Skip to main content
The Dragos Blog

11.22.21 | 4 min read

Assessing Ransomware Risk in IT and OT Environments

Dr. Tom Winston

Ransomware has become a prevalent form of attack on a multitude of industrial sectors in the last year. According to Dragos threat intelligence and other accounts, manufacturing organizations have been hit the hardest by ransomware – with a ratio of almost two to one when compared with other industries. During the last six months, ransomware actors have ransomed many manufacturing organizations, including Molson Coors, Honeywell, JBS, and Colonial Pipeline.

In the first half of 2021, the average remediation cost of ransomware cyber attacks reached approximately $1.85 million. This includes downtime, people hours, device costs, network costs, lost opportunities, ransom paid, etc.

Industrial organizations and governments are struggling to get their hands around this increasingly complicated cybersecurity issue. This blog presents a new way to look at the ransomware problem using complex systems analysis and advanced mathematics.

There has been little research to date that looks at the ransomware problem from this viewpoint. We examine the approach more fully in the Dragos whitepaper, “A Risk Assessment for Ransomware Prevention in Operational Technology Environments.”

What is Ransomware?

Ransomware creates unusable file systems and can halt processes, stop production, disrupt distribution, and cause weeks-long headaches for victims. The goal is to extort money from victims by denying access to their file systems and requiring payment to regain control of processes.

Ransomware techniques are varied but have common themes in accessing IT and operational technology (OT) infrastructure through known vulnerabilities. Ransomware actors capitalize on a perfect storm of antecedent conditions:

  • Weak boundaries between OT and IT
  • Poorly understood interactions between systems in OT
  • Poorly understood interactions between systems of systems between enterprise IT and OT
  • Remote access schemas put in place to serve work-from-home pandemic needs

Once the threat actors achieve initial access to the organization’s critical systems, they execute other programs to gain a foothold to move laterally to other connected systems. Best practices and better defense-in-depth architecture have proven ineffective against the blended approaches ransomware actors employ.

Ransomware victims have very difficult decisions to make in short order: How do we restore operations? How can we quickly and easily stop the money hemorrhage? How can we keep our shareholders happy? These are among the myriad questions facing ransomed organizations.

In some cases, organizations have paid the ransoms only to find that their systems don’t function properly even after the decryption keys are released and the systems are restored.

Ransomware Risk Analysis Compared to Cost to Reduce Risk

Organizations must consider the cost of actions to reduce ransomware risk compared to the cost of recovering from a ransomware attack. The cost of reducing risk can be substantial, but an even greater cost is the risk of losing days, weeks, or potentially months of manufacturing, distribution, and delivery.

Organizations are faced with a complex system optimization problem balancing the up-front cost of security controls, implementation, and cyber hygiene against exposure to ransomware attack vectors (unpatched vulnerabilities) with the potential cost of ransoms.

The activities to reduce risk can be substantial and include:

  • Security controls: defense-in-depth methodologies such as segmented networks and establishing a clear understanding of how OT and IT interact
  • Implementation: auditing, secure access controls, secure remote access controls, updated software and hardware across both IT and OT spectra
  • Cyber hygiene: strategic security plan to adjust to changing needs of the organizational IT and OT

Given this scenario, assessing ransomware risk is a perfect fit for complex systems analysis.

How Do I Assess Ransomware Risk with a Complex Systems Approach?

Complex systems are intrinsically difficult to model due to the dependencies, competitions, relationships, or other types of interactions between their parts or between a given system and its environment. This research proposes that ransomware is successful due to a lack of understanding of how complex systems interact with other complex systems.

The study of complex systems regards collective behaviors as the fundamental object of study, rather than looking at their constituent parts and the individual interactions between them. At its core, complex systems analysis considers how systems with many components (abstract or real) interact with other systems and their components.

Most complex systems have three to seven characteristics that define them. These are explored fully in the Dragos whitepaper as they relate to the complex systems of IT and OT operations and other variables and features. We can break the complexity for this research down into four categories: IT, OT, Access Control, and Auditing.

Complex systems analysis is relevant to ransomware prevention because it considers how these systems interact. A complex equation for security might look like this, for example:

F(S)=[(s(IT) s(OT) s(AC) s(AU))]

The functions of the security of IT, OT, Access Control, and Auditing comprise the F(S) or the function of security. It instructs the reader on how to create a generalized formula for each function, and references thought leaders in complex systems theory.

Each variable x1+x2+x3…xn represents a measure taken to improve the organization’s cyber defense posture. There can be any number of such measures and a measure can mean a patch, a configuration, a detection, or any measure taken to secure an infrastructure.

This mathematical approach to solving the ransomware problem is not a “silver bullet” but it aims to describe a security system using complex systems analysis as the foundation. It further creates a more comprehensive understanding of the variables, their interconnectedness, and a potential approach for multiplicatively solving the problem.

Understanding the Results

You may be startled by the results of simulating your operations in this model. Because even in relatively well-secured environments, this risk assessment method yields low numbers – meaning, not well prepared.

This mathematical approach puts weight on the value and necessity of measuring the usefulness of assets that perform security functions in a given environment. More work is needed in the measuring of security implementation artifacts and tweaking the formula to determine “overall security.”

This is by no means a fail-safe measurement tool for “absolute security,” and generally speaking, absolute security is unattainable in the majority of contexts. Understanding asset management and the security posture of each asset taken separately or as a whole is the strength of this approach.

Regardless of your results, improving the visibility of OT assets, reviewing the architecture of IT and OT networks, and conducting tabletop exercises to practice responding to ransomware attacks will help safeguard your operations.

Learn more about this new methodology to analyze risk in your industrial environment in the free whitepaper from Dragos or contact us about building the cybersecurity strategy that’s right for your organization.

CTA Image
< class="mini-cta__header heading--3"> Prevent Ransomware in your OT Environment
Assess cybersecurity risk with a new methodolgy designed by Dragos.

Ready to put your insights into action?

Take the next steps and contact our team today.