Recent ransomware attacks and the release of the new cybersecurity Executive Order from the Biden Administration foreshadow increased scrutiny for companies managing critical infrastructure and personal data.
Attacks like the one suffered by Colonial Pipeline bring profound real-world implications: millions of people without services, millions lost in revenue, reputations tarnished, general societal chaos and dysfunction, and attackers who were paid and free to hit other targets. Ransomware attacks have consistently increased in sophistication and volume for more than seven years. Many private and public organizations, small and large, have been victims of such attacks, resulting in payouts averaging $1.45M per incident.
And yet, companies continue to underestimate the risk of cyberattacks, especially ransomware. So why isn’t ransomware a top priority for everyone? A previous audit of Colonial Pipeline showed severe security posture flaws, and one researcher said, “an eighth-grader could have hacked into that system.”
The recent Executive Order on Improving the Nation’s Cybersecurity and more stringent privacy laws such as GDPR and CPRA are going to make the ramifications of data theft interesting.
Norsk Hydro’s response to a ransomware attack in 2019 was a model of change that showed a deep desire to learn, improve, and — most importantly — protect the data that the company had in its trust. They used their attack to rebuild their network security from the ground up using zero trust architectures that connect users to applications directly and limit lateral movement across systems by monitoring workflows across different cloud deployments.
Will Colonial Pipeline follow suit?
What have we learned from the Colonial attack?

It wasn’t a targeted attack on the Industrial Control Systems (ICS) or Operational Technology (OT). Unlike the Saudi Aramco attack of 2017, this attack has no indications that it caused physical damage to the pipelines or injured plant operations personnel. This is most likely an attack that locked up the IT systems that managed operational inventory and logistics.
Paying the ransom is not going to restore your operations in time. A well-planned and tested backup and restore strategy can save the day. Paying the ransom only encourages more attacks. An 81-page urgent action plan delivered to the White House in April 2021 by a public-private task force noted that enriching ransomware criminals only fuels more global crime, including terrorism.
Insurance companies are starting to exclude ransom payments. In an apparent industry first, the global insurance company AXA recently said it would stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals (and then AXA was promptly hit with a ransomware attack).
The US government is finally taking notice. The new Biden Administration executive order requires organizations to go beyond the compliance-based approach. “Within 60 days of the date of this order, the head of each Federal agency shall … develop a plan to implement Zero Trust Architecture.”
Prevention is a lot less expensive than mitigating the attack aftermath. It is easy to see that the loss of revenue from unplanned downtime far exceeds any investment in defending against such attacks.

Why was Norsk Hydro’s response to a ransomware attack the gold standard?
Ransomware attacks can be mitigated and prevented. Companies like Norsk Hydro have dealt with such attacks in the past and shared the wisdom with the world. What did they do?

Norsk Hydro did not pay the ransom.
The company went public with the news of the attack and was transparent about its response plan.
The company reported the attack to authorities and worked closely with the security industry to prevent attacks on other companies.
Norsk Hydro used the opportunity to rebuild, redesign, and strengthen its security and infrastructure.
The company is not in denial about the likelihood of future attacks.

Even with the best planning, the reality of a successful attack is much more difficult. For example, Norsk Hydro couldn’t use any of its printers to print safety procedures for plant staff.
“Had Hydro not already moved communications to a managed cloud service like O365, the situation would have been more grave,” said Norsk Hydro’s Chief Financial Officer, Eivind Kallevik.
What should your organization do to plan and prevent ransomware attacks?
Assess the business risk of your IT and OT architecture and reduce your attack surface:

Don’t go directly into ICS threat monitoring without analyzing the entire attack surface.
Ask the right questions when assessing your security posture. Do you have a flat network? Are your IT and OT networks sharing the same resources (e.g., domain controllers)? Do your IT security solutions from different vendors natively work together (like your secure web gateway integrating with your endpoint security and SIEM solution) to break the kill chain?
Consider extending zero trust to your OT environments. Attackers cannot get to systems they cannot see on the open internet.

Air-gapped OT networks do not serve the business needs:

Allow internet access for ICS workstations through browser isolation. ICS employees with two laptops can create complexity that leads to security issues.
Replace VPNs with zero trust network access (ZTNA) using a software-defined perimeter approach for remote access to your OT systems.

Apply segmentation:

Segment the control, management, and IIoT sensor networks in OT environments.
Don’t aim for full micro-segmentation, as there is not enough downtime on the OT network to implement it. Protecting the intersection of OT and IT will yield the most benefits.

Use the cloud to your advantage:

Learn from Norsk Hydro's experience and move as many functions into the cloud as possible. This allows for a faster recovery and better protection of critical systems.
Secure Access Service Edge (SASE)-based security implementation is an easy way to reduce your ICS network’s attack surface and complexity.

In the SolarWinds attack, an intern’s weak internal password for privileged software led to the massive breach of thousands of enterprises and government organizations, jeopardizing national security. The shared passwords used in the water processing plant in Oldsmar risked the lives of an entire city.
The recent executive order demonstrates a commitment to improving the security posture of the United States’ critical infrastructures. Since private companies manage much of that, one would hope the order extends to them as well.
The actions of companies handling critical infrastructure affect millions of people. Companies responsible for critical infrastructure must use the best security practices in order to ensure public safety and well-being.
Read more about the realities of ransomware here.
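The "Ask the right questions" checklist (flat network? shared domain controllers?) and the segmentation advice above both come down to one verifiable question: does traffic cross the IT/OT boundary, or the boundaries between the control, management and IIoT sensor networks, in ways the zone plan never allowed? The following Python audit is an added example, not code from the original article or from Norsk Hydro or Colonial Pipeline. The zone names, CIDR ranges, allow-list, log format and flow records are all constructed for the demonstration; a real audit would load zones from the network design and flows from a firewall or NetFlow export.

```python
"""Cross-zone flow audit for a segmented IT/OT network (constructed example)."""
import ipaddress
from collections import Counter

# Constructed zone plan: the OT control, management and IIoT sensor networks are
# segmented from each other and from the corporate IT network, with a DMZ that
# brokers the few services IT and OT legitimately share.
ZONES = {
    "it_corp":      ipaddress.ip_network("10.10.0.0/16"),  # corporate IT, domain controllers
    "ot_control":   ipaddress.ip_network("10.20.0.0/24"),  # PLCs, HMIs
    "ot_mgmt":      ipaddress.ip_network("10.20.1.0/24"),  # engineering stations, historian
    "iiot_sensors": ipaddress.ip_network("10.20.2.0/24"),  # sensor gateways
    "dmz":          ipaddress.ip_network("10.30.0.0/24"),  # brokered IT<->OT services
}

# Permitted cross-zone flows as (src_zone, dst_zone, dst_port). Any other flow
# that crosses a zone boundary is reported; traffic that stays inside one zone
# is out of scope for this check. Ports are assumed values for the example.
ALLOWED = {
    ("ot_mgmt", "ot_control", 502),     # engineering station -> PLC (Modbus/TCP)
    ("iiot_sensors", "ot_mgmt", 8883),  # sensors -> broker/historian (MQTT over TLS)
    ("ot_mgmt", "dmz", 443),            # historian replication into the DMZ
    ("it_corp", "dmz", 443),            # IT users read dashboards from the DMZ
}


def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if no zone covers it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def audit(lines):
    """Return every flow that crosses a zone boundary without an allow-list entry."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic: segmentation policy does not apply
        if (src_zone, dst_zone, flow["port"]) not in ALLOWED:
            violations.append({**flow, "src_zone": src_zone, "dst_zone": dst_zone})
    return violations


def summarize(violations):
    """Count violations per (src_zone, dst_zone) pair to show where segmentation leaks."""
    return Counter((v["src_zone"], v["dst_zone"]) for v in violations)


# Constructed flow log. Records 2, 4 and 7 are the deliberate problems: an IT
# workstation reaching a PLC directly, a sensor gateway talking LDAP to an IT
# domain controller (the shared-resource question), and RDP from IT into OT.
SAMPLE_FLOWS = """\
2021-05-10T08:00:01Z 10.20.1.15 10.20.0.7 502 tcp
2021-05-10T08:00:02Z 10.10.4.22 10.20.0.7 502 tcp
2021-05-10T08:00:03Z 10.20.2.40 10.20.1.9 8883 tcp
2021-05-10T08:00:04Z 10.20.2.41 10.10.0.5 389 tcp
2021-05-10T08:00:05Z 10.10.4.22 10.30.0.10 443 tcp
2021-05-10T08:00:06Z 10.20.0.7 10.20.0.8 502 tcp
2021-05-10T08:00:07Z 10.10.4.22 10.20.1.9 3389 tcp
""".splitlines()

if __name__ == "__main__":
    found = audit(SAMPLE_FLOWS)
    for v in found:
        print(f"{v['ts']} {v['src_zone']}->{v['dst_zone']} "
              f"{v['src']}->{v['dst']}:{v['port']} not permitted")
    for (s, d), n in summarize(found).items():
        print(f"{s} -> {d}: {n} flow(s)")
```

Running the script on the constructed log reports three cross-zone flows that the plan never permitted. The design choice worth noting is the explicit allow-list: rather than trying to enumerate bad traffic, the audit assumes every boundary crossing is suspect unless the zone plan names it, which is the same posture the article's zero trust recommendation takes, and the per-pair summary points straight at the IT/OT intersection the article says is worth protecting first.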