Back in early June, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published a fact sheet discussing the rising threat of ransomware to operational technology (OT) assets. This development raises several questions. Why is ransomware a threat to OT environments? And what can organizations do to protect their OT assets against ransomware?
To find out, I sat down for a chat with three Tripwire experts: Britney Palmer, account executive here with Tripwire; Lamar Bailey, senior director of cybersecurity for Tripwire; and Zane Blomgren, security senior engineer at Tripwire. Here’s what they had to say.
A Quick Overview of Ransomware and the Colonial Pipeline Attack
Richard Springer: Lamar, could you help level-set the audience and introduce ransomware?
Lamar Bailey: Ransomware is a subset of what we call “malware.” Malware is basically anything that you don’t want on your system that can come through various means. That said, ransomware is a little bit different. When it gets onto a system, the purpose of it is to basically hold that system and that data for ransom. The attackers will oftentimes steal the data on the system, encrypt the drives, encrypt all the data, and then charge you money to unencrypt it.
A couple of things to think about with ransomware. First, it costs you downtime plus the money you pay to get your data back. Second, just because you pay the ransom does not mean that the attackers will give you back your data and not come back to re-encrypt everything a week later.
RS: Thank you, Lamar. Britney, I’m going to turn to you about the oil and gas side and all things Colonial. Could you paint a picture of pre-Colonial and post-Colonial with regards to how ransomware has affected your customers?
Britney Palmer: I think the biggest thing is that the Colonial Pipeline incident has brought a lot of awareness. The mindset of “It won’t happen to me” is now shifting to “It might happen to me, and if it does, what are my next steps?” A lot of our customers are saying, “Well, I want to mitigate the risk.” That’s what we’re here to help them with.
With the Colonial Pipeline attack, the breach was on the information technology (IT) side, but it really affected OT. And so now they’re saying, “Okay, I need to get more visibility. I need to become aware of what’s on my network, of what’s vulnerable, so that this doesn’t happen to me.”
The Impact on OT Environments
RS: Shifting gears now. Lamar, using what we just discussed with ransomware and OT, could you talk specifically about how ransomware is a threat in the OT space?
LB: A lot of the systems in OT are running IT systems, Windows, or embedded Linux. These are OSes (operating systems) and applications that attackers know very well. They’ve been going after these for years, and all of a sudden, they’re like, “Wait a minute. These also exist in this other realm over here.”
When you attack one company that’s just producing software, then you’re shutting them down for a period. When you attack something that’s in critical infrastructure, then you’re not only shutting down that company, you’re hurting their customers. You’re hurting that area of the country.
Acknowledging that, there’s been a lot more interest from ransomware actors when it comes to OT environments. If you’re delivering gas to half the United States, you’re going to be more inclined to pay a ransom quickly than someone who’s writing software for customers and users.
There’s a couple of other interesting points there, too. First, the industrial piece of it is we’ve got a twofold risk portfolio: the cyber risk of an attack and the production risk of experiencing an outage. Second, there’s the question of who’s behind all of this. Ransomware is a legitimate business, after all. There are franchises. There are shared tactics, and there’s customer service in individual ransomware operations. It’s a lucrative business for those who engage in it.
How Tripwire Could Have Helped Detect the Colonial Pipeline Attack
RS: Let’s get Zane in here. Talking from the Tripwire lens, how could we have helped Colonial from an anti-ransomware standpoint?
Zane Blomgren: When you go back and look at a lot of security events, there’s typically multiple stages where you could have captured or detected malicious activity. So, you want to have multiple layers where you can detect or respond or do things.
Looking at the Colonial situation specifically, the initial breach came through a SonicWall VPN using a SQL injection. Through either credential theft or creation, something they created elevated privilege. This would have been something that Tripwire IP360, as an example, would have been able to detect.
Maybe you don’t have IP360 but are a Tripwire Enterprise customer. In that case, you can look at the MITRE ATT&CK Framework. That’s content you can pull down and leverage for security purposes. Indeed, our MITRE ATT&CK policy would have detected some of the infections to directories, the modifications to the registry and other types of events.
If we go along a little bit further, we can say there were directories that were created, information that was downloaded, and/or files that were sent or copied over. Tripwire can detect changes such as those. We can take that feed into something like Tripwire File Analyzer, a tool which can look at that file and alert on it. Those are just some of the places where detection should have occurred in the Colonial example and where Tripwire could have helped.
RS: Interesting. So, Britney, is there a rush-to-buy situation among your customers, or is the regulatory piece causing some confusion?
BP: It’s a mix of all of that. You’re going to have some that are a little bit more aggressive and going, “Okay, this is an issue. I don’t know what is on my network. I don’t know what’s vulnerable? I’m nervous. I need to get help.” Others are sitting back and seeing what’s going to happen.
Overall, a lot of what I’m seeing is that customers are starting to look at what the long-term effect is on their business. They’re reaching out and asking for help, and they’re starting to put money aside for this part of their business. We’re starting to see that become a big shift, with some even asking for pricing for budgeting reasons. “I need to understand the value behind this,” they say. “I need to see how it works on my network.”
Responding to Ransomware
RS: Lamar, could you briefly talk about a response plan in regards to ransomware?
LB: Yes. Ransomware accords with old adage, “An ounce of prevention is worth a pound of cure.” It’s probably an ounce of prevention is worth a $30 million of cure, in this case. Once you’ve got ransomware, it’s very hard to get it cleaned up.
The thing that I try to suggest that people do is run scenarios within their company at least quarterly to see how they would respond to ransomware if it happened. So, get your response plan made out. Figure out which assets are the most critical to you and what the consequence of a ransomware attack would be on them. If those assets go down, do you have a plan for bringing them back up? Do you have a spare that you can bring up that you’ve kept locked in a closet?
RS: Thanks for your answer, Lamar. I want to thank our panelists here for their excellent insights and advice.
Tripwire and the Ransomware Threat
For more insights on how Tripwire can help organizations keep their OT assets safe against ransomware, check out this blog post.