CISA

Rising Ransomware Threat to Operational Technology Assets

Cybersecurity.JPG

OVERVIEW

In recent months, ransomware attacks targeting critical infrastructure have demonstrated the rising threat of ransomware to operational technology (OT) assets and control systems.1

OT components are often connected to information technology (IT) networks, providing a path for cyber actors to pivot from IT to OT networks.2 Given the importance of critical infrastructure to national security and America’s way of life, accessible OT assets are an attractive target for malicious cyber actors seeking to disrupt critical infrastructure for profit or to further other objectives. As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.

All organizations are at risk of being targeted by ransomware and have an urgent responsibility to protect against ransomware threats. Critical infrastructure asset owners and operators should adopt a heightened state of awareness and voluntarily implement the recommendations listed in this document, including:

• Identify critical processes that must continue uninterrupted in order to provide essential services;

• Develop and regularly test workarounds or manual controls to ensure that critical processes—and the industrial control system (ICS) networks supporting them—can be isolated and continue operating without access to IT networks, if needed;

• Implement robust network segmentation between IT and OT networks; and

• Ensure backup procedures are implemented and regularly tested and that backups are isolated from network connections.

These steps will help critical infrastructure owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if affected by ransomware.

CISA INSIGHTS Ransomware Outbreak

CISA.JPG

The Threat and How to Think About It

Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike. And that’s only what we’re seeing – many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on. We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?).

CISA’s Role as the Nation’s Risk Advisor

Helping organizations protect themselves from ransomware attacks is a chief priority for the Cybersecurity and Infrastructure Security Agency (CISA). We have assisted many ransomware response and recovery efforts, building an understanding of how ransomware attacks unfold, and what potential steps you can take to better defend systems. But we also recognize that there’s no such thing as perfect cybersecurity and ransomware infections can still happen, so we’ve also developed recommendations to help organizations limit damage, and recover smartly and effectively.

Ransomware Mitigations to Help You Defend Today and Secure Tomorrow

The below recommendations – our first “CISA INSIGHTS” product – lay out three sets of straightforward steps any organization can take to manage their risk. These recommendations are written broadly for all levels within an organization. It’s never as easy as it should be, so if you need help, we urge you to reach out for assistance – CISA is here to help, but so is the FBI, numerous private sector security firms, state authorities, and others.

Actions for Today – Make Sure You’re Not Tomorrow’s Headline:

1.Backup your data, system images, and configurations and keep the backups offline

2.Update and patch systems

3.Make sure your security solutions are up to date

4.Review and exercise your incident response plan

5.Pay attention to ransomware events and apply lessons learned

Actions to Recover If Impacted – Don’t Let a Bad Day Get Worse:

1.Ask for help! Contact CISA, the FBI, or the Secret Service

2.Work with an experienced advisor to help recover from a cyber attack

3.Isolate the infected systems and phase your return to operations

4.Review the connections of any business relationships (customers, partners, vendors) that touch your network

5.Apply business impact assessment findings to prioritize recovery

Actions to Secure Your Environment Going Forward – Don’t Let Yourself be an Easy Mark:

1.Practice good cyber hygiene; backup, update, whitelist apps, limit privilege, and use multifactor authentication

2.Segment your networks; make it hard for the bad guy to move around and infect multiple systems

3.Develop containment strategies; if bad guys get in, make it hard for them to get stuff out

4.Know your system’s baseline for recovery

5.Review disaster recovery procedures and validate goals with executives

Please visit the CISA Resource Page on Ransomware for more information. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

Love where you live...