Adaptive Segmentationmicro-segmentation November 22, 2022

Why Manufacturing Must Secure IIoT Resources Against Ransomware

Christer Swartz, Principal Technical Marketing Engineer

Ransomware is not a new security threat. It first appeared back in 1989 and was distributed via floppy disks.

But it has taken on a dramatic second life as the ideal modern criminal business model: hijacking critical resources in industrial environments in exchange for ransom.

Keyboards are more effective than guns in holding industrial infrastructures hostage. The problem is only going to get worse before securing digital assets are specifically addressed as a cybersecurity priority within the manufacturing and critical infrastructure sectors.

A large number of recent ransomware attacks have been directed at the manufacturing and critical infrastructure sectors, with these sectors traditionally focused on creating physical assets.

However, most of the manufacturing industry is fast migrating many of their compute platforms and remote-access solutions to the cloud, exposing their industrial control systems and factory sensors to attack vectors coming in from the cloud.

Ransomware attacks cost manufacturing millions each year

The manufacturing sector may traditionally consider itself to be largely immune from digital crime. But they’re wrong.

21 percent of ransomware attacks are against manufacturing, and the sector pays the highest amount of ransom of all industries at an average of $2.036 million in 2021.

All it takes is for a motivated hacker to breach a manufacturer’s cloud security tools and remotely access critical controllers or sensors – IIoT devices – deployed deep within an industrial or factory environment and disable them. This causes very real physical risks from digital intrusion, forcing the victim to make a choice between paying ransom or dealing with the fallout of disabled operations.

Most victims decide that paying ransom is the cheaper option, costing manufacturing organizations millions.

Ransomware is far too tempting of a target for the modern cybercriminal, with it being an almost certain guarantee of financial gain. Ransomware-as-a-service even exists on the dark web, complete with support contracts and help desks to assist aspiring cybercriminals in choosing their next victim.

And deploying ransomware is often the last step in the cybercriminal’s intrusion into an industrial environment. They first hunt for critical assets to disable, expose intellectual property, and learn what cybersecurity insurance coverage the intended victim has to set a price for ransom. Once this information has been extracted, the final step is to hold the infrastructure hostage in exchange for payouts, which the majority of victims choose to pay. It is a cybercriminal’s dream come true.

Ransomware attacks on manufacturing has real-world risks

The manufacturing sector has long perceived itself as mostly outside of the scope of cybercrime. If an industrial chain of factories produces energy, steel, food, or conducts mining operations, for example, how much of a risk are they to cybercrime?

In reality, the risk of cybercrime is high.

In 2015, it was reported that a steel mill in Germany experienced what was claimed to be the first example of physical damage as a result of a cyberattack. Cybercriminals managed to remotely access some critical control systems in the factory which were connected to their IT network, and these were disabled. This caused critical sensors to be unable to monitor heat levels in the factory, causing a blast furnace to become seriously damaged due to not being shut down automatically by these sensors.

The physical world was suddenly exposed to purely digital risks, and since then this fact has not gone unnoticed by cybercriminals.

Paying ransom: What are the risks?

Choosing to pay a ransom during an attack brings its own risks to the victim.

Increased cyberinsurance premiums

Cyberinsurance carriers are now facing serious loss of revenue as a result of paying out for ransomware attacks, something they were largely immune from before the rediscovery of ransomware.

Carriers are now compelling clients to implement some form of segmentation in their network as a way of making it more difficult for malware to move throughout the network. If clients agree to this, their monthly premiums can decrease – but cyberinsurance premiums have still increased significantly in the past years.

It is now in the potential victim’s best financial interest to take proactive cybersecurity seriously as opposed to simply relying on insurance to cover them.

Adverse legal consequences

The second risk is the fact that many ransomware gangs are based in countries which are on the U.S. government’s blacklist, the so-called OFAC Sanctions List (Office of Foreign Assets Control).

This is a list of foreign dictator regimes, narcotics traffickers, terrorist organizations, and weapons dealers against whom the U.S. has imposed economic and trade sanctions in the interest of national security. It is a crime for anyone in the U.S. to do business with those on the list.

If a ransomware gang from a sanctioned country holds a U.S.-based manufacturing asset hostage and the organization decides to pay the ransom, the organization risks being criminally liable for doing business with the gang.

