
Ransomware Contingency Planning for ICS
November 23, 2020 | Robert Bergman
As we have discussed elsewhere, ransomware attacks on ICS are on the rise and the OT data and functions hosted by Windows applications are the most vulnerable. You will be at less risk if your core controls are intrinsically authenticated and encrypted. That will make it much harder for attackers to manipulate your processes. However, lack of HMI visibility or even inability to maintain process history can still force a shutdown. Defensive measures to keep ransomware out of your system are fundamental, but the best thing you can do to protect your operations is to have a recovery plan in place. Yet, according to ICS security consultant Dale Petersen, many ICS managers falsely believe that the ICS redundancy itself is enough protection.
“For a community that preaches availability as the most important ICS goal in the C-I-A triad, it is surprising that recovery capabilities are so often lacking. This is primarily due to a reliance on redundancy that has served the ICS community well to date. The ICS doesn’t go down because there are redundant servers, networks, power, control centers, …,” he writes in a recent LinkedIn post. “This redundancy is highly effective against most causes of ICS outages, but it is ineffective against a cyber-attack. The same attack that took out the primary will usually work on the secondary or standby cyber asset. And they are all networked together.”
Petersen believes, however, that the reality of ICS ransomware can make it easier to convince reluctant asset owners of the need for contingency planning in the event of a ransomware attack. He suggests running a tabletop exercise in which ransomware has impacted all Windows computers. The exercise helps determine the shortest time to recover access to systems, which is known as a recovery time objective or RTO, with the ultimate RTO target being zero.
“There isn’t necessarily a need to recover all of the computers to meet the RTO. Creative thinking and advance planning will identify alternatives to achieve the ICS’s purpose. For example, you may only need to recover a server and two workstations to be able to monitor and control the critical functions for a short time. Or you could run certain parts of the system manually, and the RTO could be getting the right people to the right places. The key is to have thought this out and tested it prior to it happening,” Petersen writes.
RTOs have been most common in the IT world. IBM defines an RTO as “the amount of time an application can be down and not result in significant damage to a business and the time that it takes for the system to go from loss to recovery. This recovery process includes the steps that IT must take to return the application and its data to its pre-disaster state.”
But the growing presence of ransomware in OT makes contingency and back-up planning essential for companies that want to minimize the risk of downtime. Petersen continues:
“While ransomware has infected ICS, the more common case is ransomware has caused ICS and the underlying process to shut down because necessary supporting systems are unavailable. For example, a factory may be unable to continue to produce goods because the shipping related systems are down. The factory can only pile up so much product. Or the scheduling system is down. Or the recipe system is down,” he writes, urging asset owners to look into segmenting or protecting such enterprise applications and determining their RTO.
For more information on ICS ransomware, read “CISA Issues New Ransomware Guide.”