For some time it has been the bogeyman of all CIOs and CISOs, but also of production managers: ransomware, malware that arrives from the network and can block the factory, followed by a ransom demand in order to restart production.

Unfortunately, we know that ransomware can easily get deep into an organization. All it takes is a moment, a sneaky e-mail containing an attachment or a link that should not have been opened, and the nightmare begins: files get encrypted, PCs crash and production goes haywire.

In the recent SANS document, the 2021 OT/ICS Cybersecurity Survey, 54.2% of the nearly 500 CIOs surveyed highlight ransomware as the most feared threat.

In recent weeks NIST (the National Institute of Standards and Technology), the US body that also issues standards on cyber security, published a draft of the NISTIR 8374 document "Cybersecurity Framework Profile for Ransomware Risk Management" for public comment. The report clearly does not refer only to the assessment and mitigation of ransomware risk in the factory, but it gives good indications on how to deal with this type of threat which, as we have seen, also affects the systems and networks that manage plants in industry and utilities.

But what can be done to avoid falling victim? And in the unfortunate event that ransomware hits our production systems, what should be done?

One premise holds in all cases: by the time the malware has reached the factory it is too late to find adequate countermeasures, so it is better to think about it beforehand and be prepared.

So here are some points to consider for an in-factory ransomware protection strategy:

  • Always have an antivirus product active if possible, and set the software to automatically scan e-mail, connected USB drives and logical disks.
  • Keep PCs and servers up to date: schedule checks to identify available patches and install them as soon as possible.
  • Segment networks: segment internal networks to prevent malware from proliferating among potential target systems, and segregate critical assets and servers.
  • Continuously monitor directory services (and other related primary files) for indicators of compromise or of an ongoing attack.
  • Block access to potentially harmful websites: use products or services that block access to servers, IP addresses, ports and protocols known to be harmful or suspected of being indicators of harmful activity against the system.
  • Only allow authorized software and applications: configure operating systems and/or third-party software to run only authorized applications. Establish periodic review processes for adding or removing authorized applications (white/black listing).
  • Use standard user accounts: avoid using accounts with administrative privileges whenever possible.
  • Restrict personal devices (notebook PCs, smartphones, tablets, etc.) on factory/company networks.
  • Avoid using personal apps, such as e-mail, chat and social media, from workplace PCs connected to the corporate network.
  • Social engineering awareness and training for all contributors: do not open files or click on suspicious links, from unknown or even known sources, without first running a virus scan or looking closely at the links.
  • Assign and manage appropriate access credentials for all PCs, servers and software in use in the company, and periodically verify that each account has only the access it needs.
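The "monitor for indicators of an ongoing attack" item above is where a defender's detection logic lives. The following Python script is an added example, not code from the original post or from ServiTecno: it reads constructed file-server audit lines and flags a host when it renames many files to an extension not normally seen on the share within one minute, or when it touches a canary file that no legitimate process should modify. The log format, field names, extension list, canary path and thresholds are assumptions made for the example.

```python
"""Detect ransomware-like file activity in a file-server audit log.

Added example, not from the original post: a sliding-window detector
that alerts when a host renames too many files to an unfamiliar
extension within a short interval, or modifies a canary file.
Log format, extensions, paths and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions that are normal on this file server (assumption for the example).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "csv", "txt", "dwg", "plc", "bak"}
# Files that exist only to be watched; any modification is suspicious.
CANARY_PATHS = {"/shares/engineering/_do_not_touch.docx"}

RENAME_THRESHOLD = 20           # renames to unknown extensions ...
WINDOW = timedelta(seconds=60)  # ... within this interval trigger an alert


def parse_event(line):
    """Parse one audit line: '<ISO time> <host> <action> <path> [-> <new_path>]'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    host, action, path = parts[1], parts[2], parts[3]
    new_path = parts[5] if action == "RENAME" and len(parts) > 5 else None
    return ts, host, action, path, new_path


def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return a list of (host, reason) alerts, at most one per host and reason."""
    alerts = []
    seen = set()
    windows = defaultdict(deque)  # host -> timestamps of suspicious renames
    for line in lines:
        ts, host, action, path, new_path = parse_event(line)
        if path in CANARY_PATHS and action in {"WRITE", "RENAME", "DELETE"}:
            key = (host, "canary file modified")
            if key not in seen:
                seen.add(key)
                alerts.append(key)
        if action == "RENAME" and new_path and extension(new_path) not in KNOWN_EXTENSIONS:
            q = windows[host]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop events outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                key = (host, "mass rename to unknown extension")
                if key not in seen:
                    seen.add(key)
                    alerts.append(key)
    return alerts


def sample_log():
    """Constructed sample audit lines: normal traffic plus one noisy host."""
    base = datetime(2021, 9, 15, 8, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=5)).isoformat()} hmi-01 WRITE /shares/line2/recipe_v3.xlsx",
        f"{(base + timedelta(seconds=9)).isoformat()} hmi-01 RENAME /shares/line2/old.csv -> /shares/line2/old.bak",
    ]
    for i in range(25):
        t = (base + timedelta(seconds=10 + i)).isoformat()
        lines.append(f"{t} eng-ws-07 RENAME /shares/engineering/drawing_{i}.dwg"
                     f" -> /shares/engineering/drawing_{i}.dwg.locked")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} eng-ws-07"
                 " WRITE /shares/engineering/_do_not_touch.docx")
    return lines


if __name__ == "__main__":
    for host, reason in detect(sample_log()):
        print(f"ALERT {host}: {reason}")
```

The threshold and window need tuning per site: a legitimate bulk operation such as archiving a set of PLC projects can look like a burst of renames, so a known-good process or account list belongs next to the extension allowlist before this runs in production.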

Some changes/adjustments at an organizational level will also have to be foreseen, especially in the phases of emergency management and restart after a ransomware incident (Emergency & Disaster Recovery).

Here are some steps that organizations can take in the event of a Ransomware incident:

  • Have a recovery plan: develop and implement a post-incident recovery plan with defined roles and strategies for each decision-making process. This can be part of a business continuity plan. The plan should identify business-critical services to enable recovery prioritization and business continuity plans for those critical services.
  • Data backup, secure storage and restore testing: carefully plan, adopt and test a backup and recovery strategy for the data and software necessary for restarts, without forgetting adequate protection and safe storage of backups of important data.
  • Have an emergency contact list: maintain an up-to-date list of internal and external contacts to be activated and consulted in the event of a ransomware attack, including law enforcement.
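The backup item above hinges on one word: test. A backup that has never been restored is an assumption, not a recovery plan. The following Python script is an added example, not code from the original post or from ServiTecno: it builds a SHA-256 manifest of a backup set, then proves a restore by recomputing hashes on the restored copy and reporting every missing or altered file. The directory layout and file contents are constructed for the example.

```python
"""Backup manifest and restore test.

Added example, not from the original post: build a SHA-256 manifest of
a backup set, then verify a restore by recomputing the hashes on the
restored tree. Directory layout and file names are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map each file (relative POSIX path) under source_dir to its SHA-256 digest."""
    source_dir = Path(source_dir)
    return {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }


def verify_restore(restore_dir, manifest):
    """Compare a restored tree against the manifest.

    Returns a dict with 'missing' and/or 'altered' lists of relative paths;
    an empty dict means the restore reproduced every file exactly.
    """
    restore_dir = Path(restore_dir)
    problems = {"missing": [], "altered": []}
    for rel, digest in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            problems["missing"].append(rel)
        elif sha256_file(p) != digest:
            problems["altered"].append(rel)
    return {k: v for k, v in problems.items() if v}


def restore_test_demo():
    """Run a backup -> restore -> verify cycle on constructed data.

    Returns (result_of_good_restore, result_of_bad_restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "plc_projects"          # constructed "production" data
        (src / "line1").mkdir(parents=True)
        (src / "line1" / "main.plc").write_bytes(b"PROGRAM main ... END_PROGRAM")
        (src / "recipes.csv").write_text("id,temp\n1,180\n")

        manifest = build_manifest(src)
        # Store the manifest with the backup; keep an offline copy as well,
        # since a manifest the attacker can rewrite proves nothing.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulate a clean restore into a fresh location.
        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        good_result = verify_restore(good, manifest)

        # Simulate a bad restore: one file altered, one file missing.
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "recipes.csv").write_text("id,temp\n1,999\n")
        (bad / "line1" / "main.plc").unlink()
        bad_result = verify_restore(bad, manifest)

        return good_result, bad_result


if __name__ == "__main__":
    ok, broken = restore_test_demo()
    print("clean restore:", ok or "all files verified")
    print("bad restore:", broken)
```

In practice the verify step runs against a restore performed from the offline or immutable copy, on a machine that is not the one being backed up, on a fixed schedule; the manifest is what turns "the backup job reported success" into "the files we need are actually back".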

Here are the five functions provided by NIST as described in the Cyber Security Framework:

Identify: i.e. develop an organizational understanding to manage cybersecurity risk across systems, people, assets, data and capabilities. The activities of this Identify Function are critical to effective use of the Framework. Understanding the business context, the resources that support critical functions, and related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Protect: i.e. develop and implement appropriate security measures to ensure the provision of critical services. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event.

Detect: i.e. develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect function enables timely discovery of cybersecurity events.

Respond: i.e. develop and implement appropriate activities to take action on a detected cybersecurity incident. The Respond function makes it possible to contain the impact of a potential cybersecurity incident.

Recover: i.e. develop and implement appropriate activities to maintain plans for resilience and restore all capabilities of services that have been compromised due to a cybersecurity incident. The Recover function allows the timely recovery of normal operations in order to reduce the impact of an information security incident.

Sign up for mcT Cyber Security: at 11:30 in the Sala Arena do not miss our speech "IT/OT and information infrastructure convergence: what are the implications for cyber security?", speaker Mario Testino, COO of ServiTecno, and at 15:00 our workshop.


ServiTecno can support you in defining a correct management strategy for all aspects related to factory CyberSecurity through state-of-the-art services, solutions and technologies, in particular:

  • Assessment on networking and factory OT devices
  • OT cyber security posture assessment
  • Definition of an effective OT disaster recovery plan
  • Dedicated trainings
  • OT visibility systems: anomaly and vulnerability detection (Nozomi)
  • Adaptive network protection technologies: "fuses", "diodes" (Bayshore Networks)
  • Active external VPN access management systems (Bayshore Networks)

Do you want to know more about our offer? Contact us.