Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/

1. I N D U S T R I A L C O N T R O L S Y S T E M S C Y B E R S E C U R I T Y
V I S I B I L I T Y . D E T E C T I O N . R E S P O N S E .
RANSOMWARE IN AN INDUSTRIAL WORLD

2. Principal Cyber Risk Advisor
JASON D. CHRISTOPHER
§ Cyber risk management professional services,
tied to threat intel & Dragos platform
§ Certified SANS Instructor for industrial control
systems security
§ Former CTO for Axio Global, Inc., leading
critical infrastructure protection strategy
§ Federal energy lead for several industry
standards and guidelines, including NERC CIP,
NIST CSF, and the C2M2
§ Led cyber incident & risk management
team for US Department of Energy
§ Security metrics development across
EPRI and other research organizations
§ Began career deploying & securing ICS
§ Frequent speaker at conferences &
client events
§ MS, Electrical Engineering, Cornell
@jdchristopher
linkedin.com/in/jdchristopher

3. 3
Quick ICS Overview
Ransomware… where?
Actionable Recommendations
• OT security concepts
• ICS Cybersecurity Kill Chain
• Attacking ICS
• Evolution of ransomware
• ICS & untargeted ransomware
• Recent events and examples
• OT-specific security programs
• The M&M model
• ICS hardening and limitations
RANSOMWARE in an
INDUSTRIAL WORLD

4. 4
Focused on processes that impact the real
world, using industrial control systems
(ICS) and operational technology (OT)
INDUSTRIAL
TECHNOLOGIES
24 x 7
10-30
16
operations
year lifecycle
critical infrastructure
sectors

5. What are industrial control systems?
When a 0 or 1
impacts the
physical world.
Devices and
systems
include:
Sensors
Controllers
Motors Generators
Safety
Systems
I/O Devices
Field
Devices IEDs
Human-
Machine
Interface
5

6. Evolution of Operational Technology (OT)
3rd Industrial Revolution
Automation of Production by Electronics
DCS | Distributed Control System
SCADA | Supervisory Control &
Data Acquisition
4th Industrial Revolution
Smart Connected Systems
“Industry 4.0” // “Industrial IoT”
STAND-ALONE LOOSELY CONNECTED HIGHLY CONNECTED
s t a n d a r d i z a t i o n
6

7. Traditional IT Security Issues in OT
Endpoint
Agents
ENCRYPTION
VULNERABILITY
SCANNING
ANTI-
VIRUS
PATCHING
7

8. Real-world cyber-based industrial-impacts
8
AGAIN
Think physical
processes…
2009:
Centrifuge
Failure
2012:
Telvent
Espionage
2001:
Sewage
Spill
2014:
Furnace
Loss of
Control
2015 &
2016:
Power
Outages
2017:
(un)Safety
System

9. Describing ICS Cyber Attacks
9
The Lockheed Martin
Cyber Kill Chain® is a
model to help in the
identification and
prevention of cyber
intrusions activity…
but does not
consider steps
needed for ICS-
specific attacks
STAGE1

10. Describing ICS Cyber Attacks
10
Stage 2 of the ICS
Cyber Kill Chain
discusses unique
capabilities required
to result in real-world
impacts.
STAGE2

11. STAGE1STAGE2
Stage 1 and Stage 2 work
together to impact industrial
processes, stretching across
both IT and OT networks
INDUSTRIAL
ATTACKS:
IT and OT
Corporate IT
Plant OT

12. Industrial Process Impacts
For ICS-specific
capabilities, the
impact would
be focused on
operational
impacts.
12

13. ICS Attack Difficulty
The knowledge involved in
ICS attacks, with physical
impact, includes:
• IT security
• OT security
• OT-specific protocols
• Engineering processes
• Incident response
• Disaster recovery
13

14. ENTER
RANSOMWARE

15. THE DRAGOS PLATFORM
ICS SECURITY SERVICES
DRAGOS WORLDVIEW
2017-2018 2018-PresentPre-2017
Evolution of Ransomware
§ Interactive operations to
attack corporate networks
§ Hold entire networks
hostage
§ RISE OF THE WORMS
§ Single victim machine,
opportunistic targeting
§ Primary targeting via
phishing, malicious
websites
§ Single victim, single
machine focus
15

