As featured on BusinessMirror: The day after
In today’s alarming reality, adequate ransomware response and recovery programs should be embraced as crucial business enablers. Improvising when an organization’s operational technology (OT) and critical operations are engulfed in a deadly firestorm is likely not the answer. Operational technology (OT) involves the use of hardware and software to control industrial equipment. OT security is becoming vital today as OT is integrated with IT to create IT/OT convergence.
In the case of a large oil pipeline system, a major ransomware attack caused a shutdown of operations for almost one week and led to fuel shortages. The attack—the result of a single compromised password—focused on the pipeline’s IT systems, while the OT systems that transport oil were not directly targeted. The attackers stole data and infected the IT network with ransomware, and the pipeline was shut down to prevent the infection from spreading to the OT.
Ransomware attacks, which spread across the network and encrypt data, are soaring worldwide. The decryption of business data can be almost impossible amid today’s increasingly sophisticated ransomware attacks, during which attackers typically demand a ransom payment in bitcoins to release a key for data decryption. The organization under attack must either pay to regain access to its data or hope to recover the data in some other way, such as via backup applications.
As ransomware attacks skyrocket, ransoms could cost businesses a total of $265 billion by 2031, according to Cybersecurity Ventures, which predicts costs will rise by 30 percent annually over the next 10 years.
Effectively managing an attack is critical to address the initial impact on operations and costs, and to help minimize a recovery that may involve days or weeks of limited capabilities and interrupted customer services. Businesses need to prepare not only for an attack response but for rapid recovery—and this is particularly critical in the OT domain, where physical processes are typically involved. While many businesses are racing to enhance prevention and response programs, they also need appropriate recovery capabilities.
Recovery measures to restore operations quickly require a precise assessment to determine that the initial underlying threat has been eliminated. This is no small task amid the immediate need for response measures that include shutting down internal systems and key elements of the business network, along with rushed policy changes. It’s also crucial that the complex path back to normal operations includes key changes to security. The response and recovery process under these typical conditions can create remarkably complex challenges.
OT recovery readiness—being prepared for anything
When there’s a disaster, production outage, ransomware attack, or other event, you need to get your OT and production processes back online quickly. That means always being ready for anything. And given the constant change in today’s OT environments, ransomware readiness can’t be something you address quarterly or annually. Readiness should be a daily focus.
The constantly growing and changing scope of threats should always be taken into account. It’s not only about on-premises systems, but also IT and OT systems and their connected OT components such as the control system and programmable logic controllers (PLCs).
You need the capabilities to recover modern and old production systems, virtual machines (VMs), containers, programmable logic controllers (PLCs), and applications from anywhere in a modern hybrid IT/OT architecture. The cloud has also become part of today’s modern systems and OT infrastructures, and these platforms also need to be considered.
This complexity clearly shows that one-size-fits-all approaches are usually unsuitable for OT and production sites at this point. To be prepared for an emergency, the following key points of recovery readiness should be achieved to restore operations within a reasonable time frame:
• First, be aware of all your critical assets for IT and OT and their dependencies on each other. Also, maintain up-to-date vulnerability reports from your critical systems and assess them regularly. Without this kind of information, we believe that recovery in a tolerable time frame is impossible.
• Define recovery objectives when recovering from a disruption. For example, the recovery capability should prioritize human and environmental safety before restarting the OT operation that was impaired by the cybersecurity event.
• Develop a site disaster-recovery plan (DRP) and business continuity plan (BCP), or both, to prepare the IT and OT organization to respond appropriately to significant disruption during a cybersecurity incident. IT and OT must not be considered separately but together (IT/OT convergence goal).
• Establish backup systems and processes to back up the relevant (critical) OT systems’ state (legacy systems, Windows/Unix, PLCs, virtual systems, etc.), data, configuration files, and programs to support timely recovery to a stable state.
• Create awareness of threats (not only for IT), train your OT employees, simulate the worst-case scenario, and learn from your findings.
If you have not yet implemented these points, you should do so as soon as possible given the current and constantly increasing OT threat environment. We recommend focusing on your critical OT systems in the first wave of recovery readiness, followed by the medium-critical and less critical systems in waves two and three.
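As an added example (not from the KPMG publication or this column), the following Python turns the asset inventory, the IT/OT dependency awareness, the safety-first recovery objective and the three recovery waves described above into a concrete restore sequence. Asset names, waves and dependencies are constructed placeholders, and it covers the case the wave model alone misses: a wave-one system that depends on a wave-three one.

```python
from collections import defaultdict

# Constructed sample inventory (placeholder names, not a real plant):
# name -> (own criticality wave 1..3, safety-related?, assets it depends on)
INVENTORY = {
    "sis-logic-solver":  (1, True,  []),                    # safety system: human/environmental safety first
    "plc-line-a":        (1, False, ["eng-workstation"]),   # needs the engineering workstation to reload its program
    "hmi-line-a":        (1, False, ["plc-line-a", "scada-server"]),
    "scada-server":      (1, False, ["domain-controller"]),
    "eng-workstation":   (3, False, ["domain-controller"]), # wave 3 on its own, but a wave-1 asset needs it
    "domain-controller": (2, False, []),
    "historian-db":      (2, False, ["domain-controller"]),
    "reporting-portal":  (3, False, ["historian-db"]),
}

def effective_waves(inv):
    """A dependency inherits the most urgent wave of anything relying on it; otherwise
    'critical systems first' stalls on an unrestored lower-priority asset."""
    wave = {name: spec[0] for name, spec in inv.items()}
    changed = True
    while changed:  # propagate until no dependency is scheduled later than its dependents
        changed = False
        for name, (_, _, deps) in inv.items():
            for dep in deps:
                if wave[dep] > wave[name]:
                    wave[dep] = wave[name]
                    changed = True
    return wave

def restore_order(inv):
    """Dependencies before dependents; among ready assets: safety first, then wave, then name."""
    wave = effective_waves(inv)
    pending = {name: len(spec[2]) for name, spec in inv.items()}  # unrestored dependencies per asset
    dependents = defaultdict(list)
    for name, (_, _, deps) in inv.items():
        for dep in deps:
            dependents[dep].append(name)
    order, ready = [], [n for n, k in pending.items() if k == 0]
    while ready:
        ready.sort(key=lambda n: (not inv[n][1], wave[n], n))
        current = ready.pop(0)
        order.append(current)
        for dependent in dependents[current]:
            pending[dependent] -= 1
            if pending[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(inv):  # leftovers mean a dependency cycle in the inventory
        raise ValueError("dependency cycle among: " + ", ".join(sorted(set(inv) - set(order))))
    return order, wave
```

Running `restore_order(INVENTORY)` promotes the domain controller and engineering workstation into wave one because wave-one assets depend on them, while the historian and reporting portal keep their own waves.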
The excerpt was taken from the KPMG Thought Leadership publication: https://home.kpmg/xx/en/home/insights/2022/12/the-day-after.html.