Ransomware in Critical Infrastructure, and What You Should Already Be Doing
Ransomware attacks show no sign of slowing down anytime soon. In late September, one after another, two large ransomware attacks targeting the agriculture industry came to light. The ransomware group BlackMatter targeted NEW Cooperative, an Iowa software company that provides agricultural scheduling services. An unknown attacker compromised Crystal Valley Cooperative, a farm supplier and grain marketer in Minnesota.
There are a few important details that are becoming common to all ransomware attacks: poor security hygiene (Greig, 2021), large demands—$5.9 million for NEW Cooperative (Kass, 2021), and increasingly, potentially large disruptions to supply chains and critical infrastructure (Sharma, 2021). That last point matters in light of an argument between NEW Cooperative and their attacker, as reported by Ars Technica. While NEW Cooperative may not be a household name, they claim that 40% of the grain industry runs on their software; if that is the case, they should fit anyone’s definition of critical infrastructure. BlackMatter states they will avoid certain targets, but since they only include power and water treatment in their definition of ‘critical infrastructure,’ NEW Cooperative is fair game (Sharma, 2021).
Ransomware is becoming the attack of choice for bad actors specifically because of the follow-on damage it can do. As the potential damage to the target, the supply chain, and society as a whole grows, the pressure for the target to give in to demands becomes unbearable. And while other kinds of breach or compromise require further work to cash in, ransomware can often be relied on for a quick payday. BlackMatter’s criteria for target exclusion show the fallacy in assuming, for whatever reason, that you will not be made a victim.
There are many things your organization could—and should—already be doing to protect itself from these sorts of attacks. If you aren’t already on top of the subject, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency provides a good introduction to the topic at Security Tip (ST19-001): Protecting Against Ransomware. But because many smaller organizations may not have a budget that allows for significant security expenses, I want to focus on just one security control: backups.
Backups have all kinds of potential benefits for an organization, like tolerance for hardware or electrical failures. But backups are the one control that will help even after a ransomware infection has occurred. I can’t promise that having backups will prevent you from having to pay a ransom. But if you know that you will be able to restore systems from clean backups in isolation, then you will likely be able to return to operation without the attackers’ assistance.
The first step to implementing a successful backup scheme is risk assessment. You need to identify which system or systems will be most critical to your continuity of operations during a crisis, so you can establish just what will be necessary to safeguard those systems. If your business runs from one server, then that might seem like an easy answer. But you should also consider good backups of workstations in mission-critical locations, so that you can prioritize returning certain operations to service as quickly as possible.
You should also know that, when we talk about backups for the purpose of ransomware security, we don’t mean backing up particular files. Those sorts of backups have their place, e.g., archival purposes. Here, we are talking about full system images: one-to-one duplicates of every speck of software needed to run a particular system, application software and operating system included. The goal is, after restoration, that computer will be completely ready for its normal duties.
Once you have a handle on which computers need to be protected, and how much data is involved, you can start planning for how the data will need to be stored. There might be external hard drives, network-attached storage, or storage area networks involved; the details will of course depend on your specific situation. The two things that will definitely be required are encryption and air-gapping. The data has to be encrypted, because the most mission-critical systems are of course the biggest targets. But air-gapping is even more critical: the backup images are the highest-priority target for a ransomware attacker. During normal operations, the backup images have to be completely inaccessible; the storage should only be connected when backups are taken.
Once storage is in place, then the actual backup procedures have to be developed—in writing. I can’t stress enough how important it is that these procedures be written down. Here is the justification: since the software and data on the computers will change, the backups must change too. Since the backups have to change, the backup procedures will have to be an ongoing process. Since the storage for the backups must be air-gapped, the backup process can’t be completely automated. Since the process can’t be automated, humans will have to be involved. Any procedure that humans have to follow will have to involve training and assessment, before and after, and that means procedure documents.
Then, after backups have been created, they must be tested. You should always assume that any backup that hasn’t been tested with a full system restoration will not be able to protect you if you’re attacked. In an ideal world, you would test each system image you create by restoring it to an identical system and allowing a user to confirm its operation. I know that procedure isn’t trivial for lots of situations. But the more difficult it seems, the more critical it may really be: if having a server down for hours for a back-up restoration test seems like a nightmare, how much more of a disaster would it be to try to restore that system and find that the backup image wasn’t going to work? If testing each image is impossible, then consider a scheme where only the most critical system images are individually tested, and others are tested on a random-sample basis.
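As an added illustration of the storage and testing steps above (example code written for this article, not a tool the article describes), the following Python records a SHA-256 manifest of each full-system image when the backup is taken, re-checks the images against that manifest before a restore test so that a corrupted or altered image is caught first, and picks every critical image plus a random sample of the rest for full restoration testing. The hostnames and image filenames are constructed; the manifest check complements, and does not replace, restoring each image to identical hardware and having a user confirm it works.

```python
import hashlib
import random
import tempfile
from pathlib import Path
# Constructed sample inventory (hypothetical hosts): image file -> (host, critical?)
INVENTORY = {
    "erp-db.img": ("erp-db", True),
    "scheduler.img": ("scheduler", True),
    "ws-dock1.img": ("ws-dock1", False),
    "ws-dock2.img": ("ws-dock2", False),
    "ws-office.img": ("ws-office", False),
}

def make_sample_images() -> Path:
    """Write small stand-in files for the images so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    for name in INVENTORY:
        (root / name).write_bytes(name.encode() * 1024)
    return root

def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(image_dir: Path) -> dict:
    """Backup time: digest of each inventoried image present; keep it on the offline media."""
    return {n: sha256_file(image_dir / n) for n in INVENTORY if (image_dir / n).is_file()}

def verify_manifest(image_dir: Path, manifest: dict) -> dict:
    """Test time: report each image as ok, mismatch (altered/corrupt) or missing."""
    status = {}
    for name, digest in manifest.items():
        p = image_dir / name
        if not p.is_file():
            status[name] = "missing"
        else:
            status[name] = "ok" if sha256_file(p) == digest else "mismatch"
    return status

def select_restore_tests(sample_fraction: float = 0.5, seed=None) -> list:
    """Every critical image gets a full restore test each cycle; the rest are sampled."""
    rng = random.Random(seed)
    critical = sorted(n for n, (_, crit) in INVENTORY.items() if crit)
    others = sorted(n for n, (_, crit) in INVENTORY.items() if not crit)
    k = min(len(others), max(1, round(len(others) * sample_fraction)))
    return critical + sorted(rng.sample(others, k))
```

The `build_manifest` result is what you write to the air-gapped media alongside the images; `verify_manifest` is the first step of the written test procedure, run before any restoration is attempted.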
Last up, incorporate your back-up and recovery schemes into your disaster recovery and business continuity policy documentation. Many industries, such as healthcare, have regulatory requirements for that documentation, after all. And by incorporating those procedures into policy, you also incorporate them into your policy review activities, which means you have a built-in opportunity for continuous improvement at review time.
What is your organization doing to back up your critical systems, or prepare for ransomware attacks in your industry? If you have thoughts or suggestions for me, I can be reached at crainm@purdue.edu.
CISA. (2019, April 11). Protecting Against Ransomware. Cybersecurity and Infrastructure Security Agency. https://us-cert.cisa.gov/ncas/tips/ST19-001
Greig, J. (2021, September 21). After ransomware attack, company finds 650+ breached credentials from NEW Cooperative employees. ZDNet. https://www.zdnet.com/article/after-ransomware-attack-company-finds-650-breached-credentials-from-new-cooperative-ceo-employees/
Kass, D. H. (2021, September 27). New Cooperative Ransomware Attack Timeline: Status Updates. MSSP Alert. https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/new-cooperative-ransomware-attack-timeline-status-updates/
Sharma, A. (2021, September 21). $5.9 million ransomware attack on farming co-op may cause food shortage. Ars Technica. https://arstechnica.com/information-technology/2021/09/5-9-million-ransomware-attack-on-farming-co-op-may-cause-food-shortage/