Hacked for the Holidays: Securing OT Infrastructure Against a Season of Increased Risk

December 13, 2022

Nostalgia brings us all to a special place every year during the holiday season. It’s an odd feeling of stress and elation as we increase contact with loved ones, pile on some new deadlines, weigh our personal and organizational accomplishments over the last 12 months, and simultaneously look forward to a short respite that is well deserved after all the hard work we’ve put in. It can be difficult to find a balance between optimism and realism during this time. The purpose of today’s post is to help you stay focused, and to find solace in knowing you are prepared.

The sheer number of deadlines and decisions to be managed can be overwhelming. Most of us have our wallets out and our minds elsewhere, even at work. Retailers love it, and bad actors do too. That’s why we nearly always see an uptick in attacks, from enterprise-level ransomware to traditional consumer fraud, in the months from November to January.

A Special Treat Just for OT Security

And it’s not just consumers, retailers, and digital businesses in the crosshairs; there’s significantly increased risk to our critical infrastructure too. Unfortunately, just when OT security teams need to be at peak readiness, the distractions of the season, with all their urgency and complexity, are ready to change the subject. And the consequences of this aren’t just dangerous—they could be disastrous.

We Remain in an Always Escalating State of Cyber War

Given the slowly unfolding uncertainty in Ukraine, it’s easy to feel like the world is on edge. I’d argue this is really not new, and that we’ve been at war for quite some time, even if the holidays are yet another stark reminder. Since 2014, Russia’s ongoing cyberattacks on the Ukrainian power grid have served as a reliable reminder of infrastructure vulnerability.

Years before the current invasion that now sees them relying on heavy weaponry, Russia launched regular cyber incursions into the SCADA systems controlling the electrical system for Ukraine and Crimea, with varying degrees of success. The 2015 attack, later linked directly to Russian GRU teams, knocked the power out for nearly one quarter of a million Ukrainians and served as an ominous wakeup call for other countries, America included.

While the attacks in 2015 obviously served regional interests, many experts believe the attack was also a dry run for a possible future attack on the US grid, which is similarly designed but, at least at the time, more poorly protected. And while we might be transfixed by events halfway around the globe, events like the recent, still unexplained attack on substations in North Carolina remind us that threats can come from anywhere.

External Threats: New Kinds of Weapons and Warriors

Russia’s decision to wage war has had other implications for cybersecurity around the world. We’re seeing an escalation in cyber tactics, as both sides in the conflict, and other opportunistic groups and nation states, bring new digital weapons to the global battlefield. The war’s economic disruption has also destroyed jobs across the region, and thousands of people with significant technical skills are now looking for ways to turn that expertise into cash.

While the seasonal rise in ransomware attacks is to be expected, it’s hard to think the war isn’t making the problem worse in lots of ways. Additionally, recent news from Kaspersky on a new flavor of destructive wiper malware reminds us that bad actors never stop innovating. The new version, dubbed CryWiper, was first seen in attacks on the Russian court system.

Like other wiper variants, the malware drops an ominous ransomware note with a link to a BTC wallet for payment. Unfortunately for victims, this is a pseudo-ransomware attack designed to destroy data through file corruption. Payment, if made, does nothing. As we move into 2023, especially with no clear end in sight for the Russian invasion, we should expect to see more attacks move from that theatre of operations to ours.

Internal Threats: Holiday Cheer and Staff Chaos

While global instability makes the external threat landscape more dangerous, chances are that risks are coming from inside your organization as well. All the energy, urgency, and busyness that make consumers bigger targets apply to security teams too.

While bad actors are working overtime to launch new threats and tactics, infrastructure security teams are also on the job 24/7. But the realities of the season intrude here, too.

Holiday schedules typically find teams understaffed and overstressed. It’s common to find teams reducing headcount to allow for time off, stretching already thin resources even further.

Staff shortages also directly impact security response. If and when potential incidents are detected, certain escalation paths may be unavailable because the people on them are out of office (OOO). This, plus urgency, can force teams into sub-optimal decision making—just when they need to be 100% focused on securing their OT environment.

Turning Risk into Readiness: Holiday-proofing Your OT

While the year-end holidays will always be seen as a peak season for bad actors, OT security teams can do more to better prepare for risks now and throughout the year. As with everything else about the holidays, a little preparation can go a very long way.

  • Operate like a high value target. This means realizing the critical role your teams play in securing the infrastructure that is, in turn, critical to the nation. If your teams don’t recognize this criticality, remind them that hackers and cybercriminals definitely do.
  • Review security controls and assigned roles. Make sure the right redundancies are in place to support proper strategic decision-making, no matter the schedule.
  • Look for critical points of failure that might exist elsewhere in the organization, even outside formal controls. Again, make sure redundancies or workarounds are in place to ensure teams can maintain peak readiness.
  • Maximize staff downtime where and when it exists. Even with worries about seasonal security readiness, business does typically slow down as other teams also take time off for the holidays.
  • Simulate, simulate, simulate. Some of this downtime can be used to tabletop some of the risks and threats typically seen over the holiday season. Are your controls ready? Are failovers in place if control systems go down? Now’s the time to get these questions answered.

Staying merry, safe, and sane

OT cybersecurity is never a seasonal business, but risk clearly escalates over the holidays. OT leaders need to pause and reflect on how they prepare their teams to stay ready now and across the year. ‘Tis the season for a little readiness.