The Colonial Pipeline cyber attack could have had much more severe consequences had the ransomware spread to the operational technology. Experts argue that business interruption has now evolved into business disruption, and there is no way that the industry can deter threat actors.
It would be unfair to point fingers at businesses that get attacked with ransomware. Even though they could have done a better job of protecting themselves, we are dealing with criminal enterprises that now reinvest the millions they collect in ransom into their affiliates and ransomware developers. Here’s what we learned during the webinar on ransomware and the threat to operational technology, organized by the cybersecurity firm Flore Albo LLC.
The Colonial Pipeline incident could have been much worse
Firstly, it is vital to highlight the difference between information technology (IT) and operational technology (OT). According to Mark Carrigan, COO of PAS and an expert in OT cybersecurity, OT is where the physical world meets the digital world.
“When it comes to manufacturing, there’s some device out there in the field that’s getting a signal, that signal goes back to a special computer that processes information, sends a signal back out to take physical action to enable production. That could be putting a part on a car, opening a valve to create more steam so I can create more electricity. Today, modern production, especially in critical infrastructure and many other industries, relies upon OT,” he said.
OT devices are computers, too, but they have very different characteristics from traditional IT. One of the main differences is age. Critical infrastructure companies, such as refineries or power plants, can be running OT that is 10-15 or even 30 years old.
“Why are they so old? Number one – it is very expensive to change them out. The programming and the engineering that goes into them is very delicate, and migrating it to a new system is not an easy task,” Carrigan said.
And even if the system is upgraded, the basic design of new industrial control systems is usually “insecure by design.” Things such as zero-trust can’t be applied in the OT world, Carrigan explained.
Because of the age of these systems and their differences from IT, there are often severe compatibility issues when trying to apply either good practices or good technology to these OT devices.
“In many cases, IT technology that you applied to the OT world can break it. It can cause malfunctioning, and it can cause it to go offline. The other big issue is reliability, especially in safety-critical processes, whether offshore production of oil or a power plant, where these things have to be available 24/7. I can’t take them offline on a Saturday to implement a patch. I can’t take that system down because of the impact on production,” Carrigan explained.
There might be products from hundreds of different vendors, and thousands of different code bases only add to the challenge.
“I promise you – our adversaries in this space are learning about these software applications, buying them, understanding which ones are being used frequently, and exploiting that to gain access,” Carrigan said.
In the case of Colonial Pipeline, the ransomware got in through the traditional IT. The operator shut down their control systems very early, preventing malware from spreading into the OT system.
“The issue there could have been, they may not have been down for about five days, they could have been down for weeks or even months, depending upon the status of their backups of other things that are in the OT world,” Carrigan explained.
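The Colonial Pipeline response described above hinged on the IT/OT boundary holding. The following is an added example, not code from the webinar or from any of the speakers' companies: a small flow-log audit that checks whether traffic between a corporate IT network and a control network passes through an intermediate zone rather than crossing directly. The zone addresses, the allowed zone pairs and the log format are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed zone layout (constructed for this example): corporate IT, a
# buffer zone between IT and OT, and the OT control network.
ZONES = {
    "it": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],
    "ot": [ipaddress.ip_network("10.30.0.0/16")],
}

# Assumed segmentation policy: IT talks only to the DMZ, and only the DMZ
# talks to OT. Anything else crossing zones is reported for review.
ALLOWED = {
    ("it", "it"), ("dmz", "dmz"), ("ot", "ot"),
    ("it", "dmz"), ("dmz", "it"),
    ("dmz", "ot"), ("ot", "dmz"),
}


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flow(line: str) -> Optional[Tuple[str, str, int]]:
    """Parse a constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ipaddress.ip_address(parts[1])
        ipaddress.ip_address(parts[2])
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def audit_flows(lines: List[str]) -> List[Finding]:
    """Return one Finding per flow whose zone pair is not in the allowed set."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue  # malformed record: skip rather than fail the whole audit
        src, dst, dport = parsed
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED:
            findings.append(Finding(
                src, dst, dport,
                f"{pair[0]}->{pair[1]} flow bypasses the DMZ (dst port {dport})",
            ))
    return findings


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    "2021-05-07T12:00:01 10.10.5.23 10.20.0.10 443 tcp",   # IT -> DMZ: allowed
    "2021-05-07T12:00:02 10.20.0.10 10.30.1.5 502 tcp",    # DMZ -> OT: allowed
    "2021-05-07T12:00:03 10.10.5.23 10.30.1.5 445 tcp",    # IT -> OT directly: flagged
    "2021-05-07T12:00:04 10.10.5.24 10.30.1.6 3389 tcp",   # IT -> OT directly: flagged
    "2021-05-07T12:00:05 10.30.1.5 10.10.5.23 53 udp",     # OT -> IT directly: flagged
    "this line is malformed",                              # skipped
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

Run against real flow exports the same function works unchanged; only `ZONES` and `ALLOWED` need to reflect the site's actual network plan, and a finding is a prompt to review a firewall rule, not proof of compromise.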
Vulnerable back-up systems
Ransomware is now an existential threat to business, Anthony Belfiore, Chief Security Officer of insurer Aon, said. When he used to work for JP Morgan Chase, the bank was being hit by the government of Iran with targeted DDoS (distributed denial of service) attacks for six months straight. But, as Belfiore said, it was not an existential threat. It was just annoying.
“The game has changed. The business interruption has evolved into business destruction, and cyber insurance has to evolve with that. It has to become business-resilience insurance,” he said.
Given the seeming inevitability of cyberattacks, a growing number of organizations are turning to cyber insurance, with estimates that protections are in place worth over $1 billion.
Having a backup may help you restore your business after you’ve been hit. But it is no silver bullet. Belfiore said that most companies don’t have an effective backup for older infrastructure.
“We prioritize based on tiering, criticality, business need or process, we link critical business process to critical application to underlying infrastructures, and we are very surgical on what we back up and how we do it because there are big costs associated with it,” he said.
Even if you have a backup, if it is online it is a potential risk.
“Cold storages are much more secure than hot storages. Having things online has a price to pay. If it has an IP and I can interact with it, I can also mess with it,” he said.
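Belfiore's two points, tier-based prioritization and the risk of backups that stay reachable, can be turned into a simple inventory check. The following is an added example, not code from the webinar or from Aon: it classifies each system's backup copies by whether a compromised production host could reach and alter them, and orders the resulting gaps by business tier. The tiers, freshness limits and sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class BackupCopy:
    location: str
    online: bool      # reachable over the network from production ("it has an IP")
    immutable: bool   # write-once or retention-locked, so it cannot be altered remotely
    age_days: int     # days since this copy was last refreshed


@dataclass
class System:
    name: str
    tier: int         # 1 = most critical business process (assumed scale)
    copies: List[BackupCopy] = field(default_factory=list)


# Assumed maximum acceptable age of an isolated copy, per tier.
MAX_AGE_BY_TIER = {1: 1, 2: 7, 3: 30}

# Worst-first ordering of the statuses assess() can return.
STATUS_ORDER = {"no-backup": 0, "online-only": 1, "stale-isolated": 2, "ok": 3}


def is_isolated(copy: BackupCopy) -> bool:
    """A copy counts as isolated if it is offline or cannot be modified remotely."""
    return (not copy.online) or copy.immutable


def assess(system: System) -> str:
    """Classify a system's recovery posture from its backup copies."""
    if not system.copies:
        return "no-backup"
    isolated = [c for c in system.copies if is_isolated(c)]
    if not isolated:
        return "online-only"      # every copy could be altered from production
    max_age = MAX_AGE_BY_TIER.get(system.tier, 30)
    if not any(c.age_days <= max_age for c in isolated):
        return "stale-isolated"   # an offline copy exists but is too old for this tier
    return "ok"


def report(systems: List[System]) -> List[Tuple[str, int, str]]:
    """Return (name, tier, status) tuples, worst status first, then by tier."""
    rows = [(s.name, s.tier, assess(s)) for s in systems]
    return sorted(rows, key=lambda r: (STATUS_ORDER[r[2]], r[1]))


# Constructed sample inventory, not a real estate.
INVENTORY = [
    System("historian-db", 1, [
        BackupCopy("nas-01", online=True, immutable=False, age_days=0),
        BackupCopy("tape-vault", online=False, immutable=True, age_days=1),
    ]),
    System("hmi-config", 1, [
        BackupCopy("nas-01", online=True, immutable=False, age_days=0),
    ]),
    System("erp", 2, [
        BackupCopy("object-store-locked", online=True, immutable=True, age_days=3),
    ]),
    System("legacy-plc-projects", 1, []),   # old infrastructure with no backup at all
    System("hr-portal", 3, [
        BackupCopy("tape-vault", online=False, immutable=True, age_days=45),
    ]),
]

if __name__ == "__main__":
    for name, tier, status in report(INVENTORY):
        print(f"tier {tier}  {name:22s} {status}")
```

The output puts the tier-1 system with no backup at the top, followed by the tier-1 system whose only copy is online and writable; the immutable online copy for `erp` is accepted because retention locking, not physical disconnection, is what keeps it out of reach.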
Cat and mouse game
Steve Katz, former CISO of Citigroup and a 40-year industry veteran, said that ransomware has become more profitable over time. Criminals used to demand hundreds of thousands of dollars as ransom, but now having your files decrypted costs far more, up to a whopping $70M.
Ransomware developers are not stupid people, he argued. They are well-funded, and their business model earns them a piece of the ransom simply by renting ransomware to other criminals.
“The only way we can get ahead of it is stopping at its source. I think today you are looking at a very interesting geopolitical framework for the development of ransomware,” he said. As long as there are countries where cybercriminals reign freely, “we have a big problem.”
“It has to be addressed at the highest levels of government. I think we are seeing a little bit more of that today,” Katz said.
The money they get from their victims makes ransomware gangs stronger, more trained, and in great demand in the market as other criminals are eager to rent their product.
“Ransomware is a wonderful asymmetric way to deal with geopolitical issues,” he added.
Carrigan agreed that this is a geopolitical game. “We can’t necessarily apply US laws and everything else, but ultimately, this is a good business. And until the business is interrupted, we are going to continue dealing with this problem.”
Companies, he argued, have a duty to protect critical infrastructure, but it would not be fair to point fingers and blame them in case of an attack.
“Don’t forget, when this happened to a company, when this happened to Colonial, they were victims of a crime. This was a criminal enterprise extorting, and we can’t forget that they are victims of a crime by a well-funded group getting after them. Sometimes, we get a little eager in the media and other circles trying to play the “gotcha game”: oh, look at that little thing, that’s what caused it. It could have been prevented. There are 50,000 other things that could have been exploited as well. It’s a bit of a cat and mouse game in that regard,” he said.
There’s nothing the industry can do to deter this or pursue threat actors, so the government needs to take a more active approach.
“I believe it is the responsibility of the operators of critical infrastructure to play defense, but it’s the government’s responsibility to play offense,” he said.