Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/
Dragos and CyberWire: ICS Ransomware
1. INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY
VISIBILITY. DETECTION. RESPONSE.
RANSOMWARE IN AN INDUSTRIAL WORLD
2. JASON D. CHRISTOPHER, Principal Cyber Risk Advisor
§ Cyber risk management professional services, tied to threat intel & Dragos platform
§ Certified SANS Instructor for industrial control systems security
§ Former CTO for Axio Global, Inc., leading critical infrastructure protection strategy
§ Federal energy lead for several industry standards and guidelines, including NERC CIP, NIST CSF, and the C2M2
§ Led cyber incident & risk management team for US Department of Energy
§ Security metrics development across EPRI and other research organizations
§ Began career deploying & securing ICS
§ Frequent speaker at conferences & client events
§ MS, Electrical Engineering, Cornell
@jdchristopher
linkedin.com/in/jdchristopher
3. RANSOMWARE in an INDUSTRIAL WORLD (agenda)
Quick ICS Overview
• OT security concepts
• ICS Cybersecurity Kill Chain
• Attacking ICS
Ransomware… where?
• Evolution of ransomware
• ICS & untargeted ransomware
• Recent events and examples
Actionable Recommendations
• OT-specific security programs
• The M&M model
• ICS hardening and limitations
4. INDUSTRIAL TECHNOLOGIES
Focused on processes that impact the real world, using industrial control systems (ICS) and operational technology (OT)
24 x 7 operations
10-30 year lifecycle
16 critical infrastructure sectors
5. What are industrial control systems?
When a 0 or 1 impacts the physical world.
Devices and systems include: Sensors, Controllers, Motors, Generators, Safety Systems, I/O Devices, Field Devices, IEDs, Human-Machine Interface
6. Evolution of Operational Technology (OT)
3rd Industrial Revolution: Automation of Production by Electronics
DCS | Distributed Control System
SCADA | Supervisory Control & Data Acquisition
4th Industrial Revolution: Smart Connected Systems
"Industry 4.0" // "Industrial IoT"
STAND-ALONE → LOOSELY CONNECTED → HIGHLY CONNECTED (increasing standardization)
7. Traditional IT Security Issues in OT
Endpoint Agents
Encryption
Vulnerability Scanning
Anti-Virus
Patching
8. Real-world cyber-based industrial impacts
Think physical processes… AGAIN
2001: Sewage Spill
2009: Centrifuge Failure
2012: Telvent Espionage
2014: Furnace Loss of Control
2015 & 2016: Power Outages
2017: (un)Safety System
9. Describing ICS Cyber Attacks
STAGE 1
The Lockheed Martin Cyber Kill Chain® is a model to help in the identification and prevention of cyber intrusion activity… but it does not consider the steps needed for ICS-specific attacks.
10. Describing ICS Cyber Attacks
STAGE 2
Stage 2 of the ICS Cyber Kill Chain discusses the unique capabilities required to result in real-world impacts.
11. INDUSTRIAL ATTACKS: IT and OT
STAGE 1 (Corporate IT) / STAGE 2 (Plant OT)
Stage 1 and Stage 2 work together to impact industrial processes, stretching across both IT and OT networks.
15. THE DRAGOS PLATFORM | ICS SECURITY SERVICES | DRAGOS WORLDVIEW
Evolution of Ransomware
Pre-2017
§ Single victim, single machine focus
§ Primary targeting via phishing, malicious websites
2017-2018
§ RISE OF THE WORMS
§ Single victim machine, opportunistic targeting
2018-Present
§ Interactive operations to attack corporate networks
§ Hold entire networks hostage
16. WannaCry
Animated map from New York Times, accessed 2020-03-30: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
17. NotPetya… Not Ransomware
"Wiper disguised as ransomware," with increased collateral damage beyond any initial targets.
+$10B in estimated damages
2M computers impacted in 2 hrs
+65 countries involved in response
18. Norsk Hydro & LockerGoga
…at execution… …through encryption… …to lock out…
§ Removes self, launches child process
§ Writes ransom note
§ Encrypts files, binaries, etc.
§ Changes local user and admin credentials
§ Disables system network card
§ Logs off all logged-in users
Read more here: https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
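The lock-out phase described on this slide (local credentials changed, then every logged-in user forced off) leaves a recognisable trace in host audit logs, and an OT engineering workstation that suddenly resets several local accounts within seconds is worth an alert on its own. The following is an added example, not code from the Dragos deck or the podcast: a small Python correlator run over constructed, simplified Windows Security log lines. The line layout (`timestamp host event-id account`), the host and account names, the five-minute window and the three-account threshold are all assumptions made for illustration. The event IDs 4724 (an attempt was made to reset an account's password) and 4647 (user-initiated logoff) are real Windows Security audit IDs, but mapping LockerGoga's behaviour onto just these two is a deliberate simplification.

```python
"""Flag hosts showing a LockerGoga-style credential-reset burst followed by logoffs.

Added example, not from the Dragos deck. The log format below is a constructed,
simplified rendering of Windows Security events, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_RESET = "4724"  # real Windows audit ID: password reset attempted
USER_LOGOFF = "4647"     # real Windows audit ID: user-initiated logoff

# Constructed sample log: "<ISO timestamp> <host> <event id> <account>".
# eng-ws-07 shows the burst pattern; hmi-01 and hmi-02 are normal activity.
SAMPLE_LOG = """\
2020-03-01T01:12:03 hmi-01 4624 operator
2020-03-01T01:12:05 hmi-01 4624 engineer
2020-03-01T02:14:10 eng-ws-07 4724 Administrator
2020-03-01T02:14:11 eng-ws-07 4724 operator
2020-03-01T02:14:11 eng-ws-07 4724 engineer
2020-03-01T02:14:12 eng-ws-07 4724 svc_backup
2020-03-01T02:14:30 eng-ws-07 4647 operator
2020-03-01T02:14:30 eng-ws-07 4647 engineer
2020-03-01T09:00:00 hmi-02 4724 operator
2020-03-01T17:30:00 hmi-02 4647 operator
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, event_id, account)."""
    ts, host, event_id, account = line.split()
    return datetime.fromisoformat(ts), host, event_id, account


def find_lockout_bursts(log_text, window=timedelta(minutes=5), min_resets=3):
    """Return {host: [accounts]} for hosts where at least `min_resets` distinct
    accounts had a password reset inside `window`, and at least one logoff
    landed in the same window. A single reset (hmi-02) is ordinary admin work
    and is not reported."""
    events_by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, account = parse_line(line)
        events_by_host[host].append((ts, event_id, account))

    alerts = {}
    for host, events in events_by_host.items():
        events.sort()  # chronological; tuples compare by timestamp first
        resets = [(ts, acct) for ts, eid, acct in events if eid == PASSWORD_RESET]
        logoffs = [ts for ts, eid, _ in events if eid == USER_LOGOFF]
        for i, (start, _) in enumerate(resets):
            # Accounts reset within `window` of this reset acting as window start.
            in_window = {acct for ts, acct in resets[i:] if ts - start <= window}
            logoff_seen = any(start <= t <= start + window for t in logoffs)
            if len(in_window) >= min_resets and logoff_seen:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, accounts in find_lockout_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(accounts)} local accounts reset, then logoffs: {accounts}")
```

In a real deployment the thresholds would be tuned per asset class (an HMI with two local accounts needs a lower bar than a domain-joined engineering workstation), and the alert should be routed to whoever owns the plant, since by the time the logoffs fire the encryption phase is usually already done.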
19. IT-Centric RANSOMWARE in OT Systems
STAGE 1 (Corporate IT) / STAGE 2 (Plant OT)
Again, think back to the ICS Cyber Kill Chain: no OT-specific knowledge or tools were leveraged during these events. OT was collateral damage.
20. Trends & Considerations
EKANS and ICS
§ Ransomware with ICS-specific system processes highlighted
What's next?
§ Ransomware evolution over the past few years shows a trend towards bigger impacts
Ransom = $$$
§ What are organizations willing to pay to unlock data?
§ Whole networks?
§ Entire industrial facilities?
Ransomware vs. Wiper
§ Careful distinction, but would that change your behavior?
§ Regardless of paying the ransom, would you ever trust that device again?
21. Paying the Ransom as "Remediation"
Pay the ransom? … or go out of pocket? VS
Read more here: https://www.forbes.com/sites/forbestechcouncil/2020/01/07/taking-governments-hostage-three-fixes-for-a-ransomware-world/
24. Getting Started on Industrial Cybersecurity
Dedicate OT-specific resources
§ Who knows how to protect ICS?
§ In-house & 3rd party resources
Planning for a bad day
§ What's the worst-case scenario? How would you prepare?
§ Who would you call?
Understanding the impacts
§ What's the cost associated with downtime? Or broken equipment?
§ What are the "crown jewels?"
25. Invest in PERIMETERS
§ Lock up those crown jewels
§ Restrict external communications
§ Look for bad stuff happening
Strengthen & harden SYSTEMS where possible
§ Mileage will vary
§ Understand the last known "good state"
§ ICS is a critical, high-trust zone. Treat it accordingly!
BACK-UP
§ Hot and cold storage considerations
§ ICS-specific: set points, project files, engineering documents
§ TEST. TEST. TEST.
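"Understand the last known good state" and "TEST. TEST. TEST." only mean something if a restored backup can be checked against a known-good reference rather than trusted on sight. As an added example (not code from the deck or from Dragos), the Python routine below records a SHA-256 manifest of the ICS-specific artifacts the slide names (set points, project files, engineering documents) and later reports what was modified, went missing, or appeared. The directory layout, file names and the tampering steps in `demo()` are constructed for illustration; the manifest format (relative path to hex digest) is an assumption, not a standard.

```python
"""Record and verify a last-known-good manifest of ICS engineering artifacts.

Added example, not from the Dragos deck. File names and the simulated
tampering in demo() are constructed; the manifest layout is an assumption.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large project files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative, forward-slash path) to its SHA-256."""
    root = Path(root)
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_against_manifest(root, manifest):
    """Compare the live tree with a stored manifest. Returns three sorted lists:
    files whose content changed, files that disappeared, and files not in the
    good state (a renamed/encrypted project file shows up as missing + unexpected)."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: snapshot a good state, then simulate ransomware-style tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc").mkdir()
        (root / "plc" / "line1.proj").write_bytes(b"constructed PLC project contents")
        (root / "setpoints.csv").write_text("tag,value\nTIC-101,85.0\n")

        good_state = build_manifest(root)  # this is what goes to cold storage

        # Simulated damage: a set point silently changed, the project file
        # renamed as if encrypted, and a note dropped in the tree.
        (root / "setpoints.csv").write_text("tag,value\nTIC-101,185.0\n")
        (root / "plc" / "line1.proj").rename(root / "plc" / "line1.proj.locked")
        (root / "README_LOCKED.txt").write_text("constructed placeholder note")

        return verify_against_manifest(root, good_state)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>10}: {files}")
```

Keep the manifest itself on the cold-storage side, separate from the files it describes; if it lives next to the project files, the same event that encrypts the backups also destroys the only record of what "good" looked like. Re-running `verify_against_manifest` after a test restore is the cheapest version of the slide's "TEST. TEST. TEST." that still catches a quietly altered set point.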
26. BRINGING IT ALL TOGETHER
Establish, Enable, & Enhance Your ICS Defenses
1. START HERE: Understand your ICS environments with impact-based prioritization
- ARCHITECTURE REVIEW
- OT-SPECIFIC RESOURCES
- CROWN JEWEL ANALYSIS
- INVEST IN PERIMETERS
- HARDEN SYSTEMS
- BACK-UPS!
2. Learn attackers' behaviors, proactively find threats, and reinforce your detection methods
- DATA COLLECTION
- OT DETECTION
- THREAT HUNTING
3. Test your defenses with real-world scenarios and strengthen your response procedures
- TABLE TOP EXERCISE
- PENETRATION TESTING
- MANAGED THREAT HUNTING
27. Dragos' Year in Review provides insights and lessons learned from our team's first-hand experience hunting, combatting, and responding to ICS adversaries throughout the year.
ICS VULNERABILITIES REPORT: Provides an analysis of ICS-specific vulnerabilities and discusses impacts, risks, and mitigation options for defenders.
ICS THREAT LANDSCAPE REPORT: Provides insights on the state of ICS cybersecurity, the latest trends and observations of ICS-specific adversaries, and proactive defensive recommendations.
LESSONS LEARNED FROM THE FRONT LINES REPORT: Provides a synopsis of trends observed within the industry and lessons learned from Dragos' proactive and responsive service engagements.
28. THANK YOU
JASON D. CHRISTOPHER
@jdchristopher
linkedin.com/in/jdchristopher