Choosing what appears to be the financially cheaper option of paying ransom can easily expose the victim to unintentional criminal and adverse legal consequences.

Protecting industrial assets from cybercrime: Stop east-west lateral movement

Ransomware comes from somewhere, and that is generally from the IT side of the overall cyber architecture. All varieties of ransomware share one detail in common: They all like to move.

Once any workload is hijacked, ransomware will hunt for open ports on that workload to use as a vector to migrate laterally to the next workload, and onwards from there towards the industrial side of the fabric toward the intended targets.

While most security tools are deployed at the north-south boundary – preventing entry of malware into a data center or cloud – ransomware utilizes the fact that controlling east-west lateral propagation at scale is a problem that is still largely left unsolved.

The majority of the best-in-breed security tools deployed at the north-south boundary offer little protection for inevitable breaches and subsequent east-west lateral propagation within the trusted network.

Zero Trust Segmentation stops ransomware spread

Zero Trust requires enabling microsegmentation, also called Zero Trust Segmentation, of every workload in a compute environment, at any scale, and implementing a least-privilege access model between all of them.

That microsegmentation solution needs to define every workload as a unique trust boundary and do so without relying on any appliance in the underlying network or cloud fabric to do so. Workload segmentation should be as agnostic as possible to all other forms of segmentation.

The least-privilege access model between all workloads means that all ports between all workloads are denied by default. There is rarely a legitimate need for workloads to SSH or RDP laterally between each other. All modern operating systems have these ports enabled since they are used by administrators to remotely manage those workloads, but access is almost always restricted to specific centralized admin hosts. These ports need to be shut off everywhere by default, and then exceptions can be defined to allow access to only the authorized administrative hosts.

Segmenting every workload from every other workload and shutting down all ports laterally between them means that ransomware has no way of laterally propagating through the IT network and from there into the industrial operations side of the network.

Ransomware can breach the perimeter security solutions – however strong they may be – and once breached, the ransomware will hijack the first workload it can find. Zero Trust Segmentation can isolate that first hijacked workload, with all ports disabled between workloads and no vectors available for the ransomware to go anywhere deeper in the network.

Zero Trust Segmentation stops breaches from spreading throughout the IT infrastructure. And, in turn, protects the industrial systems located deeper in the core architecture.

Zero Trust Segmentation provides visibility into industrial infrastructure systems

A second aspect of Zero Trust Segmentation is visibility into traffic between all systems deployed in both the industrial and IT sides of the network. Traffic dependencies and behaviors between sensors and control systems, for example, need to be as clearly visible as traffic between systems in the IT network both on premises and in the cloud.

Illumio enables full visibility for both:

Managed workloads – those on which a virtual enforcement node (VEN) can be deployed to directly collect application telemetry

Unmanaged workloads – devices on which no VEN can be deployed, such as IoT devices like controllers, sensors, and IoT cameras deployed within the industrial core network

Illumio enables visibility from IoT devices by harvesting telemetry from network switches and load balancers via protocols such as Netflow, sFlow, IPFIX, and Flowlink, with all traffic between all of these systems displayed alongside all managed workloads in Illumio’s PCE (Policy Control Engine).

Policy is defined on the PCE the same way for both managed and unmanaged workloads, using labels to identify workloads rather than by their network address. Policy for unmanaged workloads is pushed down to switches and translated into access control lists (ACLs) which the switch can use to enforce policy between switch ports and into iRules. A load-balancer can then use this information to enforce policy there.

Illumio removes blind spots between digital devices end-to-end. This allows for a full Zero Trust visualization and label-based policy model to be implemented across the entire industrial control system and IT fabric.

Get ransomware protection for IIoT systems with Zero Trust Segmentation

Illumio Zero Trust Segmentation offers protection of all industrial environments, controlling all lateral propagation between workloads, and removing the attack vectors required for ransomware to propagate.

No industrial environment is immune to ransomware, whether large or small. OT systems, and IIoT systems deployed within the industrial architecture, do not need to be left exposed to the next opportunistic ransomware gang looking for their next target.

Illumio can protect the entire critical industrial IIoT environment from the impact of a ransomware attack, keeping your firm out of tomorrow’s newspaper as the latest victim of ransomware.

Want to learn more about containing ransomware with Zero Trust Segmentation? Visit our ransomware containment page.

Adaptive Segmentationmicro-segmentation
Share this post: