Industry Defence Insights

Ransomware in Industrial Systems

Jarek Sordyl Season 3 Episode 4

Ransomware attacks on industrial systems are not just financial threats—they're real-world dangers that could disrupt essential services. Ever wondered how the convergence of IT and OT systems has opened up new vulnerabilities for cybercriminals? We're unpacking notorious cases like the Colonial Pipeline attack to illustrate this high-stakes issue. Hackers have evolved, finding new ways to bypass traditional IT defenses, putting critical control systems in their crosshairs. Our discussion sheds light on the tactics employed by these cyber adversaries, from phishing to lateral movement, and stresses the precarious balance between maintaining operational continuity and implementing necessary cybersecurity measures.

As we hone in on solutions, we emphasize proactive strategies that industrial environments can adopt to thwart these threats. Think of network segmentation as closing the doors in your house to prevent a fire from spreading—it's a crucial step in reducing risks. We explore the power of AI tools for continuous monitoring, the importance of having resilient, air-gapped backups, and effective vendor risk management practices to fend off third-party vulnerabilities. Preparedness and a layered security approach are no longer optional; they're essential for safeguarding our critical infrastructure. Listen in to understand how to fortify your defenses and ensure operational resilience in the face of growing cyber threats.


Speaker 1:

In today's podcast we are going to talk about ransomware attacks on industrial OT environments: threats and mitigation. Hey everyone, and welcome back.

Speaker 2:

We're going to be diving deep into a topic that's pretty impactful. I guess you could say it's ransomware, but not the kind that, like you know, locks up your computer. We're talking the stuff that hits industrial systems.

Speaker 1:

Right, so that means the things that run like power grids and water treatment plants in factories.

Speaker 2:

Basically all the important stuff that we rely on every day, the backbone of modern life, and it's not just about like data theft anymore. We're talking like real world danger and disruptions to all those essential services.

Speaker 1:

Exactly, it's a whole other level of threat.

Speaker 2:

I mean, it sounds like something out of a movie.

Speaker 1:

Yeah.

Speaker 2:

But it's really happening, and we're going to, like, break it down. To understand why this is such a big deal, we've got to talk about this thing called IT/OT convergence.

Speaker 1:

Right yeah, so it's essentially the merging of IT, which is like your typical computer networks, with OT, which stands for operational technology.

Speaker 2:

OT OK.

Speaker 1:

Yeah, so those are the systems controlling physical machinery and industrial processes.

Speaker 2:

So like the computer systems that actually, like, run the machines. Exactly. OK. So why is this happening?

Speaker 1:

So the idea is to make things more efficient, improve data analysis, allow for remote management.

Speaker 2:

Sure, that all sounds good, but more efficient always sounds good.

Speaker 1:

It is, but you're right, it creates new entry points for attackers.

Speaker 2:

Uh-oh.

Speaker 1:

So like remember the Colonial Pipeline attack back in 2021?

Speaker 2:

Oh yeah.

Speaker 1:

That was like a big wake-up call. Hackers got into their IT network and were able to shut down the entire pipeline.

Speaker 2:

Yeah, that was insane. Gas prices went through the roof. Right. But it sounds like things have gotten even more sophisticated since then. Like, that was a while ago now.

Speaker 1:

Absolutely. We're seeing attackers exploit this IT/OT convergence to go after critical infrastructure directly.

Speaker 2:

Directly. Oh, okay, so they're not just, like you know, mithering around with the IT systems anymore.

Speaker 1:

No, they're going straight for the control systems.

Speaker 2:

Wow.

Speaker 1:

Okay, yeah. And one example that really highlights this is this Conti ransomware attack on a research and development firm.

Speaker 2:

Okay. It started with a phishing email. Simple, but everyone always says, like, watch out for the phishing emails.

Speaker 1:

Right. So important. But in this case the hackers didn't stop at encrypting the data on the regular computers. They actually encrypted the operational data on the firm's HMI and ICS historian, so essentially locking down the control systems.

Speaker 2:

OK, hold on. Before we go any further, could you just like break down those terms for us?

Speaker 1:

Yeah.

Speaker 2:

What is HMI and ICS historian?

Speaker 1:

Absolutely. So HMI stands for human machine interface. Think of it like the control panel for industrial systems. It's how operators interact with and manage those systems, and the ICS historian is basically a database that stores all the operational data from the industrial processes.

Speaker 2:

Oh, okay, so they basically locked up the control panel and the system's memory.

Speaker 1:

Yeah, essentially.

Speaker 2:

Wow, that's terrifying. Imagine that happening at a power plant or a water treatment facility. Exactly, and that's what makes it so alarming.

Speaker 1:

The potential consequences are enormous. It goes way beyond just like disrupting business operations. Now we're talking about potentially disrupting critical processes that we rely on every day.

Speaker 2:

Okay, so it's not just about money anymore. It's about like actual danger to people.

Speaker 1:

Right, safety's at stake.

Speaker 2:

Wow, and from what I understand, there's like a ton of different ways for these attackers to get in. Obviously, you mentioned the phishing emails, but what other tactics are they using?

Speaker 1:

Yeah, so phishing is definitely still a major threat.

Speaker 2:

Yeah.

Speaker 1:

Especially when emails are disguised as messages from, you know, trusted vendors.

Speaker 2:

Oh, that's sneaky.

Speaker 1:

Right, you think it's legitimate, and then bam, you're infected. But once they're inside the IT network, they often use this technique called lateral movement to reach those crucial OT systems.

Speaker 2:

Lateral movement. What is that exactly?

Speaker 1:

So it basically means the attackers move sideways within a network.

Speaker 2:

Sideways yeah.

Speaker 1:

They exploit these little weak links to gain access to more sensitive areas.

Speaker 2:

Oh, so they kind of, like, sneak around once they're inside.

Speaker 1:

Exactly. They could exploit shared Active Directory domains, which is surprisingly common, to jump from the corporate network to the industrial control systems. It's like finding a secret passageway.

Speaker 2:

Oh, wow, okay.

Speaker 1:

Yeah.

Speaker 2:

So it's not just about having strong firewalls anymore. Companies need to think about, like, internal security.

Speaker 1:

Absolutely, how to stop attackers from moving around once they're already in.

Speaker 2:

This is getting complicated.

Speaker 1:

It is. And what makes it even more challenging is that OT systems are often older. They're running legacy software with known vulnerabilities.

Speaker 2:

Oh right, so like outdated software.

Speaker 1:

Exactly, and patching these systems can be difficult because they often run 24/7. You know, any downtime can disrupt critical operations.

Speaker 2:

Yeah, I get it. Nobody wants to shut down a power plant just to update the software.

Speaker 1:

Right, but on the other hand, haven't we learned by now that patching is important?

Speaker 2:

Yeah, you would think. It might be inconvenient, but it's got to be less inconvenient than getting hit with a ransomware attack. You'd think so, right? Right.

Speaker 1:

But it's a tough balancing act. Yeah, a recent survey found that over 60% of manufacturers delay patching because they're worried about operational disruptions, but that leaves them wide open.

Speaker 2:

So it's like a catch-22, patch and risk disrupting operations, or don't patch and risk a ransomware attack.

Speaker 1:

Exactly.

Speaker 2:

So what's the solution?

Speaker 1:

Well, there's no easy answer, but we need to shift our thinking.

Speaker 2:

Okay, in what way?

Speaker 1:

We need to weigh the risks of patching against the very real risks of not patching.

Speaker 2:

I see.

Speaker 1:

And that's where understanding the impact of these vulnerabilities becomes crucial. Like, take for example the Schneider Electric flaw CVE-2024-3278.

Speaker 2:

Okay.

Speaker 1:

This was a known vulnerability, but it was exploited in 12% of OT ransomware attacks in 2025.

Speaker 2:

12%.

Speaker 1:

Yeah, one single vulnerability can have a widespread impact.

Speaker 2:

That's a lot. It is. Okay. So it seems like these attackers are really good at finding and exploiting these weaknesses.

Speaker 1:

They are, they do their homework.

Speaker 2:

But why is OT so different? I mean, we've talked about IT breaches before, but what makes attacks on these OT systems so much scarier?

Speaker 1:

The key difference is that OT systems control physical processes.

Speaker 2:

Okay, right.

Speaker 1:

So it's not just about data anymore. It's about safety. Remember the incident at the Oldsmar water treatment plant?

