No industrial operation is free of risk, and different industrial organizations legitimately have different appetites for certain types of risk.
For decades, Industrial Control Systems (ICS) were not connected to other systems or the Internet. That physical separation (the "air gap") from other networks within industrial organizations became the main security feature protecting critical systems from cyber-attacks.
The COVID-19 pandemic accelerated business objectives around remote work, on top of the standing pressure for lower costs and improved operational efficiency. Meeting regulatory compliance and giving decision makers a holistic view of plant operations became all the more urgent with the changes the pandemic brought.
As a result, this acceleration brought cost-effective, more connected IT technologies such as VPNs into the operational environment, eroding the isolation that ICS security had long relied on.
Awareness of ransomware ballooned four years ago when WannaCry spread rapidly around the globe. Recently, ransomware is in the spotlight again thanks to the Colonial Pipeline cyber-attack. In its aftermath, organizations scrambled to patch vulnerabilities and roll out broad security hygiene education.
While there is no foolproof way to prevent ransomware, good protocol hygiene and behavioral monitoring of the environment can go a long way toward limiting the blast radius. Attackers have become highly adept at evading detection on the endpoint once they are inside a network, but they cannot hide from the network itself: every lateral move, credential use and data transfer crosses the wire.
David Sajoto, Vice President, Asia Pacific and Japan, ExtraHop, shares with CybersecAsia why and how network visibility is key to mitigating ransomware in the new normal:
How can businesses fight ransomware with the help of machine learning?
Sajoto: Approximately 2.7 million ransomware cases were detected in ASEAN within the first three quarters of 2020. With financial damage accumulating to over a billion US dollars, the need for protection against ransomware has become more crucial than ever.
By adopting machine learning to analyze every digital interaction occurring on the network, businesses can take a proactive stance and transform that data into an accurate and timely source of intelligence in their fight against ransomware.
Machine learning enables a positive and proactive security model, putting the power of pattern-based analysis and machine learning to work against malicious actors. Organizations can also improve threat detection and take advantage of scalability when they utilize cloud-scale machine learning architecture.
With these automation capabilities, users can detect, investigate and respond to attacks faster.
Beyond detection, machine learning enables automated analysis of potential threats detected and assists in the triage, investigation and remediation process. It also facilitates automated response to threats such as blocking malicious IP and domains, alongside quarantining devices, locking users, or restricting network access.
Machine learning in network detection and response is a vital layer of defense in detecting suspicious activity at every stage of the attack lifecycle.
Why is it important for organizations in the manufacturing and ICS sectors to adopt automation in cybersecurity?
Sajoto: Over the past two years, critical industries such as energy and manufacturing have been among the most frequently targeted. IT disruptions in a manufacturing environment can be detrimental to a country, up to the potential sabotage of critical services to its citizens. From a business perspective, it can be a logistical nightmare. The slightest delay in order processing, shipment tracking and fulfilment obligations can instantly affect the bottom line.
Security has become more challenging and complicated with Industrial Control Systems (ICS), which often have microcode embedded within proprietary hardware or aging computer platforms. A relatively straightforward solution for companies is to rely on network data analytics, which are far less vulnerable to tampering and erasure and do not require extensive software installation.
Automation supports organizations by flagging suspicious activity pertaining to ICS, whether it includes unusual logins, traffic, or requests for sensitive data. Automated network data analysis raises alarms and prompts organizations to take action quickly. Ultimately, automation bolsters security in discerning file access events, particularly when they relate to confidential information.
Organizations in the manufacturing sector must adapt to automation and technology that allows real-time monitoring, giving them the visibility they need to fine-tune their operations, maintain security for proprietary data, and ease the way for implementing new systems like IoT to carry their business into the future securely.
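The two answers above describe, in the abstract, how analysis of network traffic can flag a host whose behaviour departs from its own baseline (unusual traffic, mass access to file shares) and then feed a response such as quarantining the device. The following is an added example written for this page, not ExtraHop's code and not part of the interview: a small behavioural detector over constructed NetFlow-style records. It uses a plain per-host statistical baseline rather than the machine-learning models the interviewee refers to; the host names, flow records and thresholds are all constructed for illustration.

```python
"""Behavioural fan-out detector over constructed NetFlow-style records.

Added example for this page; not a product's code. It flags a host whose
number of distinct SMB (TCP/445) peers in an hour jumps far above that
host's own earlier hours, the pattern seen when ransomware spreads or
encrypts shares laterally. It then lists the peers contacted so the
blast radius is known before the host is quarantined.
"""
from collections import defaultdict
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    src: str        # source host (assumed hostnames, constructed)
    dst: str        # destination host
    dport: int      # destination TCP port
    bytes_out: int  # bytes sent by src

BASE_TS = 1_600_000_000  # constructed start time

def make_sample():
    """Constructed sample: ws-17 talks to 2-3 file servers per hour for five
    hours, then contacts 40 distinct peers on 445 in the sixth hour.
    ws-22 is a quiet host for contrast."""
    flows = []
    for hour in range(5):
        base = BASE_TS + hour * 3600
        servers = ["fs-01", "fs-02", "fs-03"][: 2 + hour % 2]
        for i, server in enumerate(servers):
            flows.append(Flow(base + i * 60, "ws-17", server, 445, 50_000))
        flows.append(Flow(base + 300, "ws-17", "dc-01", 88, 2_000))  # Kerberos, ignored
    base = BASE_TS + 5 * 3600
    for i in range(40):
        flows.append(Flow(base + i * 15, "ws-17", f"ws-{100 + i}", 445, 900_000))
    for hour in range(6):
        flows.append(Flow(BASE_TS + hour * 3600 + 10, "ws-22", "fs-01", 445, 40_000))
    return flows

def hourly_fanout(flows, port=445, window=3600):
    """Per source host, ordered list of (bucket, distinct peers on `port`)."""
    peers = defaultdict(set)
    for f in flows:
        if f.dport == port:
            peers[(f.src, f.ts // window)].add(f.dst)
    series = defaultdict(list)
    for src, bucket in sorted(peers):
        series[src].append((bucket, len(peers[(src, bucket)])))
    return series

def detect_fanout_anomalies(flows, z_threshold=3.0, min_history=3, min_fanout=10):
    """Return [(src, bucket, fanout, z)] where a host's fan-out in a bucket is
    anomalous against its own trailing baseline. min_history avoids alerting
    before a baseline exists; min_fanout suppresses noise on tiny counts."""
    alerts = []
    for src, series in hourly_fanout(flows).items():
        history = []
        for bucket, fanout in series:
            if len(history) >= min_history:
                mean = sum(history) / len(history)
                std = math.sqrt(sum((x - mean) ** 2 for x in history) / len(history))
                z = (fanout - mean) / max(std, 1.0)  # floor std so stable hosts still score
                if z >= z_threshold and fanout >= min_fanout:
                    alerts.append((src, bucket, fanout, round(z, 2)))
            history.append(fanout)
    return alerts

def blast_radius(flows, src, bucket, port=445, window=3600):
    """Peers `src` reached on `port` during `bucket`: the set an incident
    responder checks (and the evidence for quarantining `src`)."""
    return {f.dst for f in flows
            if f.src == src and f.dport == port and f.ts // window == bucket}

if __name__ == "__main__":
    sample = make_sample()
    for src, bucket, fanout, z in detect_fanout_anomalies(sample):
        print(f"ALERT {src}: {fanout} distinct SMB peers in bucket {bucket} (z={z})")
        print("  reached:", sorted(blast_radius(sample, src, bucket))[:5], "...")
```

In the constructed data only ws-17 trips the detector, in the sixth hour, and the blast-radius query returns the 40 workstations it touched; the quiet host ws-22 never alerts because its fan-out matches its own history. Real deployments replace the hand-built baseline with learned models and add further signals (write volume, file renames over SMB, new-peer ratios), but the shape is the same: baseline per asset, score deviation, then act on the affected set.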
In the midst of accelerated digital transformation efforts, what are the key security challenges and what are some tips you have for organizations to tighten data security?
Sajoto: As organizations accelerate their digital transformation efforts and become more connected and data driven, they are exposing themselves to a wider attack surface. Moreover, cybercriminals have also become more advanced in their approach, steadily increasing the volume and complexity of phishing campaigns and ransomware attacks.
Here are some tips that can help organizations tighten their security posture.
- Prevention is a pipe dream: With global data breaches on the rise, organizations are increasingly shifting their strategy from protection and prevention at the perimeter to detection and response. While prevention still has value as a first line of defense, cybersecurity leaders should center their operations – people, process, and technology – on reducing dwell time and mitigating damage.
- Get clarity on cloud security: If companies are hosting anything in the cloud, it is critical to understand where their cloud service provider’s security responsibility ends and theirs begins. Some of the most common threats to cloud security are home-grown and preventable, including misconfiguration, unauthorized access, and insecure APIs.
- Trust no one — not even vendors: A Zero Trust approach determines trust dynamically, regardless of where the users are located. With access and privileges continually verified, no asset or network segment is implicitly trusted as authorization is only valid on an as-needed basis. Enterprises often rely on vendors for everything from infrastructure and applications to security. Organizations should question their vendors to ensure they understand how data is being handled, where it is going, and what level of encryption the vendor uses.
- Put your defenses to the test: To improve the security posture of your organization and find potential gaps in your defenses, run red vs. blue exercises. These keep your security team sharp and help proactively identify your security vulnerabilities.
We have since entered the second half of 2021. What are some cybersecurity predictions that have been proven accurate, and what are some of your predictions moving forward?
Sajoto: In December 2020, we predicted that ransomware would continue to be the greatest threat to enterprises. We had foreseen new cybercrime groups entering the picture as well as the continuing development of more complex attack tactics. We also predicted that these attacks would affect high-value targets in healthcare.
That prediction has proved accurate with the recent ransomware attack on AXA Partners Asia. The attack affected the Thailand, Philippines, Malaysia, and Hong Kong operations. The criminals responsible for the attack claimed to have stolen three terabytes of data, including medical records and communications with doctors and hospitals.
Moving forward, we predict that businesses will have to rethink how enterprise data and infrastructure are secured against ransomware attacks and other forms of cybercrimes, as we believe that remote work will be in higher demand. Remote work will cement its place as a standard part of working life and companies will have to consider various ways to protect themselves especially in a hybrid working environment.