Preparing for and detecting ransomware attacks in OT environments

Defense in Depth strategies - part 7 - Security Architectures

It is increasingly the small and medium-sized businesses with OT environments that fall victim to ransomware attacks. The reason for this is that SMEs often don’t consider themselves to be a potential attack target and, as a result, downplay the importance of having a robust OT cybersecurity policy in place.

According to a study quoted by Dragos, in 2021 there were more than 4000 confirmed ransomware incidents and 70% of them were aimed at businesses with less than 500 employees.

A conclusion can be drawn that the rogue actors have realised that the big companies have spent a lot of resources and are well prepared to defend their OT environments, and as a result the criminals are targeting the smaller companies. Reportedly there are ransomware groups that specialise in SMEs.

People, