Correcting Your Ransomware Posture
August 26, 2021 | Robert Bergman
The Cybersecurity and Infrastructure Security Agency (CISA) has added a Ransomware Readiness Assessment (RRA) tool to its CSET cybersecurity defense toolbox. CISA developed the tool to respond to growing ransomware threats. The tool is designed to help business and government organizations understand their cybersecurity posture and how well-equipped they are to defend against or recover from a ransomware attack.
The RRA is also an improvement path, guided by a progression of basic, intermediate, and advanced questions covering the following recommendations:
- Back up critical data
Employ a backup solution that automatically and continuously backs up your business-critical data and system configurations. Ensure that the backed-up data is stored securely (encrypted) offsite or in the cloud and allows for at least 30 days of rollback. Periodically test your ability to recover data from backup.
- Filter out unauthorized websites
Leverage DNS filtering (AKA: DNS Blocking or DNS Firewall) with integrated threat intelligence to filter out connections to unauthorized websites, suspicious domain names, and known malicious domain names. Many effective commercial solutions are available to help with this, for free or at a low cost.
- Educate employees about phishing
Increase and maintain awareness of phishing threats. Conduct ongoing phishing and social engineering campaigns that randomly and periodically send simulated phishing emails to personnel. Offer phishing awareness training to staff to assist in recognizing and reporting phishing attacks. Utilize an SMTP (mail server) proxy that employs reputational (IP, URL, and sender) and traditional anti-SPAM and content filtering features.
- Monitor network perimeter
Look for suspicious activity and react quickly. Monitor internet traffic into and out of your organization. Be sure to use a product or service with integrated threat intelligence and consider subscribing to additional indicator sharing feeds, such as the Automated Indicator Sharing service that DHS provides to help identify attacks and bad actors.
- Manage assets
Protecting your systems requires knowing which devices are connected to your network, which applications are in use, who has access to them, and which security measures are in place. Cyber-readiness means keeping systems up-to-date and secure.
Be sure to remove unsupported or unauthorized hardware and software. Supported hardware and software generally allow you to receive updates and patches for vulnerabilities that otherwise are not available for unauthorized and unsupported assets. Inventory authorized hardware and software throughout your organization. Know the physical location and user of the hardware to keep patching updates current. This also allows for any unauthorized hardware or software to be identified and removed.
- Manage Patches and Updates
Make it generally harder for the bad guys by eliminating known vulnerabilities. Obtain, test, and deploy software and firmware patches as quickly as practical. Enable automatic updates whenever possible. Replace end of life (EOL) / unsupported operating systems, applications, and hardware with vendor-supported versions/models.
- Manage Users and Access
Implement policies, processes, and technologies that ensure only authorized users are granted the minimum privileges needed. Identify and deactivate unused accounts, eliminate shared accounts, remove unnecessary privileges, and enforce strong password policies. Monitor and analyze user activities for anomalous behavior such as access attempts outside of normal operating hours or from unusual locations.
Consider mechanisms that are stronger than password authentication such as biometrics, one-time passwords, and tokens for sensitive applications and functions. Multi-factor authentication, in particular, is highly recommended starting with privileged users first, then expanding to all users. User and Access Management will be a daunting and complex activity—and there is no “one size fits all” solution. Adopt a strategy appropriate to your organization and leverage a staged approach.
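As an added example (not code from the post or from CISA's tool), the following script implements the kind of user-activity check described above: it flags successful logins that fall outside an assumed business-hours window or originate outside assumed corporate address ranges. The log line format, the hours, the address ranges and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Added example (not from the post). Hours and corporate ranges are assumptions.
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

def parse_line(line):
    """Parse one auth log line; return None for malformed layout, timestamp or IP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec

def anomalies(rec):
    """Reasons a login looks anomalous; only successful logins are scored here."""
    reasons = []
    if rec["result"] != "success":
        return reasons
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if not any(rec["src"] in net for net in CORPORATE_NETS):
        reasons.append("unusual source address")
    return reasons

def scan(lines):
    """Return (user, iso timestamp, src, reasons) for each anomalous login."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = anomalies(rec)
        if reasons:
            findings.append((rec["user"], rec["ts"].isoformat(), str(rec["src"]), reasons))
    return findings

# Constructed sample log lines, not real data
SAMPLE_LOG = [
    "2021-08-20T09:15:02Z user=jsmith src=10.1.4.22 result=success",        # normal
    "2021-08-20T03:12:44Z user=jsmith src=10.1.4.22 result=success",        # 03:12 UTC
    "2021-08-20T14:03:10Z user=svc_backup src=203.0.113.9 result=success",  # external IP
    "2021-08-21T02:40:00Z user=admin src=198.51.100.7 result=failure",      # failure, ignored
    "garbage line",                                                         # malformed, skipped
]
```

Per-user baselines (usual hours, usual networks) replace the global constants in a real deployment; the structure stays the same.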
- Application integrity and allow list
Ensure your applications perform in a secure and as-intended manner by instituting an Application Integrity policy that allows only approved, authorized software and their libraries to load and execute. Monitor the integrity of approved applications with periodic checks of file hashes to ensure no unauthorized modifications have been made. As with identity and access management—due to the complexity and effort required—consider a staged, gradually phased-in approach starting with high impact endpoints (e.g., domain controllers, application servers, databases), followed by any remaining support systems, and ending with any remaining user workstations or endpoints.
- Risk Management (RM)
Invest in capabilities for your organization and staff. This includes not only investments in technology, but also continuous investment in cybersecurity training and awareness. Have conversations with your staff, business partners, vendors, managed service providers, and others within your supply chain. Use risk assessments to identify and prioritize the allocation of resources and cyber investment.
- Secure controls
This is one that we have added to the above list, not just to get an even number. For each of the CISA recommendations described above, the tool provides a set of assessment questions that could indeed help reduce risk and minimize the impact of a ransomware attack, as well as possible attacks from other malware, but they are far from foolproof. Anyone or anything that gets past those defenses gains access to your controls, which gives them greater leverage to extort money or otherwise create havoc with the performance and safety of your process. Making sure that your industrial control systems are intrinsically secure is a critical step in a comprehensive cyber security program.
For more information about combatting ransomware see: