Mayhem in Manufacturing, Part I: Four Best Practices to Avoid Ransomware Attacks

by: Ross Williams, Critical Start DFIR Leader

According to the CrowdStrike 2021 Global Threat Report, “Although most ransomware operations are opportunistic, CrowdStrike Intelligence identified the highest number of ransomware-associated data extortion operations this year in the industrial and engineering sector (229 incidents), closely followed by the manufacturing sector (228 incidents). The manufacturing industry is particularly vulnerable to ransomware operations. Not only does the industry suffer the normal consequences of a ransomware infection, but a disruption in day-to-day operations would greatly affect the core business if a company were unable to meet production demands due to system outages.”¹ With that in mind, it seems like a good time to offer a few industry standards and best practices to help manufacturers avoid costly ransomware attacks.

First, Understand Your Environment…

Using the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as a reference point, the first of the five core functions is Identify. Managing the cybersecurity risk to systems, assets, data, and capabilities begins with a full understanding of your environment. You must have full visibility to your digital and physical assets, how they are interconnected, and defined roles and responsibilities.

In addition, you should understand your current risks and exposure, then put policies in place to manage those risks. Consider what the impact would be if your critical systems went down. (Remember the Colonial Pipeline ransomware attack?)

…Then, Do Everything Possible to Defend It.

Best Practice #1—Prevent Malware Delivery

Ransomware infections usually start with an email, through a malicious URL or attachment. You can mitigate their impact by implementing network services, such as:

• Filtering email and spam to block malicious emails and remove executable attachments. These three security protocols are worth the investment:
  • Sender Policy Framework (SPF) hardens your Domain Name System (DNS) servers and restricts who can send emails from your domain. This can prevent domain spoofing and enable your mail server to determine when a message came from the domain that it uses.
  • DomainKeys Identified Mail (DKIM) makes sure the content of your emails remains trusted and has not been tampered with or compromised.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the first two protocols together with a consistent set of policies and links the sender’s domain name with what is listed in the “From:” header. DMARC also allows mail recipients to report bad domains.
• Deploying Internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware
• Intercepting proxies and utilizing safe browsing lists within browsers to block known malicious websites. Be aware of potential “drive by” or “watering hole” attacks where an attacker observes websites, such as Facebook, Twitter, and other non-business sites that your employees visit and infects one or more of them with malware that can, in turn, infect your network.

Speaking of your employees, remember that they can be your weakest link.  Don’t neglect the importance of providing them with ransomware awareness training on these critical topics:

• Types of ransomware and scams
• Signs you have ransomware
• What to do if you have ransomware, whether you are working in the office or working remotely
• What you can do to protect yourself and your company

Best Practice #2—Secure Access & Protect Sensitive Data

• The second core function in the NIST CSF is Protect. Attack surface reduction is especially critical for manufacturing environments in which specific equipment performs a specific function.  Implement rights management and access control to limit what applications can be run on devices, what code can be executed, which services can run, etc.
• Use Data Loss Prevention (DLP) rules and policies to determine which files and data are considered confidential, critical, or sensitive, and then protect those files from being accessed, shared or transmitted.

Best Practice #3—Prevent Spread and Malicious Code Execution

Detect, the third core function in the NIST CSF, involves implementing the appropriate measures to quickly identify cybersecurity events. To comply with this function, you should adopt continuous monitoring solutions that detect anomalous activity and other threats to your operational continuity. Make sure your organization has visibility into its networks to anticipate a cyber incident and that you have all the information you need on hand to respond to one.

Adopt a zero-trust approach, by which you assume that malware will reach your organization’s devices. Zero Trust Network Access (ZTNA) is a set of technologies under which access is granted only on a “need-to-know”, least-privileged basis defined by granular policies. ZTNA gives users seamless and secure connectivity to private applications without ever placing them on the network or exposing applications to the internet.

The complexities of today’s global supply chain also require third-party risk management (TPRM) strategies. In 2019, Airbus experienced four large-scale attacks through four different suppliers. Consider all the third parties you deal with and identify any weak links, then put measures in place to mitigate any potential risks.

Best Practice #4—Implement a Secure and Resilient Strategy

So, what should you do if you are breached in spite of all your best efforts?

Respond is the fourth core function in the NIST CSF. This function focuses on your ability to contain the impact of a breach.  To comply, your organization must craft a response plan, define communication lines among the appropriate parties, collect and analyze information about the event, perform all required activities to eradicate the incident, and incorporate lessons learned into revised response strategies. Remember, you don’t have to go it alone. Expert Blue Teams such as those we have here at Critical Start can guide you through the Incident Response process.

Last but not least, the fifth core function of the NIST CSF is Recover. Organizations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event. Your organization must have a recovery plan in place, be able to coordinate restoration activities with external parties and incorporate lessons learned into your updated recovery strategy. Defining a prioritized list of action points which can be used to undertake recovery activity is critical for a timely recovery.

Don’t Forget to Back Up Your Data!

The key to mitigating the ransomware damage is to ensure that you have up-to-date backups of all important files so you can recover your data without having to pay a ransom. Ensure your backups are kept separate from your network or in a cloud service designed for this purpose. Also, do not rely on just one back up; remember to follow the 3-2-1 rule of backups:

• Keep 3 copies of any important file: 1 primary and 2 backups.
• Keep the files on 2 different media types to protect against different types of hazards
• Store 1 copy offsite (i.e., outside your home or business facility)

Be Ever Vigilant

Following these best practices will help better secure your enterprise against ransomware attacks, but remember to always stay vigilant. As we have seen, cyber criminals can find new vectors and vulnerabilities to exploit, so you must continuously assess your environment for risks and vulnerabilities. CRITICALSTART can help. Our Cybersecurity Consulting offerings are based on a three-phase process (Assess/Respond/ Defend) that helps secure your infrastructure on-premise or in the cloud, meets compliance standards, and reduces your exposure.

You might also be interested in: 
Learn how a major international manufacturer stopped a breach with CRITICALSTART IR Services.

¹  Crowdstrike 2021 Global Threat Report, Crowdstrike: https://www.crowdstrike.com/resources/reports/global-threat-report/