Speaker 2:

Oh yeah, that was scary. Like hackers trying to mess with the chemicals in the water supply. It's like what were they thinking?

Speaker 1:

I know, it's chilling.

Speaker 2:

Like how close they came to actually hurting people.

Speaker 1:

And it wasn't an isolated incident. There was a German chemical plant that had a near miss in 2025 when ransomware messed up their cooling systems.

Speaker 2:

Oh, wow.

Speaker 1:

Putting a reactor at risk of overheating. Yikes. Yeah, these attacks can have real-world physical consequences.

Speaker 2:

So even if, like, nobody gets hurt immediately, the financial impact can be pretty enormous.

Speaker 1:

Oh, absolutely. Manufacturing firms lose an average of $4.2 million per day during an OT ransomware outage. Just look at what happened to JBS Foods in 2021. They had to halt 20% of their US meat processing.

Speaker 2:

Oh yeah, I remember that.

Speaker 1:

Yeah, led to nationwide shortages.

Speaker 2:

Yeah.

Speaker 1:

And I think you're right. The automotive industry is particularly vulnerable because their supply chains are so interconnected.

Speaker 2:

Yeah, like one little thing goes wrong and everything grinds to a halt.

Speaker 1:

Yeah, one encrypted server can bring production lines to a halt across multiple plants.

Speaker 2:

Really.

Speaker 1:

Yeah, it's a domino effect.

Speaker 2:

Oh, wow.

Speaker 1:

Imagine your new car being delayed because a hacker decided to target a part supplier on the other side of the world.

Speaker 2:

Oh man. Okay. So we've painted a pretty grim picture here: hackers exploiting IT/OT convergence, using phishing and lateral movement to get into these critical systems.

Speaker 1:

It is challenging.

Speaker 2:

The potential for safety risks and massive financial losses. Are we just sitting ducks at this point?

Speaker 1:

Not necessarily. There are definitely things companies can do to improve their OT security.

Speaker 2:

Okay, good.

Speaker 1:

Yeah, the key is to shift from being reactive to being proactive.

Speaker 2:

So instead of just, like, waiting for the attack to happen and then cleaning up the mess. Yeah, that's not a good strategy. No, it doesn't sound like it. We should be prepared.

Speaker 1:

Exactly, and one of the most effective ways to do that is network segmentation.

Speaker 2:

Okay, segmentation I think I've heard that term before, but I'm not really sure I understand what it means. Like, how does that work in practice?

Speaker 1:

Okay, so imagine your house has multiple rooms with doors.

Speaker 2:

Okay, yeah.

Speaker 1:

And if a fire breaks out in one room, you can contain it by closing the doors.

Speaker 2:

Right, yeah, preventing it from spreading to the rest of the house. Okay, so stop it before it spreads. Exactly.

Speaker 1:

Network segmentation works in a similar way.

Speaker 2:

Okay.

Speaker 1:

You divide your network into smaller, isolated segments.

Speaker 2:

Okay, so like little mini networks within the bigger network.

Speaker 1:

Exactly so. If one segment gets compromised, the damage is limited and the attackers can't easily move laterally to other parts of the network.

Speaker 2:

Okay, so it's like building firewalls inside your network. Precisely. Okay.

Speaker 1:

And the results are pretty impressive. There's this cybersecurity firm called Dragos. They specialize in industrial control systems. Okay, and they did some tests.

Speaker 2:

Uh-huh.

Speaker 1:

And they found that proper segmentation reduced the success rate of lateral movement by 89%.

Speaker 2:

Wow, 89%. That's a huge reduction.

Speaker 1:

Yeah, it's pretty significant.

Speaker 2:

But segmentation sounds kind of complex.

Speaker 1:

It can be.

Speaker 2:

And potentially expensive. Is it really realistic for every company to implement this?

Speaker 1:

It can be a significant undertaking, but the cost of not doing it can be far greater.

Speaker 2:

Right, pay now or pay later.

Speaker 1:

Exactly, and there are different levels of segmentation.

Speaker 2:

Okay.

Speaker 1:

So companies can start with a more basic approach and gradually enhance their defenses over time.

