We have reached the point where highly connected cyber-physical systems are the norm, and the lines between information technology (IT) and operational technology (OT) are blurred. These systems are connected to and managed from the cloud to fine-tune performance, provide data analytics, and ensure the integrity of critical infrastructure across all sectors. Attacks on OT systems threaten not only business continuity, but also the national economy and national security. Identity and access management can play an essential role in strengthening the security posture of critical infrastructure.
The threat landscape
According to Interpol's Internet Organised Crime Threat Assessment report, critical infrastructure is highly targeted by ransomware gangs that pursue what is called "big game hunting." Critical infrastructure and OT systems are perceived as high-value targets by ransomware groups as well as by nation-state actors with geopolitical motives.
As criminals adopt business models and reorganize as Ransomware as a Service (RaaS) operations, it is important to understand their modus operandi. For example, an important finding from the Conti leak was how commonly ransomware threat actors rely on Active Directory for lateral movement within the network using privileged credentials. This should be a focus area for organizations looking to improve their defensive tactics, such as securing credentials and removing unnecessary privileged accounts.
Although the attack against Colonial Pipeline deservedly gained news attention, ransomware attacks have increasingly disrupted the sectors of food, healthcare and transportation.
Attacks against the food sector
In September 2021, the FBI’s Cyber Division released a summary of five major attacks against the industry in the prior year, including JBS, a global food processor and meat supplier that paid an $11 million ransom to REvil. In the same month, BlackMatter attacked NEW Cooperative, an Iowa-based food distributor. NEW Cooperative refused to pay the $5.9 million ransom demand and opted to take their systems offline. This is certainly an option for organizations with well-defined backup and remediation processes.
In August 2021, a ransomware attack on Scripps Health in California resulted in over $113 million in losses. This included $91.6 million in lost revenue over the four-week recovery period. In October 2021, CISA, the FBI, and the Department of Health and Human Services (HHS) issued a joint alert on ransomware activity targeting the healthcare and public health sector. The alert detailed cyber threats that can lead to ransomware, data theft and disruption of healthcare services. However, despite this notable attention, only 56% of healthcare companies have formal ransomware response plans, according to the Thales 2022 Data Threat Report.
According to a Check Point study, the transportation industry experienced a 186% increase in weekly ransomware attacks between June 2020 and June 2021. In November 2021, the Transportation Safety Authority (TSA) and Department of Homeland Security (DHS) issued two security directives for the rail transportation sector to implement an array of countermeasures to prevent disruption.
The vulnerability landscape
According to a report from Claroty’s Team82, researchers discovered 1,439 new vulnerabilities during 2021, up 110% from the previous year. 66% of these vulnerabilities affect the OT domain, while the remaining 34% affect IoT, IT and IoMT (Internet of Medical Things).
The disclosed vulnerabilities affect mostly products fitting within Operations Management – Level 3 of the Purdue Model. The software components at this level include the servers and databases at the core of the production workflow that feed data collected from field devices to higher-level business systems, or those operating in the cloud.
Team82’s data shows that 63% of the disclosed vulnerabilities may be exploited remotely through a network attack vector, while 31% can only be exploited locally. To exploit the latter, an attacker first needs a separate vector for network access, such as credentials compromised during phishing attacks.
Access management is an essential mitigation strategy
When it comes to strengthening the OT security posture, network segmentation is the first step, and it should be a top consideration for all critical infrastructure organizations. Nearly all forms of malware, including ransomware, rely on network connectivity to move laterally throughout the network and to identify and compromise other systems. Network segmentation is a fundamental tactic that can inhibit the spread of malware or any unauthorized traffic within the internal network. Typically, security checks govern movement between network segments or zones, allowing legitimate users and traffic through to appropriate destinations while containing threats to a small, potentially safe, area within the larger network.
If segmentation is an effective way to stop malware propagation, then the ultimate form of segmentation is microsegmentation, which is gaining traction as a strategy to stop the spread of malware completely. Based on the concept of Zero Trust, the principle is that no traffic moves through the network except what is explicitly allowed by defined network and access security policies.
This is where a comprehensive identity and access management policy becomes essential. An identity-based Zero Trust approach can effectively reduce the attack surface exposed to potential intruders. This is also reflected in the Thales 2022 Data Threat Report, where 34% of survey respondents said that Zero Trust is shaping their security strategies to a great extent. Identity and access management effectively reduces the number of OT systems and services that are accessible from any other device or user on the network.
In addition, access security policies can greatly reduce the possibility of human error. Opting for a modern authentication solution that simplifies remote access to critical systems and steps up authentication based on assessed risk level reduces complexity and associated attack surfaces.
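As an added illustration (not code from the original post or from Thales), the following toy policy engine shows the default-deny, identity-based microsegmentation and risk-based step-up authentication described above. The Purdue zone labels, roles, services and risk weights are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One explicitly allowed flow: who (role) may reach what (zone/service)."""
    role: str        # identity attribute of the requester, e.g. "ot_engineer"
    src_zone: str    # Purdue level of the requesting device, e.g. "L3"
    dst_zone: str    # Purdue level of the target system
    service: str     # protocol or service, e.g. "opc-ua", "ssh"
    max_risk: float  # above this assessed risk, step-up MFA is required

@dataclass
class Request:
    user: str
    role: str
    src_zone: str
    dst_zone: str
    service: str
    risk: float          # assessed risk for this session (0.0 = fully trusted)
    mfa_done: bool = False

# Constructed sample policy: anything not listed here is denied.
POLICY = [
    Rule("ot_engineer", "L3", "L2", "opc-ua", max_risk=0.3),
    Rule("ot_engineer", "L4", "L3", "ssh", max_risk=0.2),
    Rule("historian", "L2", "L3", "mqtt", max_risk=0.5),
]

def assess_risk(managed_device: bool, known_network: bool, off_hours: bool) -> float:
    """Toy risk score: each missing assurance signal adds weight (assumed values)."""
    score = 0.0
    if not managed_device:
        score += 0.4
    if not known_network:
        score += 0.3
    if off_hours:
        score += 0.2
    return round(score, 2)

def decide(req: Request, policy=POLICY) -> str:
    """Return 'allow', 'step_up' or 'deny'. Default is deny: lateral flows
    (e.g. L2 -> L2) and unlisted roles or services never match a rule."""
    for rule in policy:
        if (rule.role, rule.src_zone, rule.dst_zone, rule.service) != (
            req.role, req.src_zone, req.dst_zone, req.service
        ):
            continue
        if req.risk <= rule.max_risk or req.mfa_done:
            return "allow"
        return "step_up"   # identity matches, but session risk demands MFA
    return "deny"
```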
I recently discussed this topic in more detail on the Thales Security Sessions Podcast, with host Neira Jones, and Sid Shaffer, VP and Chief Delivery Officer at ITEGRITI. Listen to the full episode entitled "The Convergence of IT/OT" online now.