Hype And Recovery

A woman died in Germany concurrently with a ransomware attack on a hospital, and the media was flooded with articles about ransomware causing its first death. Wired’s article this week, The Untold Story of a Cyber Attack, a Hospital and a Dying Womancleared this up while still pushing the fear. 

The delay was of no relevance to the final outcome,” Hartmann says. “The medical condition was the sole cause of the death, and this is entirely independent from the cyberattack.” He likens it to hitting a dead body while driving: while you might be breaking the speed limit, you’re not responsible for the death.

Hopefully, this will cause a purge of the related slide in ICS security presentations.

Still ransomware is real, and it has and will continue to get on ICS. Like spearphishing, you can reduce the likelihood, but you are not going to reduce it to zero. Good ICS security practices should prevent it, and we will see much lower infection rates in ICS than on the enterprise networks. So if you are responsible for your organization’s ICS security, here is what you should be doing.

Use The Ransomware Threat To Ensure You Have Confidence In ICS Recovery

For a community that preaches availability is the most important ICS goal in the C-I-A triad, it is surprising that recovery capabilities are so often lacking. This is primarily due to a reliance on redundancy that has served the ICS community well to date. The ICS doesn’t go down because there are redundant servers, networks, power, control centers, … 

This redundancy is highly effective against most causes of ICS outages, but it is ineffective against a cyber attack. The same attack that took out the primary will usually work on the secondary or standby cyber asset. And they are all networked together. 

Convincing asset owners that they need to plan for the case where all computers are lost can be difficult. It’s never happened before to them. Ransomware solves this problem. Ransomware is a real threat with high awareness now. Use it to run a tabletop incident response exercise where ransomware has impacted all your Windows computers. Can you meet your recovery time objective (RTO)? Do you even have a real RTO for the ICS’s purpose?

There isn’t necessarily a need to recover all of the computers to meet the RTO. Creative thinking and advance planning will identify alternatives to achieve the ICS’s purpose. For example, you may only need to recover a server and two workstations to be able to monitor and control the critical functions for a short time. Or you could run certain parts of the system manually, and the RTO could be getting the right people to the right places. The key is to have thought this out and tested it prior to it happening.

Ransomware is the most credible threat a generic company with an ICS has had to date. It will be a career limiting decision to say we don’t need to be able to respond to ransomware reaching our ICS.

Look At Supporting Systems Impact On The ICS Related Mission

While ransomware has infected ICS, the more common case is ransomware has caused ICS and the underlying process to shut down because necessary supporting systems are unavailable. For example, a factory may be unable to continue to produce goods because the shipping related systems are down. The factory can only pile up so much product. Or the scheduling system is down. Or the recipe system is down.

Most of these systems are on the Enterprise with minimal segmentation or protection from the general Enterprise network user or cyber asset. So the chances of ransomware on the Enterprise affecting these systems is high. Asset owners should be looking at two things:

  1. Should they be isolating or otherwise providing increased protection to prevent the spread of ransomware from the Enterprise to these supporting systems? And
  2. Do they have a RTO and can they meet it for these supporting systems?

Often the RTO for these supporting systems is longer than the ICS. The company may be able to continue to produce the product and service for a while based on last known information.

In summary, use ransomware as a vivid and hard to deny example of why you need a tested, high confidence recovery plan.