
RANSOMWARE AND ICS
Presented by Ashley Van Hoesen
ABOUT ME

DHS-ICS Certified
Extensive background in ICS, working in multiple industries (oil & gas, energy, manufacturing)
Former Naval Nuclear Engineer
INDUSTRIAL CONTROL SYSTEMS: A BRIEF INTRODUCTION
OUR WORLD

The Operational Technology (OT) / Industrial Control Systems (ICS) world is being exposed to more threats than ever before. These systems are an attractive target for malicious actors because disrupting a physical process is immediately and visibly costly, which creates pressure to pay.
01 OT
Operational Technology: the overarching term for the use of hardware or software to control physical processes.

02 IT
Information Technology: the hardware and software used to store, process and communicate data, as opposed to controlling a physical process.
ICS SECURITY ARCHITECTURE

RANSOMWARE AND ICS
HOW RANSOMWARE AFFECTS ICS
Ransomware Threats Today

The most well-known recent attack on an ICS operator occurred on May 6th of this year (2021) and affected Colonial Pipeline. It has been described as the most disruptive cyberattack on US critical infrastructure to date. Note that the DarkSide ransomware hit Colonial's IT systems; pipeline operations were shut down as a precaution while the IT side was contained, which is exactly the IT-to-OT dependency the Prepare steps later in this deck address.
H1 2021 RANSOMWARE ATTACKS: 1,112
2020 RANSOMWARE VICTIMS: 1,097

RANSOMWARE GROUPS TRACKED IN 2020: 25, responsible for more than 1,200 attacks

[Bar chart: attacks per group (0 to 400) for CONTI, AVADDON, REVIL, DarkSide and PYSA; the bar values are not recoverable from the extracted text]

In the first half of 2021 we have seen an over 100% increase in ransomware attacks from 2020: the 1,112 attacks in six months already exceed the 1,097 victims counted for all of 2020. About 75% of the attacks originated from five groups.
HOW MALWARE IS DEPLOYED

PHISHING: a user opens a malicious attachment or link.
WATERING HOLE: a website the target's staff routinely visit is compromised.
EXTERNAL INFRASTRUCTURE: internet-exposed services such as VPN gateways and remote access are attacked directly.
HOW DOES RANSOMWARE AFFECT ICS?

OPERATING SYSTEM CHANGES
Changes to an operating system may present unwanted results.

INFORMATION REPORTING
Malicious actors could feed false process data to operators (misinformation), resulting in unwanted or unnecessary action.

CONTROLLER CHANGES
Changes to Programmable Logic Controllers, Remote Terminal Units or other controllers could damage equipment.

SAFETY CONTROLS
Tampering with safety controls could result in prevention of fail-safes, putting lives at risk.
PROTECTING AGAINST RANSOMWARE

STAGES OF AN ICS ATTACK: THE CYBER KILL CHAIN

STEPS CARRIED OUT BY AN ATTACKER

01 RECONNAISSANCE
02 WEAPONIZATION
03 DELIVERY & EXPLOITATION
04 INSTALLATION & COMMAND AND CONTROL
05 ACTIONS & OBJECTIVES
01 PREPARE
Environment analysis to determine critical processes.

02 MITIGATE
Applying appropriate mitigation techniques to the environment.
PREPARE

DETERMINE CRITICAL PROCESS RELIANCE ON IT INFRASTRUCTURE
Assess the OT/IT network interdependencies which could provide an attack path into OT.

IDENTIFY A RESILIENCE PLAN
Develop a plan for continuing critical processes in the event of an IT incident.

INCIDENT RESPONSE & BACKUPS
Develop a separate IR plan for the OT environment, including backups and backup restoration. Test the restoration, and include controller project files and HMI configurations, not only servers.
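The first Prepare step, assessing which OT assets depend on IT-zone services and which IT hosts already reach into OT, can be started from connection records. The script below is an added example for this deck, not code from the original presentation. The zone address ranges, the port-to-service table, the record format and the connection records are constructed assumptions; on a real site they would come from the firewall or a network sensor.

```python
"""Assess OT/IT interdependencies from connection records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone layout (hypothetical addressing).
ZONES = {
    "OT": ip_network("10.10.0.0/16"),
    "IT": ip_network("10.30.0.0/16"),
}

# Assumed IT-hosted services an OT asset may silently depend on.
IT_SERVICES = {53: "DNS", 88: "Kerberos", 123: "NTP", 389: "LDAP", 1433: "historian SQL"}


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "OTHER"


def parse_conn(line):
    """Constructed record format: ts src_ip src_port dst_ip dst_port proto."""
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def assess(lines):
    """Return (dependencies, inbound_paths).

    dependencies: {ot_host: {service: {it_host, ...}}} built from OT->IT flows,
    i.e. what stops working in OT if the IT side is ransomed.
    inbound_paths: sorted (it_host, ot_host, dport) from IT->OT flows, i.e.
    routes an intruder on the IT side could follow into OT.
    """
    deps = defaultdict(lambda: defaultdict(set))
    inbound = set()
    for line in lines:
        r = parse_conn(line)
        src_zone, dst_zone = zone_of(r["src"]), zone_of(r["dst"])
        if src_zone == "OT" and dst_zone == "IT":
            service = IT_SERVICES.get(r["dport"], f"{r['proto']}/{r['dport']}")
            deps[r["src"]][service].add(r["dst"])
        elif src_zone == "IT" and dst_zone == "OT":
            inbound.add((r["src"], r["dst"], r["dport"]))
    return {host: dict(services) for host, services in deps.items()}, sorted(inbound)


def rank_reliance(deps):
    """OT hosts ordered by how many distinct IT services they depend on."""
    return sorted(((h, len(s)) for h, s in deps.items()), key=lambda x: (-x[1], x[0]))


# Constructed sample: two OT hosts using IT-side DNS/NTP/AD/historian, one
# IT workstation reaching OT hosts over RDP and SMB, and one intra-OT Modbus flow.
CONN_LOG = [
    "1620000001 10.10.1.5 50123 10.30.0.10 53 udp",
    "1620000002 10.10.1.5 50124 10.30.0.11 123 udp",
    "1620000003 10.10.1.7 50200 10.30.0.20 1433 tcp",
    "1620000004 10.10.1.7 50201 10.30.0.10 53 udp",
    "1620000005 10.10.1.7 50202 10.30.0.12 88 tcp",
    "1620000006 10.30.5.44 49000 10.10.1.5 3389 tcp",
    "1620000007 10.10.1.9 50300 10.10.1.1 502 tcp",
    "1620000008 10.30.5.44 49001 10.10.1.7 445 tcp",
]

if __name__ == "__main__":
    deps, inbound = assess(CONN_LOG)
    for host, count in rank_reliance(deps):
        print(f"{host}: depends on {count} IT service(s): {deps[host]}")
    for path in inbound:
        print("IT->OT path:", path)
```

The ranked list is the input to the resilience plan (which OT hosts lose DNS, time or the historian if IT goes dark), and the inbound list is the first thing to review when building the segmentation rules: every entry is a flow that should either be justified or blocked. Note that a dependency flow is also a path in reverse, since a compromised IT server can answer the OT client with something hostile.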
MITIGATE

PRACTICE GOOD CYBER HYGIENE
Develop a plan for regular software updates. Implement MFA for OT access from IT.

NETWORK SEGMENTATION
Create robust network segmentation between IT and OT networks, so that a compromise of the IT side cannot reach controllers directly.

CONTINUOUS MONITORING
Use threat hunting tactics and continuous monitoring software to detect attacks early, before the attacker reaches the actions-and-objectives stage.
CONNECTION PERSISTENCE
Network traffic consistently reaching out to an external source (command-and-control beaconing).

ABNORMAL PROTOCOL BEHAVIOR
Network traffic outside of the norm, for example function codes or talkers a controller has never seen before.

LENGTH OF DATA
A minimum of 12 hours of data, so that a baseline of normal traffic exists before anything is judged abnormal.
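The two indicators above, and the 12-hour baseline requirement, can be turned into concrete checks. The script below is an added example for the Continuous Monitoring step and the indicator slide; it is not code from the original deck. The record format, the internal address range, the beacon thresholds (at least 6 connections, inter-arrival jitter under 20%), the Modbus function codes chosen, and all sample records are constructed assumptions.

```python
"""Beaconing and Modbus protocol-anomaly checks over constructed records (added example)."""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed site addressing
MIN_BASELINE_SECONDS = 12 * 3600            # slide: at least 12 hours of data


class Record(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    fc: Optional[int]  # Modbus function code, None for non-Modbus flows


def parse(line):
    """Constructed format: ts src dst dport proto modbus_fc ('-' if none)."""
    ts, src, dst, dport, proto, fc = line.split()
    return Record(int(ts), src, dst, int(dport), proto, None if fc == "-" else int(fc))


def load(lines):
    return [parse(line) for line in lines]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(records, min_conns=6, max_jitter=0.2):
    """Connection persistence: (src, dst) pairs contacting an external address at
    machine-regular intervals. Returns [((src, dst), mean_gap_seconds, jitter)]."""
    by_pair = defaultdict(list)
    for r in records:
        if is_external(r.dst):
            by_pair[(r.src, r.dst)].append(r.ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation of the gaps: close to 0 for a timer, large for a human
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            hits.append((pair, round(mean), round(jitter, 3)))
    return hits


def learn_baseline(records):
    """Which (src, dst) pairs use which Modbus function codes. Refuses < 12 h of data."""
    modbus = [r for r in records if r.fc is not None]
    span = max(r.ts for r in modbus) - min(r.ts for r in modbus)
    if span < MIN_BASELINE_SECONDS:
        raise ValueError(f"baseline spans {span / 3600:.1f} h; need at least 12 h")
    baseline = defaultdict(set)
    for r in modbus:
        baseline[(r.src, r.dst)].add(r.fc)
    return dict(baseline)


def find_protocol_anomalies(baseline, records):
    """Abnormal protocol behaviour: a new talker to a PLC, or a function code it never saw."""
    hits = []
    for r in records:
        if r.fc is None:
            continue
        key = (r.src, r.dst)
        if key not in baseline:
            hits.append((r.src, r.dst, r.fc, "source never seen talking to this PLC"))
        elif r.fc not in baseline[key]:
            hits.append((r.src, r.dst, r.fc, "function code not in baseline"))
    return hits


# Constructed baseline: an HMI polling a PLC (fc 3 reads, periodic fc 16 writes)
# every 10 minutes for 80 samples, i.e. just over 13 hours.
BASELINE_LOG = [f"{1620000000 + i * 600} 10.10.1.9 10.10.1.1 502 tcp {16 if i % 4 == 0 else 3}"
                for i in range(80)]

# Constructed live records: one host beaconing to an external address about every
# 60 s, one host with irregular external traffic, and Modbus traffic containing an
# fc 6 write the HMI never issued before and fc 8 (diagnostics) from the beaconing host.
_JITTER = [0, 2, -1, 1, 0, 3, -2, 1]
LIVE_LOG = (
    [f"{1620100000 + i * 60 + j} 10.10.1.5 203.0.113.7 443 tcp -" for i, j in enumerate(_JITTER)]
    + [f"{1620100000 + t} 10.10.1.7 198.51.100.9 443 tcp -" for t in (0, 5, 405, 435, 2435, 2442)]
    + ["1620100030 10.10.1.9 10.10.1.1 502 tcp 3",
       "1620100070 10.10.1.9 10.10.1.1 502 tcp 6",
       "1620100090 10.10.1.5 10.10.1.1 502 tcp 8"]
)

if __name__ == "__main__":
    live = load(LIVE_LOG)
    for hit in find_beacons(live):
        print("beacon:", hit)
    for hit in find_protocol_anomalies(learn_baseline(load(BASELINE_LOG)), live):
        print("protocol anomaly:", hit)
```

Note the choice of keying the baseline on the (source, PLC) pair rather than the PLC alone: a legitimate function code from a host that has never talked to that controller is exactly the kind of traffic a ransomware operator pivoting from IT generates, and it would be invisible to a per-PLC allowlist. The 12-hour check is deliberately a hard error; a baseline learned from a short capture would mark ordinary shift-change or batch-cycle traffic as abnormal.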
Thank you
