Industrial ransomware attacks are increasing—here’s what experts advise

‘The threat level genuinely has increased astonishingly much in the last 18 months,’ one expert tells IT Brew.

Watch your back. Industrial ransomware attacks are on the rise.

A report from security firm Dragos last month found that Q3 attacks on the industrial sector in North America rose to 36% from 26% the previous quarter, indicating that hackers are increasingly aiming at the region (attacks worldwide remained flat). Gangs like Ragnar Locker, Cl0p Leaks, Karakurt, and LockBit 3.0 have been aiming at manufacturers and infrastructural systems.

“The threat level genuinely has increased astonishingly much in the last 18 months,” Xage Security CEO Duncan Greatwood told IT Brew.

The attacks have come as industrial concerns move operations to the cloud and IT/OT convergence increases. As operations are pushed into information technology spaces, the attack surfaces increase in number, opening up the possibility for real damage and chaos, making convergence a double-edged sword.

“Because of the need for that data to flow in and out, the periphery is getting kind of like Swiss cheese,” Greatwood said.

Remote access. Part of the problem when it comes to ransomware is IT/OT convergence, said Forrester analyst Brian Wrozek. As industrial IT services move to the cloud, the ability for threat actors to access the systems is increasing. The move has made it so that where adversaries used to have to physically access OT systems, they can now do it remotely—a major change. And to get online, OT systems are relying increasingly on off-the-shelf computer systems rather than specially made computers.

“A lot of what drove the automation and power plants and all that was isolated from the internet and isolated from the company network,” Wrozek said, adding, “now, just like other companies, they are starting to connect those systems to other computer systems into the internet.”

There have been a number of OT ransomware attacks, according to Greatwood, but they have largely gone unreported in the media. Most operators will address the problem privately, but that may be changing due to federal efforts to urge infrastructural systems to report hacks. Still, successful ransomware attacks on OT systems remain rare.

But the ramifications of a successful attack could be far-reaching.

“The risks of a bad or even medium-sized attack and the risk of a really major attack or ransomware attack in operational networks are definitely massive consequences,” Greatwood said. “One of the effects of having a lack of protection is that what might otherwise be a small attack that could be easily contained to a relatively small area might end up infecting a really massive spectrum of operational systems.”

Fighting back. Industrial IT teams focused on creating a strategy to push back on ransomware attacks should turn to communication, coordination, and cooperation, Dragos’s director of intelligence content Tom Winston said. There’s a difference between what OT engineers do and what enterprise IT administrators and engineers and analysts do, but that shouldn’t mean the two aren’t in constant contact—the key is “asset visibility.”

“It’s really understanding where your assets are, how they’re connected, and then taking your in-depth mitigation approaches at the IP level to stop as much ransomware as possible,” Winston said.

Winston told IT Brew that while there has been an increase in attacks on OT, the actual risk remains negligible. Safety instrumented systems in OT environments make it incredibly difficult for hackers to actually control physical infrastructure and technology. Rather, the ransomware threat to industrial technology is the same as it is to other systems: the damage that can be done by exposing information to the world.

Figuring out what attackers want—and even if they’re aiming at OT in the first place—is essential to dealing with the attack.

“The real question becomes, with ransomware: Is the adversary targeting the operational technology?” Winston said. “Or are they stumbling upon it?”—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.
