Combating Ransomware – Protecting a Nation’s Critical Infrastructure

June 16, 2021

  • Recent high-profile cyber attacks, including the Colonial Pipeline ransomware and SolarWinds supply chain hacks, led to the White House executive order (EO) on cybersecurity.
  • The EO mandates a shift toward Zero Trust and emphasizes training, software development and IoT security, among other imperatives.
  • This post outlines the EO and its implications for US organizations.

On May 7, 2021, Colonial Pipeline, one of the largest pipeline operators in the US, suffered a ransomware attack. DarkSide, a ransomware-as-a-service (RaaS) gang, effectively shut down the pipeline, leading to massive financial losses. On May 13, Colonial Pipeline paid $5 million to DarkSide to obtain the decryption key and restore operations. Due to the seriousness of the attack, several federal agencies, including the FBI, the Federal Motor Carrier Safety Agency (FMCSA) and the Cybersecurity and Infrastructure Security Agency (CISA), became involved in investigating the ransomware attack.

Since then, another notable ransomware attack has occurred. Computer networks at the world's largest meatpacking company, JBS, fell victim to a group of Russian hackers known as REvil. Rapid response and recovery efforts helped minimize disruption to its operations. At this time, it is unknown whether JBS elected to pay the ransom.

These attacks, as well as the software supply chain attack on network monitoring company SolarWinds, have thrown a spotlight on how vulnerable the nation’s critical infrastructure is to cyber criminals. On May 13, President Joe Biden signed an executive order intended to improve the nation’s cybersecurity posture.

Let’s look at some of the main points of the EO, which are geared towards protecting United States critical infrastructure from future cyber attacks.

Summary of the Executive Order

Modernizing cybersecurity procedures and tools is critical to fight ever-evolving threats.

The Federal Government is keen to move towards Zero Trust Architecture (ZTA) and to advance the use of infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS), which will centralize and streamline access to cybersecurity data and, in theory, improve the way risks are identified. NIST will develop plans to implement ZTA, and CISA will assist in modernizing all cybersecurity programs to comply with ZTA. Cloud service providers (CSPs) working with the Federal Government will have to comply with FedRAMP regulations.

The EO mandates the establishment of a comprehensive training program. All participating agencies must be properly trained in handling FedRAMP requests, and appropriate access to training materials, including on-demand videos, must be provided.

Software and supply chain security is vital for any company because all information technology (IT) and operational technology (OT) systems fundamentally rely on secure software to function correctly. Both open source and commercial software are vulnerable to malicious attacks if they fail to pass security scrutiny and lack appropriate controls. As a result, directors from the Federal Government, the private sector, academia and other affected organizations will need to come together to create new standards, tools and best practices, as well as improve existing ones, to ensure software releases are more secure. The executive order talks briefly about implementing multi-factor authentication (MFA), enforcing end-to-end encryption, maintaining separate build environments and monitoring for alerts, all of which contribute to making software and its supply chain more secure. Software components and associated libraries should be continuously updated, and periodic automated scanning and process audits should be performed.

The public will need to be educated on the weaknesses of Internet of Things (IoT) products, as they are vulnerable to cyber-attacks. Pilot programs are recommended for makers of IoT products to help them create more robust and secure IoT software.

The executive order emphasizes a close partnership between private companies and the Federal Government, where the scope of protection is the IT and OT systems that power the nation’s infrastructure. The EO instructs the director of the Office of Management and Budget (OMB) to review the contract language for IT and OT providers and recommend updates. Service providers that contract with the Federal Government are now mandated to collect and preserve data and information. They must also report all relevant cybersecurity events supporting prevention, detection, response and investigation for systems under their control. In addition, service providers should share data regarding all cybersecurity incidents with federal agencies and collaborate with those agencies in any investigation of events. The data collected will be shared in industry-standard formats to help with future investigations.

Incident Response is Key

Detecting incidents early is key to preventing them. Per the executive order, the Federal Government must ensure maximum detection of incidents using all appropriate measures. Endpoint detection and response (EDR) should be used by all federal agencies for proactive detection, along with active threat hunting, incident response, containment and eradication techniques. It should be noted that mission critical systems should not be disrupted during threat-hunting exercises.

Once an incident has been identified, a playbook is required that describes standard operating procedures (SOPs) for the steps taken to identify, remediate and recover from vulnerabilities. The EO mandates creation of one such playbook, which will incorporate all NIST standards, to be used by federal civilian executive branch (FCEB) agencies. Any agency that wishes to deviate from the playbook will have to consult the director of OMB and the Assistant to the President for National Security Affairs (APNSA). They must demonstrate that the procedures they plan to follow will meet or exceed the standards dictated by the playbook. The playbook will be actively maintained and updated annually.

Improving the Federal Government’s investigative and remediation capabilities is crucial. The executive order mandates that network and system logs be maintained, which will help in investigation and remediation efforts. Logs can be collected from on-premises systems or from CSPs. The logs collected must be protected using industry-standard cryptographic techniques. Log retention and management policies are to be followed, and logs must be provided upon request to any federal agency investigating an incident.

Private Sector Impacts

The impact to the private sector, beyond providers servicing federal agencies, has also been clarified. In an updated memo, the US government has asked all private companies to avoid paying ransoms and to treat ransomware attacks more seriously and with greater urgency. It has also asked companies to engage with the Department of Homeland Security (DHS) when experiencing ransomware attacks.

The measures mentioned in the executive order and the subsequent memo are essentially foundational security practices that any company can and should follow. Practices such as periodically assessing vulnerabilities on networks and applications, creating and deploying secure applications, implementing and testing incident response procedures and keeping the software supply chain patched are all ways to help prevent cyber attacks. By partnering with the Federal Government, private companies can draw from their own experiences around cyber defense and incident response to ultimately make critical infrastructure more resilient to cyber attacks.

Conclusion

The executive order defines the measures the US Federal Government has outlined to protect its sensitive assets from future cyber security attacks. By modernizing its cyber defense techniques, partnering with private companies and academia and implementing IT and OT security guidelines, the US intends to aggressively protect its critical infrastructure and stay one step ahead of cyber criminals.

_____

Optiv Inc. (www.optiv.com) is uniquely positioned to help private companies, as well as federal, state and local government agencies, implement all controls mentioned in the executive order. Optiv offers a wide range of cybersecurity services to design, build, deploy, monitor and maintain secure systems and environments. To learn more about how Optiv can be your partner in securing your enterprise, reach out to us!

Subramanya S.
Principal Consultant | Optiv
Subramanya is a senior consultant on the Application Security Team in Optiv’s Management Practice. He specializes in application security.