In the first part of this post we introduced Network Intrusion Detection Systems (NIDS) as a solution for mitigating ransomware attacks on Operational Technology (OT). Let's have a closer look at how this works in practice.
As a general rule, an NIDS does not replace standard security controls such as firewalls, authentication, VPNs and network segmentation. Those controls still reliably detect and block the majority of attacks, provided the attack matches a signature in the tool's library. An NIDS complements them for attacks that are not documented in those signature libraries and therefore cannot be detected by them. This includes novel infiltration techniques such as zero-day exploits, as well as techniques like spear phishing that bypass classic controls such as authentication and firewall filtering. Given the high vulnerability of OT components and systems and the fast evolving threat landscape outlined above, this complement is of growing importance for OT security.
An NIDS like Rhebo Industrial Protector combines OT monitoring with anomaly detection: it analyzes all OT communication and reports any activity that deviates from the deterministic, authorized OT communication pattern. It provides a second line of defense that lets security managers detect attacks that have already penetrated the network and are stealthily working their way through it.
To detect preparatory activities is to prevent encryption
Two well-known real-world examples of such incidents are the WannaCry ransomware campaign of 2017, which spread using the EternalBlue exploit for the SMBv1 vulnerability patched in MS17-010, and the Colonial Pipeline incident of 2021, where the attackers logged in with a stolen VPN password. In both cases, firewalls and authentication measures were bypassed. Even though both attacks targeted IT, both had severe repercussions for the industrial processes of the affected companies because of the connection between IT and OT.
Before WannaCry crippled operations in thousands of companies worldwide, it had already left a trail of preparatory communication in the networks. As soon as it infects the first machine, WannaCry tries to contact a kill switch domain and, if that fails, starts scanning the local network and random internet addresses for further targets. This includes Windows systems, which have become common even in OT environments.
OT monitoring with anomaly detection would have flagged the endpoint scanning on TCP port 445 (SMB), including the many incomplete TCP handshakes that such a scan leaves behind when hosts do not answer. Furthermore, before executing its payload, WannaCry attempted a connection to the kill switch domain outside the company's network. This outbound connection to an unknown external host would have been reported as a deviation from the baseline OT communication structure, accelerating the response and reducing the impact.
Colonial Pipeline incident
Before the attackers encrypted servers at Colonial Pipeline and brought the company's main pipeline to a halt, they had already left several fingerprints in the network. First, there was the transfer of about 100 GB of data to an unknown external IP address. Second, there was the VPN connection from an unknown external IP address. In an OT network, such activities would have been reported immediately as anomalies by OT monitoring with anomaly detection, giving security managers a time window in which to stop any further malicious activity.
In the Colonial Pipeline case, only the IT was directly affected. It nonetheless prompted the company to shut down its OT systems to prevent the ransomware from spreading further. While this is a common-sense measure, it resulted in a major fuel shortage on the US East Coast as well as revenue loss. With OT monitoring with anomaly detection in place, the company would have been able to quickly cross-check its OT networks for any activity indicating compromise. This would have given security operators certainty about whether the OT was infected or not, allowing them to decide on OT operations based on facts rather than presumptions.
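The indicators described for WannaCry (kill switch contact, SMB fan-out on port 445 with incomplete handshakes) and for Colonial Pipeline (unknown external VPN source, bulk transfer to an unknown external address) all reduce to the same mechanism: learn the authorized communication relations of a deterministic OT segment, then report what deviates. The following is an added illustration, not Rhebo's code and not a description of how Industrial Protector is implemented. The flow records, the 10.10.0.0/16 OT prefix, the thresholds and the external addresses (documentation ranges) are constructed for the example; they stand in for what a passive sensor on a SPAN port or TAP would export after decoding the traffic.

```python
"""Baseline-driven anomaly detection over constructed OT flow records.

Added example (not Rhebo code). Everything below, including the OT prefix,
thresholds and sample flows, is an assumption made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the monitored OT segment uses this prefix; anything else is external.
OT_NETS = [ip_network("10.10.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since start of the capture window
    src: str
    dst: str
    dport: int
    proto: str         # application protocol the sensor decoded ("modbus", "smb", ...)
    bytes_out: int     # bytes sent src -> dst
    complete: bool     # TCP handshake completed (False: SYN unanswered or reset)


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in OT_NETS)


def relation(f: Flow) -> tuple:
    """The communication relation that a deterministic OT baseline is built from."""
    return (f.src, f.dst, f.dport, f.proto)


def learn_baseline(flows):
    """Learning phase: every relation seen is treated as authorized. In practice an
    engineer reviews this set before alerting is armed, so that a compromise present
    during learning is not baked into the baseline."""
    return {relation(f) for f in flows}


def find_scans(flows, port=445, min_targets=10, window=60.0):
    """One source contacting many distinct hosts on `port` within `window` seconds.
    Returns {src: (distinct_targets, incomplete_handshakes)} for the densest window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == port:
            by_src[f.src].append(f)
    scans = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda x: x.ts)
        lo = 0
        for hi in range(len(fs)):
            while fs[hi].ts - fs[lo].ts > window:   # slide the window forward
                lo += 1
            seen = fs[lo:hi + 1]
            targets = {x.dst for x in seen}
            if len(targets) >= min_targets:
                incomplete = sum(1 for x in seen if not x.complete)
                scans[src] = max(scans.get(src, (0, 0)), (len(targets), incomplete))
    return scans


def detect(flows, baseline, transfer_limit=1_000_000_000):
    """Report deviations from the baseline as (kind, src, dst, detail) tuples."""
    alerts = []
    scans = find_scans(flows)
    for src, (targets, incomplete) in scans.items():
        alerts.append(("smb_scan", src, "*",
                       f"{targets} hosts on 445, {incomplete} incomplete handshakes"))
    for f in flows:
        if f.src in scans and f.dport == 445:
            continue  # individual probes are rolled up into the scan alert
        known = relation(f) in baseline
        detail = f"{f.proto}/{f.dport}"
        if not known and not is_internal(f.dst):
            alerts.append(("new_external_dst", f.src, f.dst, detail))
        elif not known and not is_internal(f.src):
            alerts.append(("new_external_src", f.src, f.dst, detail))
        elif not known:
            alerts.append(("new_relation", f.src, f.dst, detail))
        if f.bytes_out > transfer_limit and not is_internal(f.dst):
            alerts.append(("large_transfer", f.src, f.dst, f"{f.bytes_out // 2**30} GiB"))
    return alerts


# Constructed learning window: HMI polling two PLCs, engineering workstation
# talking EtherNet/IP to a PLC and SMB to the historian.
LEARNING = [
    Flow(0, "10.10.1.10", "10.10.2.20", 502, "modbus", 4_000, True),
    Flow(1, "10.10.1.10", "10.10.2.21", 502, "modbus", 4_000, True),
    Flow(2, "10.10.1.30", "10.10.2.20", 44818, "enip", 12_000, True),
    Flow(3, "10.10.1.30", "10.10.1.50", 445, "smb", 900_000, True),
]
BASELINE = learn_baseline(LEARNING)

# Constructed live window: normal traffic, then WannaCry-like and Colonial-like traces.
LIVE = [
    Flow(100, "10.10.1.10", "10.10.2.20", 502, "modbus", 4_100, True),
    Flow(101, "10.10.1.30", "10.10.1.50", 445, "smb", 800_000, True),
    Flow(200, "10.10.1.30", "192.0.2.44", 80, "http", 300, True),        # kill switch check
    *[Flow(201 + i, "10.10.1.30", f"10.10.2.{i}", 445, "smb", 60, i % 4 == 0)
      for i in range(1, 13)],                                            # SMB fan-out
    Flow(300, "203.0.113.7", "10.10.1.5", 443, "vpn", 5_000, True),       # unknown VPN source
    Flow(400, "10.10.1.50", "198.51.100.9", 443, "tls", 100 * 2**30, True),  # bulk upload
]

if __name__ == "__main__":
    for alert in detect(LIVE, BASELINE):
        print(*alert)
```

The same `detect` pass works retrospectively: feeding it a month of recorded flows against a reviewed baseline is exactly the kind of check that answers "is the OT clean?" after an IT-side ransomware incident. The learning phase is the weak point of any such system, which is why the baseline must be reviewed rather than blindly trusted.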
Make sure your OT is clean
Both capabilities - detecting malicious activity in OT in real time and quickly assessing the risk that an IT ransomware attack poses to OT - can make the difference between continued operation and a blackout at a utility. In June 2022, the German company Entega was hit by a ransomware attack. Its subsidiary, the utility e-netz Südhessen, was in danger of a spill-over that would have affected the energy supply of one million people. The utility immediately asked Rhebo to conduct a Rhebo Industrial Security Assessment, which included an analysis of the OT communication of the preceding month. Within 24 hours the e-netz security manager could rest assured: the OT showed neither a trace of the ransomware nor any sign of malicious activity that could be associated with the attack.
The assessment nevertheless found a number of vulnerabilities and risks, which the security manager was able to mitigate afterwards.
Thus, he was able to prevent a shutdown, ensure the energy supply and increase the cyber resilience of the utility's industrial processes.