2021 is undoubtedly ‘the year of ransomware’. The Colonial Pipeline attack highlighted the scale of this cyber risk for utilities and the infrastructure industries. All it took was a single password breach for criminals to demand, and receive, a $4m ransom. Although the ransom might sound costly, the wider damage to the revenue and reputation of a giant like Colonial Pipeline was likely much higher. Even more recently, the Kaseya case has highlighted the exposure that businesses can have through their supply chains and service providers. One recent report was that it had infected over one million endpoints, with a ransom set at $70m.
A cause for alarm
Colonial Pipeline was fortunate to have the potential ‘quick fix’ option of paying the ransom. That might not be a choice for long if laws banning the payment of ransoms start to be passed. In Australia, there have been calls for mandatory notifications of ransomware attacks. The US SEC and OFAC are looking at banning ransom payments altogether. In a possible glimpse of the future, even when some ransoms are paid, the decryption process can be so slow that companies may have to rely on backups and their own safeguards to return to BAU anyway.
Cyber insurance helps businesses manage two of their biggest risks – getting back up and running quickly and reducing disruption. Insurers, however, are demanding demonstrable controls and even co-insurance of cyber risk for some, so it’s likely that premiums will increase even further for organizations that are less well defended. So getting your cyber risk management capabilities in place may be more important than you think.
A closer look at the challenges
The energy, oil and gas sectors face some specific challenges. First, they have extensive and often remote networks to defend: IT assets at drilling platforms or production facilities, often interconnected by both public and private infrastructure, back to HQ. It is not uncommon for cybersecurity efforts to be less rigorous at some of these remote sites. We have seen how important multi-factor authentication can be for remote IT facilities. Any relaxation of security could be seen by an attacker as an opportunity to access assets otherwise protected back in HQ. As with environmental and other risks in the energy, oil and gas sectors, letting your guard down can result in an incident that requires large amounts of effort to clean up.
The variety of devices and systems in use also poses challenges. There are endless entry points for attackers, and the encryption of even one part of the system by ransomware could cause chaos. Colonial’s weak link was its billing system, rather than the technology that controlled the pipeline itself, but the interconnectivity of the systems meant that the pipeline network had to be isolated to limit the damage.
In an ideal world, organizations wouldn’t be attacked in the first place. However, if paying ransoms is outlawed or too costly, and insurance becomes less of an option, the industry is going to need to improve its own cyber risk management capabilities.
Anti-virus software and network defenses, alongside the rise of endpoint detection and response, can certainly help businesses manage attacks. But these solutions rely on detecting the attack as malicious in the first place. What if your endpoint solution misses the attack without warning? Do you have visibility to know what’s happening? Are there other controls in place that can mitigate the threat? More attention must be given to preventing or at least limiting successful ransomware attacks before they do serious damage.
There are three elements to focus on. The first two are the prevention of any initial infection and containment or limitation of the spread if one does occur. This then needs to be coupled to the third element, recovery, which allows systems and data to be restored. The principles of effective risk management apply – triage the risks and manage them accordingly.
There are some key safeguards organizations can adopt to support each of these elements:
- Application execution – ensuring only approved software can run on a computer system, securing systems by limiting what they can execute
- Application patching – applications must be regularly updated to prevent intruders using known vulnerabilities in software
- Macro security – checking that macro and document settings are correctly configured to prevent the activation of malicious code
- Harden user applications and browsers – use effective security policies to limit user access to active content and web code
- Firewalls/network gateways – and even physical on-site security – limit user access outbound and remote connections inbound
- Staff awareness – while not a technical control, building a better understanding by staff about cyber security, the threats and mitigation strategies that can minimize cyber attacks, is vital
- Restrict administrative privileges – grant admin privileges only to those staff who need system access, for specified purposes, and control what those admins can access
- Operating system patching – fully patched operating systems will significantly reduce the likelihood of malware or ransomware spreading across the network from system to system
- Multi-factor authentication – used to manage user access to high sensitivity accounts and systems (including remote users)
- Anti-virus – install anti-virus software and keep it updated
- Daily backups – secure data and system backups off site and test your recovery processes
- Incident management – in planning for a worst case scenario make sure everyone is well versed in the incident management playbook
Monitor your controls closely; if one aspect of the chain of control stops working, IT teams need to know quickly so they can respond. A ‘cyber culture’ and making cybersecurity a board level issue will improve overall corporate preparedness.
The board should receive reports that give clear visibility of these controls, or KPIs, and of the security posture of their environment. These KPIs can then be used as part of a continuous cyber security improvement program. Being able to monitor your readiness and assess your risk of attack provides an early warning system and confirmation that your cyber security risk management processes are in hand.
The energy, oil and gas sectors face many challenges and there is no easy fix for cybersecurity risk management. A big ransomware attack could disrupt supplies and impact broader operations for a long time, as Maersk found to their cost.
The best way to protect an organization is with strong cyber defenses and controls, backed up by regular checks to make sure they are working. If one control fails to identify the attack, not all is lost, as other subsequent controls are available to limit its access and impact. That way the risk of a successful attack is minimized and hopefully you’ll be on the front foot in an attack well before any disruption to your systems and operations.
Piers Wilson is Head of Product Management at Huntsman Security, a cyber security specialist focused on supporting its customers’ cyber resilience with real-time security threat detection, verification and resolution products. Its overarching aim is to simplify the security operations process for its customers and so limit their time at risk. Huntsman Security’s SIEM & Security Analytics, Scorecard and Auditor solutions are deployed in mission-critical security environments in the national intelligence, border protection and critical infrastructure sectors globally.