Are IT and OT losing the ransomware battle?

A report from Claroty finds ransomware attacks against critical infrastructures rampant, and paying ransoms often results in less downtime and lost revenue. Is there a way out?

If cyber-physical security company Claroty’s Global State of Industrial Cybersecurity 2021 report is any indication of the state of the war against ransomware, both IT and OT (operational technology) have been losing ground in their battles.

According to the report, 80% of critical infrastructure organizations reported experiencing a ransomware attack in 2021. Ransoms were paid 60% of the time (most frequently in the US, where 76% of ransoms were paid), and in more than half of cases those ransoms amounted to more than $500,000.

To tip the scales further into ransomers’ hands, the majority of respondents said revenue per hour losses due to ransomware downtime equaled or were greater than the ransom itself. Twenty-eight percent said that they still experienced “substantial impact to operations” despite paying the ransom, but that’s the sort of gamble businesses may be willing to take.

“These findings suggest that, despite the well-known downsides of paying the ransom, the alternative (revenue loss due to prolonged operational downtime) is too costly for most victim organizations to justify,” the report said.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Ransomware is just part of the story

The general gist of Claroty’s report goes beyond ransomware to define a trifecta of problems that caused unprecedented disruption in 2021: the aforementioned ransomware, increased speeds of digital transformation and a shift to remote work triggered by the COVID-19 pandemic that is unlikely to shift back in the next few years.

In terms of industries hit the hardest, Claroty found that IT hardware, oil and gas, water and waste and automotive companies were the hardest hit, with 90% of respondents from those industries reporting their organization faced a ransomware attack in the last year. In the electric energy and heavy industry sectors that number is barely lower, with 87% reporting a ransomware attack in 2021.

Among those hit, roughly half report a substantial impact to more than one site or function of at least several days, and about half said that the ransomware affected either OT/ICS or both IT and OT/ICS systems.

More than 90% of respondents said that COVID-19 accelerated their digital transformation initiatives, which Claroty said necessitates enhanced connectivity between IT and OT networks. Herein lies the problem: OT networks and the hardware that lives on them isn’t always designed to have a connection to the internet, even if indirect.

“Changes to OT/ICS environments also introduce risk by creating additional vectors for attackers. Results have played out in the headlines and spurred renewed warnings by the government on the risk of connecting industrial networks to IT networks and the need for a heightened state of awareness and controls,” the report said.

Add to that the fact that 73% of respondents say that remote work at their organization is likely to continue for the foreseeable future and you have a recipe for a security nightmare that has been clearly spelled out before.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

How to minimize your OT/ICS trifecta risks

If remote work and OT/ICS-exposing digital transformation are what open you up to increased risk, then ransomware is what that increased risk opens you up to. Things may seem grim based on the numbers Claroty presents, but that’s not the conclusion it draws.

“Organizations across the globe have strong executive leadership and trusted cybersecurity experts at the helm. Standing together, they are on the right track,” the report concludes.

Staying on the right track isn’t effortless though, which is why Claroty makes five recommendations to companies worried about facing more of the same risk trifecta in 2022:

• Extend risk governance to include all industrial IoT, ICS, and enterprise IoT components: It’s these that introduce much of the risk to OT networks.
• Segment your network to ensure nothing but essential communication passes between IT and OT networks. Claroty also recommends virtually segmenting OT and ICS networks to prevent lateral movement if an attacker is able to penetrate it.
• Practice good OT/ICS/IoT cyber hygiene. This includes regularly updating devices, ensuring there aren’t any shared passwords being used, enacting MFA, and the like.
• Implement monitoring software that can cross the boundaries between IT and OT networks. Make sure that IT and OT have access to the same information and reports to streamline management and mitigate risk.
• Practice makes perfect, so be sure you run regular tabletop ransomware exercises. Have thorough after-action reviews to find weak spots, and shore them up with additional training, resources, and software as needed.