Ransomware Threats are Rampant, but Industrial Cyber Resilience is Strengthening

Released earlier this month, Claroty's latest Global State of Industrial Cybersecurity report offers valuable insight into what industrial cyber defenders are currently doing to combat ransomware, as well as opportunities to strengthen resilience moving forward. A joint advisory issued last week by CISA and other cybersecurity authorities in the U.S., Australia, and the U.K. identified the targeting of critical infrastructure and industrial processes as a key trend in ransomware threats from 2021. This aligns with the survey of 1,100 IT and OT security professionals detailed in the new report from Claroty, which found that 47% of respondents had their OT/ICS environment impacted by a ransomware attack.

Nearly half of respondents reported ransomware impact on their OT/ICS environments.

Among respondents who experienced a ransomware attack, 49% reported a substantial impact on operations, including 24% who said the impact lasted longer than one week.

The objective of conducting this global survey was to understand respondents' levels of resilience to cyberattacks—despite unprecedented and unpredictable challenges—and learn about their priorities moving forward. We dug deep into ransomware and its impact on industrial organizations in the U.S., Europe, and Asia-Pacific and the results were surprisingly grim. Here are just a few of the findings:

Ransomware is rampant and payments are prevalent

• A staggering 80% of respondents experienced a ransomware attack, with 47% reporting an impact to their OT/Industrial control system (ICS) environment.

• 67% of enterprise respondents (>$1B annual revenue) reported paying the ransom, compared to just 55% of mid-market and small-to-medium business (SMB) respondents. The majority of enterprise respondents reported a ransom payment of more than $500,000 USD, while the majority of mid-market and SMB respondents reported a ransom of less than $500,000 USD.

• More than 90% disclosed the incident to shareholders and/or authorities, and 69% believe timely reporting should be mandatory.

There was very little variation in responses across geographic locations. As for differences by sector and size, in industries including IT Hardware, Oil & Gas, Water & Waste, and Automotive, 90% were impacted by ransomware and 87% in Heavy Industry and Electric Energy. Not surprisingly, the larger the organization, the more likely an attack, since large enterprises are both more likely to pay and more willing to pay a large ransom. The decision to pay the ransom comes down to financial models; respondents estimate the cost of downtime far exceeds the ransom sums in most cases.

Gaps in processes and technology to mitigate ransomware risk remain

• More than 65% rate their vulnerability management strategy as moderately to highly proactive, yet ransomware attacks are highly successful.

• Nearly 30% of respondents are sharing passwords, 57% employ usernames and passwords, and 44% use VPNs – all areas of opportunity to strengthen resilience.

• 22% of respondents who say they conduct proactive vulnerability assessments reported substantial impacts lasting more than a week following a ransomware attack. This is considerably less than the 33% reported by respondents who do not have a process for conducting vulnerability assessments regularly.

Industrial organizations are on the right track to build resilience

As concerning as the growing threat of industrial ransomware attacks may be, the survey results indicate that organizations are making promising steps toward effective mitigation. More than 80% of respondents report an increased budget for OT/ICS cybersecurity, confidence in security leaders continues to grow, and security professionals have support from the top. C-suite executives and board members are very involved in cybersecurity decision making and oversight. With these factors in their favor, CISOs and other security leaders at industrial companies can make swift and meaningful progress to mitigate the risk of ransomware attacks.

Detailed in greater depth in the report, the following five steps are core building blocks for building resiliency against ransomware and other cyber threats to your critical infrastructure and other industrial assets:

1. Extend risk governance to include cyber-physical assets:

   Devices that are not designed with security in mind introduce risk when connected to IT and OT networks.

2. Maintain proper segmentation:

   There are many business processes and applications that need to communicate across the IT/OT boundary, so organizations need to ensure this is done in a secure way.

3. Practice good cyber hygiene:

   Ensure that cyber hygiene practices extend to OT and IoT devices. This includes the use of strong passwords, a password vault, and multi-factor authentication. However, some processes, like patching legacy systems, might be more challenging or not possible in an OT/ICS context.

4. Implement a robust system monitoring program:

   Being able to monitor for threats in both IT and OT networks and anything that is traversing that boundary is imperative for effective and efficient detection and response.

5. Assess and build preparedness:

   Implementing the above capabilities and strengthening resilience gives security leaders and teams peace of mind. Running tabletop exercises of ransomware attacks provides a deeper understanding of organizational and technical preparedness.

For a full breakdown of the survey results and more insight into how to better secure your environment, download Claroty's latest Global State of Industrial Cybersecurity report.