Ransomware in OT – keep your eyes on the ball!

11 Jan 2023

OT vulnerabilities are here to stay. The security policies we strive to implement are those that let us live with them and manage them, without putting (too many) limitations on production. One of the rising threats of the past few years is ransomware in OT. Just last week, the Canadian Copper Mountain Mining Corporation (CMMC) disclosed that it had shut down operations in its mills because of a ransomware attack, and we all remember the Colonial Pipeline attack, which also left its mark on the market. It is therefore surprising to learn that these two ransomware attacks, and others like them, were not OT or ICS related at all: they did not specifically target the control systems or the manufacturing environment. In fact, there was no real-time evidence that the attack ever “crossed the line” and impacted the OT systems. Most of these attacks are IT incidents, and as Dale Peterson recently put it, “General purpose ransomware that finds its way into an OT environment is not an ICS-OT directed attack”.

If that is indeed the case, why did these organizations shut down their OT operations at all, accepting both the cost of downtime and the damage to their reputation?


Decisions in the dark

There could be many reasons for this, and some rumors have already spread across the industry (for example, loss of access to the billing platform). While those may be partially correct, I would like to point out a simpler explanation: management confidence. From management's point of view, operating major facilities in what they believe to be a compromised environment is a risk they find hard to live with, even if the attack is IT-based rather than OT-based. I would make the case that even if the CISO himself recommended continuing operations, leadership would overrule that recommendation, preferring to withstand the consequences of a shutdown rather than take responsibility for continued manufacturing in a compromised environment. Once a network is compromised, management is not going to play chicken with the attackers. Unless... is there an alternative? How would management react if they had unbiased visibility that gave them the sense of trust they need?

Level 0 monitoring

The OT architecture includes a layer that represents the physical process itself (Level 0 in the Purdue model): the sensors and actuators and the raw signals they carry, not only the high-resolution process data collected from them. The electrical signals emitted by sensors and actuators provide unparalleled trusted visibility into the machine state, because they are not IP-based (in most cases) and because they are not part of the network suspected of being compromised. The caveat is that the monitoring path must stay out of band: a signal read back through the same PLC or the same network that is under suspicion inherits that suspicion. If we can assure management that any deviation from normal production parameters, regardless of the attack's sophistication, will be identified and reported immediately, they might decide to keep operating and avoid the downtime.
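What “monitoring the physics” looks like in practice, as an added example that is neither SIGA's code nor part of the original post: a small Python monitor that judges the process from raw 4-20 mA loop currents only. The two loops (a mill discharge flow meter and a mill motor current transducer), their normal bands, the step limits and the sample series are all constructed for illustration; the 3.6 mA and 21 mA fault thresholds follow the NAMUR NE43 convention for 4-20 mA transmitters. The example goes slightly beyond the text by also cross-checking two independent signals against an assumed physical relationship (a running motor must produce flow), which is the check that catches a spoofed value that looks plausible on its own.

```python
"""
Added example, not SIGA's product code: a minimal Level 0 plausibility
monitor over raw 4-20 mA loop currents. It never touches the IP network;
its only inputs are the currents measured on the sensor wires. The loop
definitions and the sample series are constructed for illustration.
"""
from dataclasses import dataclass

# NAMUR NE43 fault bands for 4-20 mA transmitters: below 3.6 mA means
# wire break / transmitter fault, above 21.0 mA means overscale fault.
FAULT_LOW_MA = 3.6
FAULT_HIGH_MA = 21.0


@dataclass
class Loop:
    name: str
    units: str
    eng_low: float    # engineering value represented by 4 mA
    eng_high: float   # engineering value represented by 20 mA
    band: tuple       # (low, high) normal process band, engineering units
    max_step: float   # largest plausible change between two samples


def ma_to_eng(loop: Loop, ma: float) -> float:
    """Linear 4-20 mA scaling to engineering units."""
    return loop.eng_low + (ma - 4.0) * (loop.eng_high - loop.eng_low) / 16.0


def check_loop(loop: Loop, ma: float, prev_eng):
    """Return (engineering value or None on loop fault, list of alarms)."""
    if ma < FAULT_LOW_MA:
        return None, [f"{loop.name}: loop fault, underscale {ma:.2f} mA"]
    if ma > FAULT_HIGH_MA:
        return None, [f"{loop.name}: loop fault, overscale {ma:.2f} mA"]
    eng = ma_to_eng(loop, ma)
    alarms = []
    lo, hi = loop.band
    if not lo <= eng <= hi:
        alarms.append(f"{loop.name}: {eng:.1f} {loop.units} outside band [{lo}, {hi}]")
    if prev_eng is not None and abs(eng - prev_eng) > loop.max_step:
        alarms.append(f"{loop.name}: step of {abs(eng - prev_eng):.1f} "
                      f"{loop.units} exceeds {loop.max_step}")
    return eng, alarms


# Assumed physical relationship for the cross-check: a motor drawing more
# than IDLE_AMPS must be moving material, i.e. discharge flow above MIN_FLOW.
IDLE_AMPS = 50.0
MIN_FLOW = 50.0


def cross_check(flow_eng, motor_amps):
    """Consistency between two independent signals; skipped while a loop is in fault."""
    if flow_eng is None or motor_amps is None:
        return []
    if motor_amps > IDLE_AMPS and flow_eng < MIN_FLOW:
        return ["motor running but no discharge flow"]
    if motor_amps <= IDLE_AMPS and flow_eng >= MIN_FLOW:
        return ["discharge flow with motor stopped"]
    return []


# Constructed loop definitions (hypothetical mill instrumentation).
FLOW = Loop("mill_discharge_flow", "m3/h", 0.0, 1000.0, (400.0, 800.0), 100.0)
AMPS = Loop("mill_motor_current", "A", 0.0, 500.0, (200.0, 400.0), 50.0)


def monitor(samples):
    """samples: list of (flow_mA, motor_mA). Returns one alarm list per sample."""
    report = []
    prev_flow = prev_amps = None
    for flow_ma, motor_ma in samples:
        flow_eng, a1 = check_loop(FLOW, flow_ma, prev_flow)
        amps_eng, a2 = check_loop(AMPS, motor_ma, prev_amps)
        report.append(a1 + a2 + cross_check(flow_eng, amps_eng))
        if flow_eng is not None:
            prev_flow = flow_eng
        if amps_eng is not None:
            prev_amps = amps_eng
    return report


# Constructed series: normal running, a wire break, recovery, then readings
# that no physical process could produce while the motor keeps running.
SAMPLE_SERIES = [
    (12.0, 12.0),   # 500 m3/h, 250 A: normal
    (12.4, 12.2),   # 525 m3/h, 256 A: normal
    (3.2, 12.4),    # flow loop underscale: wire break or tampering
    (12.8, 12.4),   # 550 m3/h: back in band, small step from 525
    (18.0, 12.4),   # 875 m3/h: out of band and an implausible jump
    (4.4, 12.4),    # 25 m3/h with the motor at 262 A: violates physics
]

if __name__ == "__main__":
    for i, alarms in enumerate(monitor(SAMPLE_SERIES)):
        print(i, alarms or "ok")
```

Every judgement here is made from the loop current alone, so an attacker who controls the IT network, or even the HMI, cannot make the monitor lie without physically altering the process or the wiring; that is the property that would let management keep the mill running while the IT side is cleaned up.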

As Joe Weiss (PE, CISM, CRISC, ISA Fellow) wisely noted recently in his blog: “neither IT malware nor ransomware could reach the sensor monitoring or the process. This means that the mill may NOT have needed to be shut down if the process sensors indicated the process was not affected. As any IP network can be hacked, monitoring the physics of the sensors off-line is arguably the only approach to justify continued operation during a ransomware or other IT cyberattack.”

Cybersecurity is a battlefield full of distractions. In the kingdom of the unknown, the basic discipline is to keep your eyes on the ball at all times. If the ball in OT is the machines and the production, we should all keep our eyes directly on them at all times.

SIGA has the technology to do exactly that.

Author: Ilan Sosnovitch, Channel Partner Manager, SIGA