16. 16
WannaCry
Animated map from New York Times, accessed 2020-03-30: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html

17. 17
“Wiper disguised as ransomware,”
with increased collateral damage
beyond any initial targets.
NotPetya…
Not Ransomware
+$10B
2M
+65
in estimated damages
computers impacted in 2HRs
countries involved in response

18. Norsk Hydro & LockerGoga
…at execution…
…through encryption…
…to lock out…
§ Removes self, launches child
process
§ Writes ransom note
§ Encrypts files, binaries, etc
§ Changes local user and admin
credentials
§ Disables system network card
§ Logs off all logged-in users
Read more here: https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
18

19. STAGE1STAGE2
Again, think back to the ICS
Cyber Kill Chain – there are no
OT-specific knowledge or tools
leveraged during these events.
IT-Centric
RANSOMWARE
in OT Systems
Corporate IT
Plant OT
OT was collateral
damaged

20. 20
EKANS and ICS
§ Ransomware with ICS-specific
system processes highlighted
Trends & Considerations
What’s next?
§ Ransomware evolution over the
past few years shows trending
towards bigger impacts
Ransom = $$$
§ What are organizations willing to
pay to unlock data?
§ Whole networks?
§ Entire industrial facilities?
Ransomware vs. Wiper
§ Careful distinction, but would that
change your behavior?
§ Regardless of paying the ransom,
would you ever trust that device
again?

21. 21
Paying the Ransom as
“Remediation”
P a y t h e r a n s o m ? … o r g o o u t o f p o c k e t ?
V S
Read more here: https://www.forbes.com/sites/forbestechcouncil/2020/01/07/taking-governments-hostage-three-fixes-for-a-ransomware-world/

22. SO NOW WHAT?
awesome.

23. PROTECTING THE
CROWN JEWELS

24. Getting Started on
Industrial
Cybersecurity
Dedicate OT-specific resources
Planning for a bad day
Understanding the impacts
§ Who knows how to protect ICS?
§ In-house & 3rd party resources
§ What’s the worst-case scenario?
How would you prepare?
§ Who would you call?
§ What’s the cost associated with
downtime? Or broken equipment?
§ What are the “crown jewels?”

25. invest in
PERIMETERS
Strengthen & harden
SYSTEMS
where possible
BACK-UP
Lock up those crown
jewels
Restrict external
communications
Look for bad stuff
happening
Mileage will vary
Understand the last known
“good state”
ICS is a critical, high-trust
zone. Treat it accordingly!
Hot and cold storage
considerations
ICS-specific: set points, project
files, engineering documents
TEST. TEST. TEST.

26. 26
BRINGING IT ALL TOGETHER
Establish, Enable, & Enhance Your ICS Defenses
Understand your ICS
environments with impact-
based prioritization
Learn attackers’ behaviors,
proactively find threats, and
reinforce your detection methods
Test your defenses with real-
world scenarios and strengthen
your response procedures
1 3
2
- ARCHITECTURE REVIEW
- OT-SPECIFIC RESOURCES
- CROWN JEWEL ANALYSIS
- INVEST IN PERIMETERS
- HARDEN SYSTEMS
- BACK-UPS!
- DATA COLLECTION
- OT DETECTION
- THREAT HUNTING
- TABLE TOP EXERCISE
- PENETRATION TESTING
- MANAGED THREAT HUNTING
S T A R T H E R E

27. Dragos’ Year in Review provides
insights and lessons learned from
our team’s first-hand experience
hunting, combatting, and
responding to ICS adversaries
throughout the year.
Provides an analysis of ICS-specific
vulnerabilities and discusses impacts, risks,
and mitigation options for defenders
ICS VULNERABILITIES REPORT
Provides insights on the state of ICS
cybersecurity, the latest trends and observations
of ICS-specific adversaries, and proactive
defensive recommendations.
ICS THREAT LANDSCAPE REPORT
Provides a synopsis of trends observed within
the industry and lessons learned from Dragos’
proactive and responsive service engagements
LESSONS LEARNED FROM
THE FRONT LINES REPORT
27

28. THANK YOU
JASON D. CHRISTOPHER
@jdchristopher
linkedin.com/in/jdchristopher