Our news feeds are often filled with stories of ransomware affecting industrial organisations in the energy, manufacturing and transport sectors. When these ransomware strikes happen, the first question cyber security specialists ask themselves is “Is the Operational Technology (OT) affected?”. Reports often indicate that it is not, but the supply chain is affected and contingency measures put in place.
These events continue to highlight the dependencies and interconnection between IT and OT in an organisation's integrated value chain, and the impact the loss of critical systems can have on the company, its customers and the wider society that depends on its services.
Perception changes overnight if you get hit by a ransomware attack: you need to be able to detect, respond and recover quickly and efficiently. If it was your business, how long would it take you to be fully operational again?
Ransomware is a very real and destructive threat to organisations, more so than some executives may realise. Industry estimates put the frequency of ransomware attacks at one every 11 seconds. The changing business landscape, and even the services you provide, can change the profile you present to cyber attackers at any given time. Are you paying as much attention to it as they are?
We have seen several companies going through mergers and acquisitions become victims of cyber-crime, sometimes detected and averted, and sometimes not. These are key times when the value of a company and its reputation are especially important and, so it seems, a good time to hold it to ransom. Ransomware may even be deployed as a distraction from other malicious activity already under way in the network.
For industrial organisations it is one of the things that can keep executives up at night, both for the impact it could have on operations and for the rising chance of becoming collateral damage in an attack aimed elsewhere. The WannaCry and NotPetya outbreaks of 2017 are examples in which many organisations and people were affected, and some organisations are still dealing with the impact today.
The significant impact on the Colonial fuel pipeline in 2021, and on downstream services, shows the scale of impact targeted ransomware can have and the level of crisis management that is required. Business continuity planning needs to take into account the full spectrum of disruption. In this case multiple states of emergency were declared so that trucks, rail and shipping tankers could transport fuel to keep critical services operational. It does not take long for an OT impact to be felt or to affect people's daily lives.
During ransomware attacks, systems are being taken offline at a rapid rate, mostly outside your control. Systems can be crippled in less than an hour. Disconnecting networks and shutting down systems as a precaution is a very common response, because it stops the malware spreading further; so is keeping systems offline, or in a safe state, until it is known that they are not affected. They stay off for as long as it takes to investigate the malware, what it is and how far it has spread across the IT and OT networks, and to confirm that systems are safe to run again. This slows processes down and has a direct impact on production, and therefore on your customers. Stopping production is not as simple as just turning it off.
During ransomware and other cyber-attacks, businesses often choose to run their plants in manual or island mode. It is then necessary to mobilise people to operate equipment from all over the site, plant or vessel, away from the comfort of the control room, and to keep them there for as long as the isolation lasts.
Downtime is to be avoided, and not only for cost reasons. For industrial processes, rapidly shutting down operations can be expensive, and in some cases the loss of product is significant. Restarting industrial systems is not easy; for some plants, restarting production can take months. Some of the implications of system outages are not fully understood, and dependencies on IT systems often have not been recognised. Even if you can cut the OT from the IT during the incident, OT performance can degrade over time while that separation is maintained.
It is important to know that ransom payments fund, and contribute to, criminal activity and may be treated as money laundering; depending on who the recipient is, a payment can also breach sanctions. Law enforcement should be contacted, and negotiation should be avoided. Headlines also tell us that many companies do pay the ransom demand, often millions. This may mean systems can be restored, but it is not a guarantee. The Sophos 'State of Ransomware 2022' report found that 46% of the organisations reporting a ransomware attack paid the ransom, and that only 4% of those that paid got all of their data back. Even if you get the keys, the decryption process itself can be extremely time consuming and end in frustration. The more companies pay, the more the model is rewarded, which inevitably means new targets are hunted, or other cyber criminals attack you again. Additionally, you may lose out twice: first through an event resulting in significant damages, and then by discovering that your insurance policy will not pay out.
When a cyber-attack strikes, it can take days to understand the extent of the damage, weeks to verify which systems are affected and clean them up, and months to perform remedial work and get all systems back online. Rarely is it sustainable to run systems in manual for long periods. The impact can be widespread. We find organisations are often unprepared for the complexity and resources required to recover their business.
Organisations are continuing to learn how important OT is to their business, and which IT systems that OT relies on most.
We have seen organisations in crisis realising that without OT systems functioning for 24 hours, their physical assets are at risk of irreparable damage. Equipment replacement can cost many millions and take years, product losses can run into the tens of millions, and there is a wider impact on critical supply chains. There are also situations where OT outages may lead to the culling of animals or put local environments at risk.
We have also seen that, in many industrial ransomware incidents, the issues affecting the production environment stem from the OT's dependency on IT systems that are currently unavailable. Some of these dependencies are not recognised immediately, and some IT systems suddenly become critical. You may be able to manufacture your product, but if you cannot access logistics and billing systems, do you know who ordered what and where to ship it?
In conclusion, IT and OT systems are becoming increasingly interdependent, and the loss of critical systems can have significant impacts not only on the company but also on its customers and on society as a whole. Organisations must be prepared for the complexity and resources required for recovery, and must not treat paying the ransom as a solution. The attack paths and security risks that lead to a cyber incident are often already known to the business, and the cost of neglecting to address them can run into the hundreds of millions of pounds. The cost of being prepared pales in comparison. Can you afford not to be prepared?