Last month, InfraGard and the Secret Service held a ransomware summit in Dallas. Accudata’s Senior Assessment & Compliance Consultant Joe Juchniewicz attended, and I recently sat down with Joe to learn the key takeaways. Here’s Joe’s top 10:
- Don’t pay!!!!
- See if the attacker used an older version that has already been decrypted. See Kaspersky’s Ransomware Decryptor.
- If possible, try to review the ransomware code to see if the attacker mis-coded it and the decrypted key is in the message. See No More Ransom!
- Take all infected systems offline for cleanup or to restore images.
- Limit the use of Admin accounts within the environment. The use of a privileged identity management tool could assist in restricting administrator access.
- Use firewalls, Access Control Lists (ACLs), and VLANs to limit the movement of malware to other shared systems/files within your network. In addition, institute the concept of least privilege for file, directory, and network share permissions.
- Make sure backups are performed on a regular basis and are properly secured. Use a third-party tool to assist in creating fast, but usable backups.
- Make sure your backups are good and stored offline. To check the integrity of the backups, try to reload random systems to ensure they load quickly and correctly.
- Educate your employees on not opening unknown emails or attachments.
- If needed, call in the authorities: Cyber Task Force, US Secret Service, Electronic Crimes Task Force, Internet Crime Complaint Center.