Cyber threats to networks: What every CISO should know

Experts from OT-ISAC, the Cyber Security Agency of Singapore, and Claroty—along with Admiral (Ret.) Michael S. Rogers, Team8 Advisor and the Chairman of Claroty’s Board of Advisors—came together for an engaging conversation on the implications of recent cyberattacks on OT networks and key efforts to improve OT cybersecurity posture against these threats. Part of the OT-ISAC Digital Series, the discussion on “Cyberattack Implications on OT Networks” covered a range of topics, including:

• Trends in ransomware and other attacks that impact OT networks
• The need for public/private sector collaboration
• The role of zero-trust models in tackling supply chain risk
• How to build resilience and its impact on better decision making
• Top technologies that will shape critical infrastructure security

Below are just a few of the key takeaways from the session

Ransomware is a long-term issue, so we need sustainable solutions.

Ransomware has evolved from a nuisance to a serious threat because there is no lack of victims, attackers can reuse techniques with great success, and it’s a direct line to profits. Recently, we’ve seen increased diversity and variety in the nature and objective of attacks. The attacks on Colonial Pipeline and JBS Foods were primarily focused on getting ransom. However, the SolarWinds supply chain attack included the ability to beacon out to command-and-control servers and exfiltrate data from certain victims. And the attack against the Oldsmar water-treatment facility is widely viewed as an attempt to poison the water supply. Ransomware campaigns and the threat actors behind them are large, well-funded, and prolific, making it impossible for individual companies to address this issue on their own. And legislation to make ransomware payments illegal won’t eliminate this rampant and increasingly destructive threat either. Ransomware is here to stay, so we must come up with approaches and solutions we can sustain over time. Which leads to the next two takeaways: the need for collaboration and building resilience.

No one single group has all the answers: collaboration is key.

Many of the critical functions that underpin our way of life are provided by individual companies. Protecting them requires an ecosystem of stakeholders that includes public and private sector entities, working together to address ransomware across its entire lifecycle, from the initial attack to the disruption to the payment system to education and awareness. The private sector brings much of the technology and innovation to strengthen defenses and build resilience. While government has visibility into the cascading effects and interdependencies of such attacks, as well as the means to incentivize behaviors that will help drive the collaboration needed to address ransomware. For example, by changing tax laws, mandating timely reporting, and removing liability concerns for those who report attacks, we can encourage information sharing and change the dynamics. When we can share learnings from each incident quickly and apply those lessons to strength defenses and build resilience, we can prevent adversaries from continuing to use the techniques with success. Tapping into the capabilities and advantages each party in the ecosystem brings and collaborating to create a shared vision and holistic plan, will lead to better outcomes.

Organizations lack visibility and confidence to make the best decisions – we can change this.

There’s a tendency for organizations to make decisions on how to respond to an attack based on what they do not know, versus what they do know. For instance, shutting down operations out of an abundance of caution, but not based on any information to indicate that the OT network has been directly affected. These decisions are often driven by a lack of visibility and understanding of the organization’s level of exposure and limited confidence in their ability to mitigate the impact to the OT network. Most organizations are aware that adequate backup systems and recovery plans are essential for building resilience to ransomware attacks. However, visibility into impacted systems and the other systems that depend on them – financial, billing, OT, and others – is also important to understand exposure so you can make better decisions about what actions to take.

To build confidence in the ability to mitigate the impact to the OT network, panelists recommend the following industrial cybersecurity capabilities:

• Deep visibility into the OT network itself so you have accurate knowledge of your network structure, endpoints, and connectivity paths provides a current inventory so you can patch systems or apply additional verification or other compensating controls on legacy and unsupported systems.
• Continuous network monitoring for unusual activity allows you to see when bad actors enter the network and respond faster to make a bad situation better.
• Secure remote access and operations through multi-factor authentication (MFA), role-based access, and least privilege access, along with strict controls over sessions, provides off-site access to OT environments while minimizing the substantial risks introduced by remote workers.
• Encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware.
• Network segmentation is a critical strategy to impede attackers’ lateral network movement. In today’s hyper-connected world, OT networks are no longer air-gapped and network segmentation compensates for this.
• Convergence of IT and OT under one SOC enables organizations to shift from compliance-based models to threat-based and risk-based frameworks for a holistic approach to resilience and risk management.

For further insights from this fascinating and open discussion, we encourage you to watch the webinar on demand.