Speaker 2:

Okay, that makes sense. It's like building a security system in stages. Yeah, exactly. Okay, cool. So besides segmentation, what other proactive steps can companies take?

Speaker 1:

Another crucial element is continuous monitoring.

Speaker 2:

Okay.

Speaker 1:

You need to be able to spot suspicious activity on your OT network before it turns into a full-on attack.

Speaker 2:

Okay, so always be on the lookout, but wouldn't that create a ton of false alarms?

Speaker 1:

Yeah, it could.

Speaker 2:

How do you filter out the noise and focus on the real threats?

Speaker 1:

That's where AI and specialized tools come in. These tools can analyze OT-specific protocols, things like Modbus and DNP3, looking for anomalies that might indicate an intrusion, and they can be trained to recognize the normal behavior of your OT systems so they can quickly flag anything that deviates from the baseline.

Speaker 2:

So it's like having a security guard who knows the building really well and can immediately spot anything that's out of place.

Speaker 1:

Exactly.

Speaker 2:

Okay, cool. But what happens if an attack does get in despite all these precautions? What then?

Speaker 1:

Well, that's where resilient backups become absolutely essential.

Speaker 2:

Okay.

Speaker 1:

Having reliable backups of your critical OT systems, especially things like PLC configurations and HMI screenshots, can be a lifesaver.

Speaker 2:

Okay, so we're talking about backups of the control systems themselves, not just the data.

Speaker 1:

Right, and these backups need to be air-gapped.

Speaker 2:

Air-gapped. What's that?

Speaker 1:

It means they're completely isolated from the network.

Speaker 2:

Okay.

Speaker 1:

So they can't be encrypted or tampered with by the ransomware.

Speaker 2:

So it's like having a spare set of keys hidden away in a safe place just in case you lose your main set.

Speaker 1:

Perfect analogy.

Speaker 2:

Okay.

Speaker 1:

And it's a strategy that has proven to be effective.

Speaker 2:

Yeah.

Speaker 1:

We've seen cases where companies were able to recover from attacks in a matter of hours because they had solid offline backups.

Speaker 2:

Wow. Hours.

Speaker 1:

Yeah, like, for example, a European energy firm hit by LockBit ransomware was able to restore their SCADA systems in just eight hours using offline backups.

Speaker 2:

Eight hours. That's amazing. I mean, the industry average is what like 72 hours or more.

Speaker 1:

Yeah, something like that. Wow, big difference.

Speaker 2:

Yeah, huge difference. Speaking of recovery time, we talked earlier about phishing emails being a common entry point for attacks, and you mentioned that a surprising number of breaches actually originate from third-party vendors. Right, so what can companies do to manage that risk?

Speaker 1:

Vendor risk management is crucial. Okay, it's not enough to just secure your own network.

Speaker 2:

Right.

Speaker 1:

You have to make sure your partners and contractors are doing the same.

Speaker 2:

Makes sense. So like if you're going to hire someone to work on your house, you want to make sure they're insured.

Speaker 1:

Exactly. You wouldn't hire a contractor to fix your roof if they didn't have insurance, would you?

Speaker 2:

No, definitely not. So what are some best practices for, like, managing vendor risk?

Speaker 1:

Multi-factor authentication for all external partners is a must. It adds an extra layer of security to prevent unauthorized access, and something as simple as red-team tabletop exercises, where you simulate different attack scenarios, can dramatically reduce the success rate of phishing attempts. One study showed a 54% reduction in successful phishing penetrations after implementing MFA and tabletop exercises.

Speaker 2:

Wow. Okay.

Speaker 1:

Yeah.

Speaker 2:

That's great. It sounds like tabletop exercises are really effective ways to prepare for, like, the unexpected. Yeah, definitely. But this whole vendor risk thing got me thinking. It reminded me of when I hired a plumber a while back.

Speaker 1:

Oh yeah, what happened?

Speaker 2:

He was a great plumber, don't get me wrong. Okay, good, but he left his toolbox unlocked in my driveway while he was inside working.

Speaker 1:

Oh.

Speaker 2:

And I was thinking like what if someone just walked by and grabbed his tools?

Speaker 1:

Yeah.

Speaker 2:

It's crazy how often security is overlooked.

