
Ransomware Attacks: CISA Shares Operational Tech Asset Security Guide

In response to ongoing ransomware attacks targeting operational tech assets and control systems of critical infrastructure entities, CISA published a guide to mitigation and response.


By Jessica Davis

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency unveiled guidance for defending against ransomware attacks targeting operational technology assets and control systems, in light of the rise in critical infrastructure attacks.

The guidance joins a host of federal agency and White House efforts to crack down on ransomware and improve threat sharing between entities, as the frequency and disruption of attacks continue to ripple across the country.

From the massive SolarWinds and Accellion hacks, to recent hospital outages and attacks against transportation entities, security leaders are increasing pressure on the Biden Administration to better combat these threats and strengthen the country’s cyber posture.

Particularly as healthcare remains a top target in these attacks, healthcare entities should review the insights to ensure they’re employing best practice defenses.

The guide aims to support entities in improving overall functional resilience and in reducing both the likelihood of a successful ransomware attack and the risk of severe business disruptions after a security incident.

Further, system administrators can use the insights to determine the steps needed to prepare for, mitigate, and respond to cyberattacks, as well as to better understand the interdependent relationship between IT and OT systems and why it’s such a prime target for hackers.

“OT components are often connected to IT networks, providing a path for cyber actors to pivot from IT to OT networks,” according to the guide. “As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.”

“Given the importance of critical infrastructure to national security and America’s way of life, accessible OT assets are an attractive target for malicious cyber actors seeking to disrupt critical infrastructure for profit or to further other objectives,” it added. 

In response, CISA is urging all critical infrastructure asset owners and operators to adopt a heightened state of awareness, while implementing the recommended measures in the guidance.

Administrators should identify the critical processes specific to their enterprise, meaning the systems that must continue uninterrupted to provide essential services. They should then develop and regularly test manual controls and workarounds to ensure those processes, and the networks that support them, can be isolated and continue operating without IT network access during an event.

Those processes include building a complete asset inventory of the components and devices that support operational processes and evaluating the cyber risk of OT assets. CISA also recommended the development of an accurate, “as-operated” OT network map, including network interdependencies.

Other recommendations include the implementation of robust segmentation between IT and OT networks and ensuring implemented backup procedures are regularly tested and isolated from network connections.

CISA also provided steps for incident response and resilience plans, as well as the elements that make up industry-standard “good cyber hygiene,” such as software update processes, allowlisting, access management and controls, and the use of multi-factor authentication.

The guidance also provides best practice recommendations for responding to a ransomware attack, from the initial attack assessment to engaging your internal and external teams and stakeholders to support attack mitigation, response, and recovery.

Administrators will also find a list of additional, free resources and how-to reporting steps for threat sharing with appropriate law enforcement entities.

“CISA offers a variety of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By enrolling in these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors,” the guide authors wrote.