CISA Warns of Threat Posed by Ransomware to Industrial Systems

Following the devastating attack on Colonial Pipeline, the largest refined products pipeline in the United States, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet focusing on the threat posed by ransomware to operational technology (OT) assets and industrial control systems (ICS).

The Colonial Pipeline attack, which involved Russian cybercriminals and the Darkside ransomware, forced the company to shut down operations. The incident had significant implications, including states declaring a state of emergency, temporary gas shortages, and gas prices rising.

“OT components are often connected to information technology (IT) networks, providing a path for cyber actors to pivot from IT to OT networks,” CISA said. “Given the importance of critical infrastructure to national security and America’s way of life, accessible OT assets are an attractive target for malicious cyber actors seeking to disrupt critical infrastructure for profit or to further other objectives. As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.”

Learn more about threats to industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The agency has advised critical infrastructure owners and operators to take measures to address the risk of ransomware attacks.

The 3-page fact sheet released by CISA last week provides a summary of the steps organizations should take to improve their resilience against ransomware attacks. In some cases, the fact sheet includes links to more detailed guidance.

The document provides recommendations for preparedness, which includes determining the reliance of critical OT processes on key IT infrastructure, and creating a resilience plan for situations where control of IT and/or OT systems is lost and workarounds or manual controls are needed to ensure the uninterrupted operation of critical processes.

Having an incident response plan and regularly exercising it, and having backups that are isolated from systems that could be hit by ransomware are also recommended.

As for mitigations, CISA recommends practicing good cyber hygiene, implementing robust segmentation between IT and OT networks, and implementing a continuous and vigilant system monitoring program.

When it comes to responding to ransomware attacks that may impact ICS, the agency recommends a series of steps that include determining which systems are impacted and isolating them, disconnecting or shutting down impacted devices to prevent the ransomware from spreading, triaging affected systems for restoration and recovery, conducting an initial investigation, and engaging internal and external parties (including CISA) for assistance.

If none of the initial mitigation actions appear possible, CISA recommends collecting system images, memory dumps and other digital evidence, and consulting law enforcement to find out if a decryptor is available for the ransomware that targeted them.

Related: NSA, CISA Urge Critical Infrastructure Operators to Secure OT Assets

Related: CISA Releases Tool to Detect Microsoft 365 Compromise

Related: CISA Details Malware Found on Hacked Exchange Servers