
How to mitigate ransomware risks against critical infrastructure


As the recent ransomware attack on the U.S.’s second-largest meat producer, JBS, made clear, cyberattacks on critical infrastructure can cause harm beyond the digital realm. By encrypting key data and IT systems, the attack forced JBS to shut down its production facilities for days, only narrowly avoiding nationwide shortages of beef, pork and chicken.

As long as ransomware attacks remain both lucrative and relatively easy for cybercriminals, they’ll continue to be a threat to critical infrastructure from the food supply chain to fuel pipelines.

People often think about security as a binary: a system is either secure or insecure. In reality, security is about managing risk effectively. No organization has the resources to prevent 100 percent of intrusion attempts and other security incidents. However, you can take steps to ensure that when an attack does occur, the damage is contained and minimized as much as possible.

The key to mitigation is early detection — and failing that, good backups

One of the reasons ransomware attacks are so damaging is because they’re so public. It’s difficult to conceal a total business stoppage. The resulting issues — like shortages, panic buying and price spikes — also attract headlines and attention. So, many victims feel pressure to pay the ransom quickly in hopes of restoring their systems and resuming operations. However, ransoms are expensive — JBS reportedly paid $11 million — and there’s no guarantee that attackers will stick to their word after receiving the cash. Many also get hit a second time.

Fortunately, few attacks start with ransomware, which gives you an opportunity to detect, isolate and mitigate threats before severe damage occurs. When we investigate ransomware incidents for clients, we usually find that malware or some other compromise has been present in the environment for anywhere from a few months to more than a year before the ransomware was deployed.

When they first gain access to a system, attackers sniff out useful information like credit card numbers or Social Security numbers, which they can steal without being detected. It's only after they've exhausted their other options for making money that attackers deploy ransomware to extract a final payout from the breach.

Five steps to reduce your ransomware risk

If you can detect an intrusion in a few days instead of a few months, you’ll significantly limit the fallout from the attack — and probably prevent the attackers from using ransomware at all. But if you do get hit with ransomware, the right preparations can help you recover quickly with less long-term damage to your business.

Don’t neglect asset management. It sounds obvious, but a big part of security is simply knowing what’s in your environment. You can’t patch an application if you don’t know it’s running on a system in your network. Besides simply taking inventory of the systems you have, prioritize them by business criticality and look for interdependencies between them. For example, maybe your customer relationship management (CRM) software won’t function unless your email server is running. Identify critical systems that are at the center of multiple dependencies or that control critical infrastructure, such as industrial equipment, and focus on hardening those assets against attacks. Every company has finite resources to devote to security, and you want to defend the most important parts of your network first.
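One way to turn the inventory-plus-dependencies exercise into something you can act on is to model the dependencies as a graph and rank each asset by its blast radius: its own criticality plus the criticality of everything that stops working if it is lost. The script below is an added example, not code from the article or from Core BTS; the asset names, criticality scores and dependency edges are constructed for illustration.

```python
"""Rank assets by blast radius: own criticality plus that of every system
that transitively depends on them.

Added example (not from the article). ASSETS and DEPENDENCIES below are
constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed inventory: asset name -> business criticality (1 = low, 5 = high)
ASSETS = {
    "email-server": 3,
    "crm": 4,
    "plc-line1": 5,          # industrial equipment on the plant floor
    "scada-hmi": 5,
    "active-directory": 4,
    "file-server": 2,
    "jump-host": 3,
}

# Constructed dependencies as (dependent, dependency):
# ("crm", "email-server") means "crm won't function unless email-server is up".
DEPENDENCIES = [
    ("crm", "email-server"),
    ("crm", "active-directory"),
    ("email-server", "active-directory"),
    ("file-server", "active-directory"),
    ("scada-hmi", "jump-host"),
    ("plc-line1", "scada-hmi"),
    ("jump-host", "active-directory"),
]


def build_reverse_graph(edges):
    """Map each dependency to the set of assets that directly depend on it."""
    dependents = defaultdict(set)
    for dependent, dependency in edges:
        dependents[dependency].add(dependent)
    return dependents


def transitive_dependents(asset, dependents):
    """All assets that fail (directly or indirectly) if `asset` is lost.

    Breadth-first walk with a visited set, so dependency cycles terminate.
    """
    seen = set()
    queue = deque(dependents.get(asset, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(dependents.get(node, ()))
    return seen


def blast_radius(asset, assets, dependents):
    """Criticality of the asset plus that of everything depending on it."""
    affected = transitive_dependents(asset, dependents)
    return assets[asset] + sum(assets[a] for a in affected)


def rank_assets(assets, edges):
    """Return (score, asset) pairs ordered by blast radius, highest first."""
    dependents = build_reverse_graph(edges)
    scored = [(blast_radius(a, assets, dependents), a) for a in assets]
    scored.sort(key=lambda pair: (-pair[0], pair[1]))
    return scored


if __name__ == "__main__":
    # Hardening budget goes to the top of this list first.
    for score, name in rank_assets(ASSETS, DEPENDENCIES):
        print(f"{score:3d}  {name}")
```

On this constructed inventory the directory service comes out far ahead of the PLC itself, even though the PLC has the highest individual criticality, because everything on the plant-floor path (jump host, HMI, PLC) and the office side depends on it. That is the kind of hidden chokepoint the dependency mapping is meant to surface.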

Segment your network. In the same way that most ransomware attacks don’t start with ransomware, most attacks on critical infrastructure don’t start with a breach of those systems. Instead, cyberattackers gain access to less secure, lower priority elements and leapfrog to more attractive targets from there. By segmenting your network, you’ll make it harder for attackers to reach their targets.

Monitor systems closely. It’s not enough to just monitor firewalls or server logs anymore. To swiftly detect intrusions in today’s connected environment, you must regularly check for anomalies across dozens of components, including cloud infrastructure and connections to third parties. Invest in security staff, tools and resources so that you can effectively monitor relevant logs and artifacts.

Back up your systems properly. If you get hit with ransomware, you may need to rebuild all your tech infrastructure from scratch. So, it's incredibly important to have adequate backups on hand to expedite the process. Don't assume the backup procedures you already have in place are up to the task; review them with ransomware in mind. For example, since a ransomware attack is often preceded by a months-long malware infection, consider storing backups for a longer period of time so you have a clean, uninfected copy of your system configurations and data. In addition, vary your backup strategy so that not all backups sit on one server or one technology. Use local, cloud and offsite options to ensure maximum coverage, and keep at least one copy that the production network cannot overwrite or delete, since attackers routinely encrypt or wipe any backups they can reach before detonating the ransomware.

Remediate weaknesses after an attack. It's no use restoring your systems if you leave the same vulnerability open to exploitation again. After a ransomware attack, invest in forensics to determine how attackers gained access to your systems. Then, close that point of entry and address any other weaknesses that allowed the attacker or malware to move through the network. And as mentioned in the previous point, avoid restoring from backups that already contain the malware that caused the initial breach.
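The two backup points above (retention long enough to reach back before the compromise, copies spread over more than one technology, and never restoring a copy that already carries the intruder's malware) can be checked mechanically once forensics has given you a suspected compromise date. The script below is an added example, not code from the article or from Core BTS; the snapshot inventory and the compromise date are constructed for illustration.

```python
"""Review a backup inventory with ransomware in mind.

Added example (not from the article). SNAPSHOTS and SUSPECTED_COMPROMISE
are constructed for illustration.

Checks, per asset:
  1. at least one copy predates the suspected compromise date established
     by forensics (otherwise every restore point may carry the malware);
  2. copies are spread over at least MIN_DISTINCT_TIERS storage
     technologies/locations rather than a single server.
"""
from datetime import date

# Constructed inventory: (asset, storage tier, snapshot date)
SNAPSHOTS = [
    ("crm", "local-nas", date(2021, 6, 1)),
    ("crm", "cloud", date(2021, 5, 25)),
    ("crm", "offsite-tape", date(2020, 12, 15)),
    ("email-server", "local-nas", date(2021, 6, 1)),
    ("email-server", "local-nas", date(2021, 5, 1)),
    ("scada-hmi", "cloud", date(2021, 5, 30)),
    ("scada-hmi", "cloud", date(2021, 4, 30)),
]

# Constructed: earliest evidence of intruder activity found during forensics.
SUSPECTED_COMPROMISE = date(2021, 1, 15)

MIN_DISTINCT_TIERS = 2


def _group_by_asset(snapshots):
    by_asset = {}
    for asset, tier, when in snapshots:
        by_asset.setdefault(asset, []).append((tier, when))
    return by_asset


def newest_clean_copy(asset, snapshots, suspected_compromise):
    """Newest (tier, date) snapshot taken strictly before the compromise date,
    or None when retention does not reach back that far."""
    clean = [
        (tier, when)
        for name, tier, when in snapshots
        if name == asset and when < suspected_compromise
    ]
    if not clean:
        return None
    return max(clean, key=lambda copy: copy[1])


def review_backups(snapshots, suspected_compromise, min_tiers=MIN_DISTINCT_TIERS):
    """Return {asset: [finding, ...]}; an empty list means the asset passes."""
    findings = {}
    for asset, copies in _group_by_asset(snapshots).items():
        problems = []
        if newest_clean_copy(asset, snapshots, suspected_compromise) is None:
            oldest = min(when for _, when in copies)
            problems.append(
                f"no copy predates suspected compromise "
                f"({suspected_compromise}); oldest is {oldest}"
            )
        tiers = {tier for tier, _ in copies}
        if len(tiers) < min_tiers:
            problems.append(
                f"all copies on a single tier ({', '.join(sorted(tiers))})"
            )
        findings[asset] = problems
    return findings


if __name__ == "__main__":
    for asset, problems in review_backups(SNAPSHOTS, SUSPECTED_COMPROMISE).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{asset:14s} {status}")
```

With this constructed data the CRM passes only because an offsite tape from December survived; the mail server and HMI have nothing older than the compromise date and all of their copies sit on one tier, so a restore from any of them would bring the intruder's foothold back with it. Run the same review before an incident, with a pessimistic compromise date a year back, to see whether your retention window is longer than the dwell time you would expect to find.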

The threat of ransomware isn’t going to go away anytime soon, particularly for companies that touch critical infrastructure. While there’s no foolproof solution, performing due diligence by boosting monitoring, segmenting your network and backing up your most vital systems can go a long way toward reducing your risk — and mitigating the damage if and when your organization is targeted by attackers.

Tim Grelling, CISO, Core BTS

Tim Grelling is the CISO at Core BTS, a national network solutions provider.