January 9, 2020
A recent ransomware attack on a maritime facility, disclosed by the U.S. Coast Guard, led to a 30-hour operational shutdown and highlights the consequences of improperly configured or secured converged IT/OT systems. The USCG issued a bulletin following the attack, which was caused by the ransomware known as Ryuk, noting that it impaired both the IT systems and the industrial control systems of a facility regulated by the Maritime Transportation Security Act (MTSA).
The attack began when an employee clicked a link in a phishing email, which delivered the malware.
“Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files,” USCG officials said in the security bulletin. “The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”
No specific facility was named in the bulletin. The USCG did note that several measures might have prevented or limited the breach and shortened the time to recovery, including:
· intrusion detection and intrusion prevention systems (IDS/IPS) to monitor real-time network traffic
· industry-standard, up-to-date virus detection software
· centralized and monitored host and server logging
· network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
· up-to-date IT/OT network diagrams
· consistent backups of all critical files and software
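Of the measures above, network segmentation and an up-to-date IT/OT network diagram are the two a practitioner can test directly against what the boundary firewall actually enforces. As an added example that is not part of the USCG bulletin or this article, the Python script below audits a boundary-firewall ruleset against a segment inventory taken from a network diagram: it flags any accept rule that opens a path from an IT segment into an OT segment unless that path is on an explicit allow-list, and it evaluates individual flows first-match (for instance an infected IT workstation reaching a PLC on Modbus/TCP port 502) against a flat ruleset and against a segmented one. All segment names, addresses, rules and the single allowed historian flow are constructed assumptions, not anything from the bulletin.

```python
"""Audit an IT/OT boundary-firewall ruleset against a segmentation policy.

Added example: not from the USCG bulletin. Segments, addresses, rules and
the allow-list are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        """True if this rule applies to the given flow."""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Segments as drawn on a (constructed) IT/OT network diagram. Names are
# prefixed "it-" or "ot-" so the audit can tell the two zones apart.
SEGMENTS = {
    "it-corp":    "10.10.0.0/16",      # workstations, mail and file servers
    "it-physec":  "10.20.0.0/24",      # cameras and badge readers
    "ot-dmz":     "172.16.0.0/24",     # historian replica, patch staging
    "ot-control": "192.168.100.0/24",  # PLCs and HMIs for cargo transfer
}


def overlaps_zone(cidr: str, zone: str) -> bool:
    """True if `cidr` overlaps any segment whose name starts with `zone`-."""
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(ipaddress.ip_network(seg))
               for name, seg in SEGMENTS.items() if name.startswith(zone + "-"))


def covered_by(rule: Rule, allowed: Rule) -> bool:
    """True if every flow `rule` accepts is also permitted by `allowed`."""
    return (ipaddress.ip_network(rule.src).subnet_of(ipaddress.ip_network(allowed.src))
            and ipaddress.ip_network(rule.dst).subnet_of(ipaddress.ip_network(allowed.dst))
            and allowed.proto in ("any", rule.proto)
            and allowed.dport in (None, rule.dport))


def audit(rules: List[Rule], allowed: List[Rule]) -> List[Rule]:
    """Return accept rules that open an IT-to-OT path not on the allow-list."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        if not (overlaps_zone(r.src, "it") and overlaps_zone(r.dst, "ot")):
            continue
        if not any(covered_by(r, a) for a in allowed):
            findings.append(r)
    return findings


def flow_permitted(rules: List[Rule], src_ip: str, dst_ip: str,
                   proto: str, dport: int) -> bool:
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.matches(src_ip, dst_ip, proto, dport):
            return r.action == "accept"
    return False


# The only IT-to-OT flow the (constructed) policy permits: the corporate
# historian polling its read-only replica in the OT DMZ on one TCP port.
ALLOWED_IT_TO_OT = [Rule("accept", "10.10.5.10/32", "172.16.0.20/32", "tcp", 1433)]

# Weak: flat network, the boundary firewall passes everything.
FLAT = [Rule("accept", "0.0.0.0/0", "0.0.0.0/0")]

# Corrected: the one sanctioned path, then explicit denies into each OT
# segment, with IT-to-IT traffic still allowed.
SEGMENTED = [
    Rule("accept", "10.10.5.10/32", "172.16.0.20/32", "tcp", 1433),
    Rule("drop",   "0.0.0.0/0",     "172.16.0.0/24"),
    Rule("drop",   "0.0.0.0/0",     "192.168.100.0/24"),
    Rule("accept", "10.10.0.0/16",  "10.10.0.0/16"),
]


if __name__ == "__main__":
    for label, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{label}: {len(audit(rules, ALLOWED_IT_TO_OT))} unsanctioned IT->OT rule(s)")
        # An infected IT workstation trying to reach a PLC on Modbus/TCP (502).
        print(f"  workstation -> PLC:502 permitted: "
              f"{flow_permitted(rules, '10.10.42.7', '192.168.100.15', 'tcp', 502)}")
```

The audit deliberately uses overlap, not containment, when deciding whether a rule touches IT and OT: a rule with an "any" source or destination overlaps both zones and is the kind of rule that turns a diagrammed boundary into a flat network. Conversely a rule is only excused if it is a strict subset of an allow-list entry, so a rule that widens the historian path to a whole /16 or to any port is still reported. The ruleset format here is the script's own; feeding it real rules means writing a small translator from the firewall's export format.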
Pierre Bourgeix, CTO and founder of ESI Convergent and an expert on converged security, said that as the number of converged systems increases around the globe, so does the importance of ensuring those systems are secure.
“The main reasons why systems are breached revolve around improper segmentation, weak policies and procedures, weak security awareness training, improper redundant backup infrastructure, lack of governance to define communication and collaboration between silos and finally unsecure technology at the edge such as sensors, SCADA control systems, Programmable Logical Controllers, access control systems and readers, cameras, etc. One or all of these would have played a role in the ransomware attack. The takeaway is that organizations and agencies must continuously assess as well as ensure that redundant systems are in place and are segmented and secure to prevent this in the future.”