents and other anecdotal evidence it should be apparent that the threat posed by ransomware is real. Given that such attacks are relatively easy to launch it is unlikely that this threat will wane in the foreseeable future. Moreover, threats of this type cannot be limited to specific sectors or industries.
Not Just IT Anymore
People often assume that ransomware attacks only target companies in sectors such as financial services and healthcare, where there is a significant incentive to pay for access to their sensitive data. It is also tempting to assume that these attacks do not present a serious threat to OT systems since they may not be the repository of such sensitive or proprietary business information.
These are dangerous assumptions because ransomware can be used to prevent access to any information that is essential to conducting normal business. It is simply a matter of directing the malicious software to a different target. This is an example of IT and OT systems being vulnerable to a common threat.
Interconnectivity
In many cases, vulnerability increases simply because of increased interconnectivity. It is now quite common – if not prevalent – to have direct connections between OT and IT systems. This in turn has had the unintended consequence of increasing the attack surface of the connected OT systems.
Common Technology
The risk to OT systems is also increased because they are typically built using commercial-off-the-shelf (COTS) technologies, such as operating systems, databases and networks. This trend has been prevalent for decades and is irreversible.
Risk-based Response
Just as with any other aspect of cybersecurity, mitigation of the ransomware threat is an important imperative. Unfortunately, there are no single or specific actions that protect systems against this threat. This can only be accomplished using a comprehensive risk assessment. It is essential to understand all aspects of the risk, including threat, vulnerability, and consequence. Each may be addressed to some degree using specific responses.
Potential Consequences
Perhaps the most important component of risk for the asset owner is consequence. Consequences can only be identified and assessed by the asset owner, because only they have the necessary understanding of the full impact of a cybersecurity incident. Although the details of the various consequences are very specific to the situation, there are several general categories.
- Inability to operate – For most ransomware incidents, the consequences can be characterized as an inability to continue normal operations. If essential data is encrypted in a manner that prevents access, then it is impossible to conduct business using that information. Moreover, even if the ransom is paid and the data is decrypted, there can be no assurance that the data hasn’t been altered by the adversary. Thus, the owner loses confidence in the integrity of the information.
- Loss of intellectual property – Another possible consequence is a loss of any intellectual property contained in the ransomed information. Of course, this type of loss does not require encryption and ransom demands. The adversary simply must copy the information after gaining illicit access. There are various types of intellectual property that may be at risk in OT systems.
In some cases, the control strategy at the base of the automation programming may be considered sensitive and proprietary if the way the process is automated is viewed as providing a competitive advantage.
ARC Advisory Group clients can view the complete report at ARC Client Portal
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: Availability, Cybersecurity, Integrity, Ransomware, Reliability, ARC Advisory Group.