Fortifying Your Operations Against Ransomware Threats
Milling operations, like any other business, can be severely disrupted by ransomware attacks without adequate preparation. According to a 2023 report by Sophos, a security solutions provider, the number of employees or the financial size of the organization has a minimal effect on whether or not the organization will fall victim to ransomware. Just because the size of a milling operation may be small does not mean it will be shielded from the potential devastation of a ransomware attack. It is imperative that all milling organizations dedicate the necessary time and resources to protecting against, responding to, and recovering from potential ransomware attacks.
Ransomware attacks can occur due to several different factors and affect organizations through exploiting vulnerabilities, compromised credentials, malicious emails, or phishing attacks. Organizations most susceptible to ransomware attacks often share common vulnerabilities that contribute to their compromise. Effective cybersecurity practices require multiple layers of protection; however, a ransomware attack needs only a single security flaw to succeed.
Exploiting vulnerabilities is the most traditional method of compromise associated with cybersecurity attacks. Vulnerabilities exist in the software and operating systems that you use every day. To mitigate these issues, vendors release patches for their operating systems or software. However, in many milling and industrial control environments, patching is often viewed as a process that leads to perceived unnecessary downtime for the processing facility.
Compromised credentials are the act of a malicious user gaining access to an employee's username and password. This could be by brute force, guessing the username and password, or having usernames and passwords compromised through another type of data breach. Having a level of unpredictability in how an organization creates email addresses can increase the difficulty of guessing a username. It is very easy for a malicious user to spot username patterns in corporate email addresses such as <first.last> names, <last name.first initial>, or even just <first name last name>. Adding a random number in there can add one layer of obfuscation to a more publicly known username. Passwords can also be easily guessed for some individuals by scraping social media to find the individuals' children’s names, pets' names, graduating city, mascot, or year, and even parents' last names. These are all ways that weak usernames and passwords can compound onto compromised credentials. An even easier and more common way for malicious users to compromise credentials is to purchase them off the dark web from other data breaches.
Even if your organization is not the one that has been compromised, many people reuse passwords across multiple sites and applications. For example, one of your employees could have been compromised in the 2023 23andMe data breach, using the same password on that site as they do on your corporate network. An attacker could purchase a list of compromised credentials, see “John Smith” on the list, see “John Smith” works at your organization, figure out the username convention, try the compromised password, and suddenly, they have access to your network. A malicious user having compromised credentials for your organization does not necessarily mean that your organization was compromised to obtain them.
Finally, email is another top cause of ransomware events. While email may not necessarily be a function of operational technology, the results of email compromise can affect how production may function. Whether it’s a compromised email with a malicious file or link embedded or it’s a phishing email seeking further information from the victim, the resulting ransomware is just as devastating. Ensuring your organization has good email controls in place is the best protection against a potential ransomware attack.
Now that we understand how or why a ransomware attack may occur, it is important to understand what occurs during an attack. There are different types of ransomware attacks. Some types of ransomware will encrypt a system immediately. With others, there may be a persistent effect where it resides in the background to spread around a network. Once the first system becomes compromised, it will attempt to see what other systems it can spread to, and it will begin to extort data from the network and encrypt drives, folders, or files on the system itself. These factors can vary depending on the type of ransomware that is infecting the system.
While enduring a ransomware attack is devastating to any organization, minimizing the number of systems that are affected can help reduce how badly you are impacted. When systems and traffic are limited from traversing both vertically (from firewall rule sets) and laterally (via managed switches and VLANs), it helps reduce the number of other systems that are compromised. Decreasing the number of compromised systems will decrease the effort that is required to recover from the attack and get your organization back up and running as quickly as possible.
Once the ransomware is contained, it is time to clean up the environment. There are a few different ways to do this. If proper backups are completed, and they are housed in an air-gapped manner, it may be possible to reimage a machine to utilize its backup. Alternatively, you may need to completely rebuild the system and reinstall all the applications and data that were housed on it. Depending on the type of ransomware, it is possible that the ransomware key has been posted online and could be used to unlock the system. The least preferred way to regain your systems, of course, is to pay the ransom. While not recommended, there are organizations that have found success in this method.
The final piece to a ransomware attack, which is commonly overlooked, is performing an after-action review. This gives the organization the opportunity to have a retrospective look at what truly occurred, how remediation could be handled better next time, and what other security controls could be put into place to reduce the likelihood of a similar attack happening in the future.
Before your organization falls victim to a ransomware attack, it is a good idea to assess your organization to understand where your risks are and what threats you face. It’s crucial to educate your personnel on how to avoid ransomware and teach them what to do if they think they have been compromised. Make it a priority to evaluate your organization's current security strategy, and then create and test incident response and disaster recovery plans tailored to your operations.
This article was previously published in the Quarter 2 Issue of International Miller Magazine.