The prevalence — and cost — of increasingly sophisticated ransomware attacks continues to grow unabated. The threat of ransomware is nothing new, but the nightmare scenarios targeting businesses in every sector are becoming more targeted and crippling by the day.
Attackers using ‘big game hunting’ tactics, for example, are setting their sights on specific larger organizations where they anticipate that they can extract the largest financial pay-out. Unlike auto-spreading ransomware such as WannaCry and NotPetya, many new strains open the door for criminals to steal data and manipulate systems, as attackers exhibit deeper knowledge and understanding of their target’s environment.
Amid the disruptive impact of the global pandemic over the last year, cyber criminals are turning their attention to the life sciences industry. The industry’s crucial role in launching COVID-19 vaccination programs — combined with the sector’s massive revenues and endless volumes of sensitive data — makes it an ideal target for organized crime groups wielding today’s destructive ransomware tactics.
Notable ransomware attacks on the industry to date include Ryuk, Conti and Sodinokibi — and cyber criminals are expected to keep healthcare and pharmaceutical businesses firmly in their sights in 2021 and beyond.
The evolving threats of ransomware
Today’s ransomware attacks are transitioning away from traditional ‘smash-and-grab’ tactics, as more-sophisticated and intrusive techniques increase the impact and profitability of attacks. This often involves attackers spending weeks performing significant reconnaissance of targets to gain a deep understanding of their systems and data, and how best to leverage a ransomware attack for the largest financial pay-out.
So how is ransomware changing?
More effort, inside the box:
Despite efforts by leading companies to protect their systems, there is still much work to be done by many organizations. In my view, many high-profile ransomware attacks could have been avoided or at least reduced. And many companies are still not meeting a minimum level of cyber security to fend off such attacks.
Segmentation of a company’s distributed network would reduce the risks, since firewall separations between key areas would make it easy to shut down and isolate a cyber hack. We must also ask whether companies are investing enough to keep their operational environments up to date and address the costs of replacing legacy systems; whether the avoidance of scheduled maintenance shutdowns that could impact production has led to issues; or if companies should do more to ‘push’ their technology vendors to deliver adequate updates to aging industrial systems. Whatever the answer is to these questions, it seems that many operational systems languish with outdated functionality and lack much-needed security upgrades.
Also, an enduring ‘people culture’ within many organizations can stall their cyber security efforts. While operations teams may lack cyber-savvy, the issue may originate at the supervisory and executive board level, where leaders are not familiar with their own operational assets and do not understand their ecosystem dependencies. This culture may extend to front-line employees who aren’t adequately trained on basic “Don’t click the link” cyber-safe practices and aren’t encouraged to report operational issues or glitches that create vulnerabilities to future cyber-attacks.
More effort, beyond the box:
Beyond better internal awareness and controls, there’s a need for greater beyond-the-box planning to address ecosystem weakness. While national or regional governments might logically provide this oversight and coordination of cyber security strategies for critical industries, not many governments have embraced the task.
Exceptions include the UK’s Government Communications Headquarters (GCHQ), which promotes cyber vigilance in industry, the U.S. Department of Homeland Security and other agencies that drive industry standards, and Singapore’s efforts to apply stringent cyber security regulations. However, most countries have yet to implement similar regulatory frameworks.
Cooperation is also limited at the trans-national level, due to lack of political consensus or the slow pace of legislative change. For example, although the European Union is in the midst of updating its Network and Information Systems Directive (NIS), it could take years for the NIS 2 guidelines to be implemented within member nations. Currently, even basic, cross-border sharing of intelligence, to alert national agencies of emerging cyber threats, is in its infancy.
In light of these realities, the critical role of ecosystem protection may hinge on industry collaboration, with leadership provided by the largest infrastructure and tech firms who can bring their counterparts to the table to iron out common principles and practices. Such industry-wide consensus could ultimately spur on corresponding regulatory activity. For example, this kind of ‘industry-made’ solution has already emerged in the banking sector, where Europe’s largest banks worked together nationally and internationally to draft cyber security standards and threat intelligence information sharing.
This industry-driven approach could produce better, ‘out-of-the-box’ strategies, based on real-world field experience from operators who already practice meticulous risk mitigation of their internal, physical assets. Today, most companies can quickly shut down (part of) their own operating environments if a problem occurs, and revert to alternative processes. This ‘can do’ mindset must be extended to the ecosystem level, so that risks relating to an industry’s labyrinth of dependencies are identified, work-around solutions are developed, and back-up plans are tested and practiced jointly by companies, industries, tech and regulators.
While it will take time and commitment for the numerous stakeholders to develop effective ‘out-of-the-box’ approaches to manage the risks embedded in their ecosystems, it’s encouraging to see that industry participants are now taking preliminary steps.
Like any major challenge, it must begin with ‘awareness,’ and recent, headline cyber-attacks are prompting CEOs and Heads of State to ask, ‘What assets do we have?’ ‘What is our level of Operational Technology maturity?’ and ‘How could the ecosystem impact our ability to operate?’ The next step is industry, government and technology collaboration, to think outside the box and protect the critical infrastructure upon which we all depend.