Ransomware? Please Hold for The Next Available Agent

Since at least 2017, we have observed an increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. This trend results from increasingly skilled threat actors moving from indiscriminate ransomware propagation to deliberate deployment of post-compromise malware. This increases the likelihood of substantial financial rewards, especially when targeted organizations have high-availability requirements and/or lack backup processes.

Despite this scenario, it is not uncommon for ICS/OT security professionals to consider ransomware as an out-of-scope threat. Although it is true that this type of malware typically only propagates across IT systems, OT asset owners are often the most affected by its impacts. We find three main reasons to share responsibility to address this threat:

  1. The main objective of ICS/OT is to facilitate and scale the production of specific goods or services to satisfy a certain demand. Ransomware at different levels of the enterprise architecture may directly or indirectly result in delayed, disrupted, or stopped production.

  2. The growth of post-compromise approaches to ransomware places the attacker in a privileged position from which they can explore the target network and identify critical systems before deploying the payload.

  3. The tactics, techniques, and procedures (TTPs) used for post-compromise ransomware resemble those employed by highly skilled actors across the lifecycle of past OT security incidents. Identification at earlier stages is only possible with collaboration between OT and IT security teams.

In this talk, we highlight why ransomware is a relevant challenge for ICS/OT security practitioners, describe some of the main TTPs used by attackers for post-compromise ransomware, and share ideas for actionable ways to address this problem. We invite the audience to learn how to collaborate across the organization so the next time they need to talk about ransomware, they are not forced to delegate the task to the next available agent.

Type or target audience

No prerequisites; the talk should be of interest to a general audience, as we have seen a variety of customers inquiring about this topic. We believe it works well both for experienced security professionals looking for a deep dive and for other roles that seek to understand what the challenge is and what to do about it at an organizational level.

What audience should expect from the presentation

The audience should expect to learn about the impacts of ransomware in industrial/critical infrastructure organizations, learn about past relevant cases, and take a deep dive into the TTPs that we have observed actors leveraging for post-compromise incidents.

One of the main strengths of the talk is that it draws on our organization's experience responding to and understanding ransomware incidents, while placing that information in the context of ICS/OT.

It will also challenge some of the conceptions we currently have about the degree of collaboration between IT and ICS/OT security teams, highlighting what ICS/OT security teams can do to address this challenge, especially when it arises at different levels of the organization.

Key takeaway

Addressing the challenge of ransomware in industrial/critical infrastructure organizations must be a shared responsibility. Even when the controllers themselves are not affected, ransomware infections often result in direct or indirect delays and disruptions to production.
