Prioritizing Ransomware Readiness for Critical Infrastructure

Cyber Risk Highlights in Critical Infrastructure Series-Part 4

Welcome back to our blog series on cyber risk highlights in critical infrastructure. Last week’s blog post discussed the increased capabilities of cybercriminals and explained how cyber physical disruption is possible through IT and OT interdependencies. This week, we discuss the importance of prioritizing ransomware readiness for critical infrastructure organizations.

Advanced Ransomware Threatens Critical Infrastructure Security

The FBI’s Internet Crime Complaint Center found ransomware was a top threat to critical infrastructure Security in 2021, hitting a wide variety of organizations. The FBI said it began tracking reported ransomware incidents involving critical sectors in June 2021, coinciding with the highly publicized Colonial and JBS incidents which leveraged IT and OT interdependencies. The FBI found ransomware hit 649 critical infrastructure entities.

Healthcare and public health topped the list, with 148 reported ransomware incidents. Financial services came in second, suffering 89 attacks. The IT sector also took a hit, with 74 victims affected by ransomware. Critical manufacturing wasn’t far behind, with 65 reported incidents.

Given this increased frequency, critical infrastructure operators should be aware of the evolution of ransomware attacks. Early ransomware attacks were primarily focused on holding an organization’s data hostage. But, as companies have gotten better at data backup and recovery, ransomware attacks have evolved to taking over systems and networks, setting up command and control operations, and stealing intellectual property and sensitive data. This shift in cyber-attack strategy by cybercriminals has led to a new industry term: cyber big-game hunting.

Big-game hunting ransomware targets and prioritizes high-value organizations, high-profile entities, and ultimately high-impact consequences.

Assessing Ransomware Preparedness: The Community Still Needs to Master the Basics

Axio’s research study on the 2022 State of Ransomware Preparedness revealed several concerning findings about the general state of organizational readiness to combat the growing tide of ransomware. Over 100 organizations across multiple critical infrastructures have used the Axio360 platform to conduct our free Ransomware Preparedness Assessment. This new assessment tool is based on data from hundreds of real ransomware events, guidance from the US Department of Homeland Security, and Axio’s own research.

Overall, most organizations surveyed in 2022 are still not adequately prepared to manage the risk associated with a ransomware attack. Many organizations still lack the basic cybersecurity controls required to defend against ransomware.

We identified seven key areas where organizations are deficient in implementing and sustaining basic cybersecurity practices: management of privileged access, basic cyber hygiene, exposure to supply chain risk, network monitoring, incident management, vulnerability management, and training and awareness.

Some highlights from our report are alarming, showing many critical infrastructure organizations still have a long way to go to implement the cybersecurity basics. The following are some data points from the report.

• The number of organizations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
• Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organizations reporting implementing these practices.
• Approximately 40% of organizations monitor third-party network access, evaluate third-party cybersecurity posture, and limit the use of third-party software.
• Less than 50% of respondents implement basic network segmentation, and only 40% monitor for anomalous connections.
• Critical vulnerability patching within 24 hours was reported by only 24% of organizations.
• A ransomware-specific playbook for incident management is in place for only 30% of organizations.
• Active phishing training has improved but is still not practiced by 40% of organizations.

How to Master the Cybersecurity Basics for Critical Infrastructure

So why have many critical infrastructure organizations struggled to master the basics? There is a multitude of reasons, but the most common roadblocks include a lack of financial resources, technical expertise, and limited strategic planning and organization. Achieving basic cybersecurity can often be a herculean effort due to the above constraints. Fortunately, there are many things you can do today that will not strain your organization’s current resources.

We recommend beginning your cybersecurity improvement journey with a free ransomware preparedness assessment in the Axio360 platform. The assessment was built using hundreds of real ransomware events, US Department of Homeland Security guidance, and our own research. The tool lets you assess your ransomware posture across 65 core cybersecurity practices in 8 domains. Additionally, the assessment output can be used to rapidly evaluate gaps in an organization’s cybersecurity posture that make it more susceptible to big-game-hunting ransomware. These results are critical in identifying and implementing protections against ransomware and will have the secondary effect of increasing the organization’s overall cybersecurity posture.

After performing the assessment, we welcome you to book a call with one of our experts to discuss your results and how you can use the additional functionality in the Axio360 platform to build a cybersecurity program that is agile and defendable to all business stakeholders.