Using the NIST CSF Security Controls to Prevent and Recover from Ransomware

OT-Ransomware
Blog

Using the NIST CSF Security Controls to Prevent and Recover from Ransomware

Why Is Ransomware on the Rise?

According to Statista, there were a total of 304 million ransomware attacks worldwide in 2020, a 62% increase from the year prior. So far in 2021, the outlook has not improved. With targets ranging from meat processing giants and pipelines to regional victims like the ferry operator for Martha’s Vineyard and Nantucket, this ransomware epidemic doesn’t show signs of slowing anytime soon. Factors like widespread remote working, migration to cloud infrastructure, lax cybersecurity practices, cryptocurrencies, and the booming business of ransomware-as-a-service (RaaS) are all contributing to this problem.

So, what can companies do to prevent and/or quickly recover from a ransomware attack? The answer has been around for a while. Businesses must apply a defense in depth approach to their cybersecurity, and the controls found in the NIST Cybersecurity Framework are a perfect model for how to achieve this.

What Is the NIST Cybersecurity Framework (CSF)?

The NIST Cybersecurity Framework (CSF) is a voluntary standard put out by the US Federal government that uses business drivers to guide cybersecurity activities as part of an organization’s overall risk management strategy. It consists of three parts: a Framework Core, Implementation Tiers, and a Framework Profile. The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand in the form of five Functions. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements existing cybersecurity and risk management processes.

What Are the 5 Functions?

  1. Identify – Develop an understanding of your environment to manage cybersecurity risk to systems, assets, data and capabilities.
  2. Protect – Develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event.
  3. Detect – Implement the appropriate measures to quickly identify cybersecurity events.
  4. Respond – Develop and apply a detailed response plan to take action if a cybersecurity incident is detected.
  5. Recover – Develop and implement activities to restore any capabilities or services that were impaired due to a cybersecurity event.

Using NIST CSF to Help Organizations Prevent and Recover from Ransomware

  1. 1. Identify

    The process of simply identifying what assets and networks you have and which ones are critical to your business is extremely informative. It’s not unlikely for someone to find an entire control system or network segment that has been forgotten. Having a strong asset management program inherently makes you more secure and aware. The old adage that you can’t protect what you can’t see has never been more relevant. Do not let an attacker be the one who reminds you about a forgotten part of your infrastructure when they exploit a vulnerability and install ransomware.

  2. 2. Protect

    Backup, backup and more backup
    Work under the assumption that you will be compromised, and you might not notice it right away. Application data and systems images are typically what is thought of and are a great start. But that is not enough, especially in operational technology (OT) environments. Do you have secure copies of critical project files and recipes? If you had to deploy a new switch, router or firewall do you have a secure copy of the firmware you were using? You can’t assume that you’ll be able to simply go the vendor’s website and grab it if your internet access has been compromised. You also need to make sure you have a secure copy of device configurations, things like firewall rules, running configurations and setpoints.

    Multiple points in time
    It may take some time to realize that you have been compromised, so make sure your backups contain multiple points in time to ensure you have a copy that is free from ransomware. A knee jerk reaction is a restore to a point in time right before the malware revealed itself, but it may have been hiding in there for months. Restoring at too early a point in time may cause the malware to run again.

    Multiple locations
    Sophisticated ransomware can encrypt any backups they have access to, so make sure you have a copy that is locked/read only and stored in a separate location.

    Update, patch and mitigate
    Patches typically come with downtime, so carefully evaluate patches from your vendors and take what truly provides additional protection and improves security posture. If you do not have a patching window, determine what can be done to mitigate the threat in the short term.

    Secure your perimeter and segment
    There are two factors that make or break a ransomware attack: the ability to spread and widen its impact throughout an organization AND the ability to beacon through public internet to provide updates and information to the remote attackers about its progress. By limiting network access to only allow required ports and protocols, you can greatly hamper these abilities.

    DNS queries are often triggers for malware and a critical way to reach its command and control infrastructure. Make sure you lock down protocols to not only the protocols allowed, but also the correct hosts. Your controllers don’t need to be resolving external websites, so your OT DNS servers shouldn’t either.

    Malware Detection
    Deploy antivirus and/or malware detection software and keep the signatures up to date.

  3. 3. Detect

    Before doing this step, I recommend you go back to Identify/Protect and take a hard look at what polices, programs and products you have in place. We see too many organizations jump right into detection before doing the basics of Identify/Protect. In fact, a recent poll we did revealed that 60% of respondents are still using spreadsheets to track assets and their configurations. By the time those configurations hit a spreadsheet, they are probably already out of date. Identify and Protect are truly the two, most important functions to have for reducing your risk and increasing your chances of recovering quickly from a ransomware attack.

    Would you invest in high-end security cameras at your home before installing quality door and window locks? But hey look the camera says it comes with AI/ML so this is really what I need, and it will alert me when it sees a suspicious car driving around the neighborhood. Turns out, your neighbor was just test driving a new car, and a thief walked right in through your unlocked basement. The AI/ML in the camera did not tell you about this because the thief looks just like someone who lives in your household.

    Long story short, monitor your firewalls and endpoints for changes that go against policy. Monitor your backups to ensure they run and finish within the allotted time. Monitor device logs for signs of compromised or abnormal behavior. Monitor user accounts for changes, and make sure that when onboarding and offboarding employees, they have the right access. Monitor critical files for changes. Monitor your antivirus/anti malware solutions to ensure they all get regular definition updates.

    When you have the above well covered, you can start to think about monitoring your network traffic for early detection of a breach.

  4. 4. Respond

    Practice makes perfect. Work on and practice a response plan that addresses how to maintain business continuity. Often the simple act of communication is missed during an incident, which can often add to additional spread of malware. A key component to responding is already knowing your priorities ahead of time. In a crisis, you won’t have the time to determine if you can do estimated billing if you lose your real-time metering data. In the stress of an emergency when your key employees are all at the conference is not the time to decide if you can continue to operate with this system or that.

  5. 5. Recover

    Create your recovery plan, test it and adjust it. Did we back up enough data? Too much? Do we have the right points in time available for a recovery? Does the configuration of the asset we recovered match its original? Is the vendor’s documentation adequate?

    Also don’t forget media fades and fails. We’ve seen otherwise perfectly adequate recovery plans fail because they were relying on 10-year-old CDs. Finding a drive to read it is a major problem, and you are highly likely to find bad sectors. OT environments have unique issues when it comes to recovery. You aren’t as beholden to historical data (like in banking transactions), but finding and maintaining the technology to recover brings challenges that only reveal themselves during actual exercises.

    Again, communication is key here – bringing a system back online before interconnected systems are ready may cause further spread of the ransomware.

Although ransomware attacks are happening all around us, you don’t have to panic. If you get serious about applying these defense in depth cybersecurity controls to your critical systems, your organization will be able to not only reduce its risk by about 85%, but will also be able to quickly recover if ransomware should strike. To learn more about applying the NIST Cybersecurity Framework in OT environments, download our NIST CSF implementation guide.

OT Compliance Guide: NIST Cybersecurity Framework

Download Guide

Stay Informed.

Sign up for our newsletter and receive the latest on ICS cybersecurity, product updates and more.

We welcome contributions to our blog from the ICS security community. View our submission criteria here.