Deloitte Ransomware

Ten key questions and actions to tackle ransomware in critical infrastructure

Critical infrastructure assets are high-value targets for state-based cyber espionage and asymmetric warfare, as well as for active ransomware criminal organisations, which are becoming more prevalent. 2020 was marked by a major surge in cyber-criminal activities, particularly ransomware assaults, which was aided by growing digitization. But, in their escalating ambition to earn higher rewards, can ransomware groups cause significant disruptions to the energy grid and other critical services?

Think about what we already know:

  • Against January 1, 2020, cybercriminals launched an attack on several industrial sites, including water treatment plants, manufacturers, and even a nationally significant pipeline operator in the United States. Following the pipeline attack, there was a severe shortage of fuel in a wide area, affecting gas stations as well as airports, the military, and even home heating. (3) There is no doubt about the ability to cause severe and widespread disruption. Moreover, as a result of a successful cyberattack on critical infrastructure, all of our important services are increasingly at risk, including:

operations are disrupted, as is the supply of essential commodities such as electricity and fuel; dependent services, such as emergency services and hospitals, suffer shortages or are compromised as a result of collateral damage; revenue is lost; reputation is harmed, and litigation or regulatory consequences resulting from the service outage, and an economy comes to a grinding halt in the event of an extended and severe outage; and

The ransomware landscape

The widespread downstream consequences of the pipeline operator ransomware assault in the United States in May 2021 were not the first of their kind. Ransomware assaults on Taiwan’s main domestic energy provider caused widespread disruptions at many of the country’s gas stations a year earlier, as part of a series of targeted attacks on the country’s essential infrastructure. Ransomware groups have now set their sights squarely on the world’s essential infrastructure and have begun what is known as ‘big game hunting’ campaigns, which explains an estimated 500 per cent increase in attacks on industrial organisations between 2018 and 2020, according to security researchers. (4) While this is happening, we are also witnessing an increase in the number of ransomware programmes that include capabilities that explicitly target industrial control systems.

Why are ransomware attacks so successful?

Due to the denial of access to critical systems, ransomware has the potential to cause an organization’s operations to be severely compromised. As ransomware gangs have become more sophisticated, the threat to critical infrastructure has increased as well. Organizations are increasingly embracing digitisation to meet stakeholders’ demands for simplicity, efficiency, and value while also adhering to budget constraints. This includes integrating information technology (IT) and operational technology (OT), as well as leveraging cloud and Industrial Internet of Things (IIoT) technologies. Furthermore, the epidemic compelled many organisations to immediately implement remote access for their operations and maintenance workers. As a result of these modifications, operational technology (OT) settings are increasingly vulnerable to increasingly potent cyber assaults.

Ten questions to move forward

Critical infrastructure organisations must create transparency around key cyber risks, such as ransomware, so that leadership, boards of directors, and the C-suite can better monitor and address them—and maintain safety and reliability while modernising their operations—to better protect their customers and employees. Running through the following 10 essential questions should assist you in getting started with or re-evaluating your efforts to secure critical operational processes and systems from the threat of ransomware:

1. Has your organisation identified the most crucial business processes that are reliant on technological infrastructure?

What exactly are they? Who is the owner of these items? This investigation must be limited down to the essential functions that just cannot function successfully without the use of technology.

2. Is there a thorough ‘tree of dependencies’ for these essential business processes that encompass technology systems, suppliers, and people in the organisation?

It is critical to understand this mapping because it enables an organisation to identify the components that can create system failures or introduce ransomware into their network infrastructure. And then begin evaluating the failure possibilities that come from this.

3. Is it possible to obtain independent cyber risk assessments for each of these essential business operations and their interdependencies?

A clear picture will be provided of the particular vulnerabilities and dangers that fall outside of the risk appetite parameters.

4. Is there a framework of non-negotiable cyber controls for technology that underpins important business operations that have not been compromised?

Many cyber events, according to good practise frameworks such as the Australian Cyber Security Centre’s Essential Eight, as well as other research, are based on the exploitation of a small number of cyber hygiene concerns and control vulnerabilities. In regulated industries, non-negotiable controls will also be derived directly from obligatory standards, guidelines, or maturity models, as well as from other sources.

5. Is cyber risk owned by the business executives in your organisation, and do they work together, productively, and effectively?

This is a common problem in organisations when inefficient cyber risk management results in critical vulnerabilities remaining unaddressed for long periods. This occurs when official decisions about taking risks or paying repair are made in isolation, without coordination, or simply aren’t made at all—and as a result, aren’t followed through on.