Avoiding Shutdowns from Ransomware Attacks

By Staff

In only five years, criminal ransomware has become the dominant cyber threat facing manufacturers. Waterfall’s 2024 Threat Report has found that in 2023 there were 68 deliberate cyber attacks in the public record, affecting over 500 sites, that caused physical consequences in heavy industry and critical infrastructures. Of those 68, over half (37, or 54 percent) impacted the manufacturing industry, causing production shutdowns, work stoppages, and logistical delays.

Since 2010, all but one manufacturing incident has been ransomware-induced. Since 2019, attacks with real-world consequences have gone from a handful of incidents per year in the last decade to yearly double-digit counts, and have been growing exponentially. Staying ahead these days feels like a battle for survival against organized crime.

This trend shows no sign of slowing down or becoming less costly. In the past, production downtime following a ransomware attack might have been made up for by restoring systems from backup and then running a few extra overtime shifts, resulting in no material impact to the bottom line at year-end. Today, ransomware criminals are getting more efficient at targeting everyone with money.

Feeling the Effects

Last year saw one of the costliest incidents to date, with MKS Instruments suspending operations after a ransomware attack, claiming $200 million in lost or delayed sales in a filing with the U.S. Securities and Exchange Commission (SEC). Their customer, Applied Materials, later claimed the incident would also cost them $250 million in lost sales because they were expecting supplies from MKS that did not arrive.

Meanwhile, Clorox reported to the SEC that a ransomware attack damaged their networks and forced them to take systems offline. This cost them $49 million and disrupted production for months, and their CISO left in the ensuing fallout.

The bulk of this sector’s incidents are being perpetrated by criminals after money, and not directly targeting industrial control systems. Many ransomware incidents have affected physical operations in one of three ways:

  • Only IT networks are affected by the ransomware, but OT networks and physical operations are shut down in an “abundance of caution.”
  • Only IT networks are crippled, but OT networks are shut down because physical operations depend on IT services that have been affected by the ransomware.
  • There is no clear distinction between IT and OT networks, and when IT networks are crippled, so are OT networks and servers.

One way to address these issues is with the emerging cyber-informed field of network engineering. Network engineers are employing new design techniques that allow OT data to become available to IT systems, without allowing cyber attacks to propagate from the IT network back into OT networks. These techniques include analog signaling, dependency analysis, and unidirectional gateway technology.

None of these techniques exist in traditional cybersecurity standards and guidance, such as ISO 27001, the NIST Cybersecurity Framework (CSF), or ISA/IEC 62443. All these techniques are applied at what engineers call consequence boundaries – connections between networks with dramatically different worst-case consequences of compromise. Practically speaking, the consequence boundary for manufacturers is the interface between the production floor’s OT network and the IT and front office network, where the most common worst cases are shutdowns, but which also include safety and environmental worst cases.

Applying network engineering to the ways ransomware affects manufacturing can produce:

  • A much stronger IT/OT interface – one where ransomware simply cannot “leak” into the plant floor. This means we no longer need to shut down production on expensive production lines over an “abundance of caution.”
  • Dependency analysis that shows us which parts of the IT network are essential to operations, so that we can update the design of our systems and networks to let incident response teams re-constitute those critical IT functions quickly and have them function along with OT, independent of the remainder of the still-crippled IT network.
  • Flat networks, with no barriers at all between IT and OT components, need to be addressed: we can apply network engineering only at the boundary between networks with different worst-case consequences of compromise, and to do this we need two networks, not one.
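
The dependency analysis described above can be sketched as a graph walk. This is an added example, not from the original article; the asset names, zones and dependency edges are constructed for illustration, and the function names are hypothetical.

```python
from collections import deque

# Constructed inventory: asset -> zone ("OT" = plant floor, "IT" = business network).
ZONES = {
    "line1_plc": "OT", "hmi": "OT", "historian": "OT", "mes": "OT",
    "erp_orders": "IT", "label_print_server": "IT", "active_directory": "IT",
    "dns": "IT", "email": "IT", "crm": "IT", "file_share": "IT",
}

# Constructed edges: asset -> assets it needs in order to function.
DEPENDS_ON = {
    "line1_plc": ["hmi"],
    "hmi": ["historian", "active_directory"],
    "mes": ["erp_orders", "label_print_server", "historian"],
    "erp_orders": ["active_directory", "dns"],
    "label_print_server": ["dns"],
    "email": ["active_directory", "dns"],
    "crm": ["erp_orders", "email"],
}

def transitive_deps(roots, depends_on):
    """Breadth-first walk: everything the roots need, directly or indirectly."""
    seen, queue = set(), deque(roots)
    while queue:
        for dep in depends_on.get(queue.popleft(), []):
            if dep not in seen:  # the seen set also makes cyclic dependencies safe
                seen.add(dep)
                queue.append(dep)
    return seen

def essential_it(ot_roots, depends_on, zones):
    """IT assets that must be reconstituted for the OT roots to keep running."""
    return {a for a in transitive_deps(ot_roots, depends_on) if zones[a] == "IT"}

def boundary_crossings(depends_on, zones):
    """Direct OT -> IT dependencies: the edges that cross the consequence boundary."""
    return sorted((src, dst) for src, dsts in depends_on.items() for dst in dsts
                  if zones[src] == "OT" and zones[dst] == "IT")

if __name__ == "__main__":
    production = ["line1_plc", "mes"]
    needed = essential_it(production, DEPENDS_ON, ZONES)
    all_it = {a for a, z in ZONES.items() if z == "IT"}
    print("Essential IT (restore first):", sorted(needed))
    print("IT that production can run without:", sorted(all_it - needed))
    print("OT -> IT edges to re-engineer:", boundary_crossings(DEPENDS_ON, ZONES))
```

In this constructed inventory the walk surfaces indirect dependencies (directory and name services behind the order system) that a list of direct OT connections would miss.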

Criminal ransomware impacts on OT networks are unlikely to ever go away. The good news is that there are powerful new approaches – like network engineering. Yet, the ways that industrial shutdowns occur suggest an efficient security program should protect physical operations by reconsidering how networks are interconnected. Production can then continue even if business processes or third parties are impacted, with greater flexibility to respond and recover.

When everybody else seems to be going offline due to an “abundance of caution,” having great defenses might just be the edge that keeps you ahead of the competition.