Speaker 1:

Yeah, especially in those everyday situations.

Speaker 2:

Exactly, and I feel like that's kind of a good analogy for this whole OT security thing.

Speaker 1:

It's not just about technology, it's about people and processes. Absolutely.

Speaker 2:

It's about awareness and vigilance. Right, and, like, thinking about security from all angles. Exactly.

Speaker 1:

Training your workforce to be aware of things like phishing scams, suspicious emails and social engineering tactics is absolutely crucial. Right, even the most sophisticated technological defenses can be bypassed if an employee accidentally clicks on a malicious link. It's like having a state-of-the-art security system but leaving the front door wide open. Exactly.

Speaker 2:

So training and awareness are key.

Speaker 1:

Absolutely.

Speaker 2:

Okay, so are there any like resources or organizations that companies can turn to for guidance on this whole OT security thing?

Speaker 1:

Yeah, definitely, organizations like CISA and the ISAT. 64443 standards provide a lot of valuable resources and frameworks for OT security. They offer best practices, guidelines, a wealth of information to help companies improve their defenses. But the key is to move beyond just reading about best practices.

Speaker 2:

Right, you've got to actually do it.

Speaker 1:

Yeah, exactly, action over words. It's like having a gym membership but never going to the gym.

Speaker 2:

Right, exactly. I think a lot of people are guilty of that one.

Speaker 1:

Yeah, but in this case we need to get away from this "it can't happen to us" mentality.

Speaker 2:

Okay.

Speaker 1:

With manufacturing facing a 56% annual ransomware attack rate.

Speaker 2:

Wow, 56%. That's over half.

Speaker 1:

It's clear that no one is immune.

Speaker 2:

Wow. So a healthy dose of paranoia is actually a good thing in this case.

Speaker 1:

Absolutely. Being proactive and vigilant is the best way to protect your OT systems and ensure the safety and continuity of your operations.

Speaker 2:

Right. It's not just about protecting data anymore. It's about protecting our critical infrastructure and, in some cases, even human lives.

Speaker 1:

Exactly.

Speaker 2:

Wow, that's pretty powerful.

Speaker 1:

Yeah, it is.

Speaker 2:

It really is. It's a lot to think about. What's the one thing you hope our listeners kind of walk away with today?

Speaker 1:

I think the big takeaway is that OT security it's like its own thing. You know it's not just an IT issue anymore.

Speaker 2:

Right.

Speaker 1:

We can't rely on the same old cybersecurity playbook. OK, we need to be proactive, think about the potential physical consequences and really create a layered defense system that's built for OT environments.

Speaker 2:

So it's not just about data, it's about protecting, like, our world, the real physical world.

Speaker 1:

Exactly, and you know these systems are so interconnected, they affect our everyday lives in ways we don't even realize.

Speaker 2:

Yeah, that's true.

Speaker 1:

I mean, think about it the electricity that powers your house, the water you drink, the food you eat, the transportation systems. All of these things are controlled by industrial systems that are potentially vulnerable.

Speaker 2:

That's kind of scary when you put it like that. Makes me think, like, what seemingly ordinary system do I rely on that could be affected by this? My coffee maker. Yeah, the traffic lights on my way to work.

Speaker 1:

Right, it's all connected and that's why it's so important to understand.

Speaker 2:

Yeah.

Speaker 1:

We need to be aware of the risks, we need to be having these conversations and we need to be pushing for better security practices at every level.

Speaker 2:

Well said, and for our listeners, who are, you know, interested in learning more about this, we'll include some additional resources in the show notes.

Speaker 1:

Yeah, good idea.

Speaker 2:

Organizations like CISA, Dragos and Claroty are all great places to start.

Speaker 1:

Absolutely. Knowledge is power and in this case, it can help protect our critical infrastructure.

Speaker 2:

Couldn't agree more. Well, that's all the time we have for today's deep dive on ransomware and industrial systems.

Speaker 1:

Great discussion.

Speaker 2:

We covered a lot, but hopefully you now have a better understanding of the risks and what can be done to, you know, mitigate them.

Speaker 1:

Yeah, absolutely.

Speaker 2:

Thanks for joining us and until next time, stay curious, stay informed and stay safe. This podcast is supported by OTSET EU cohort.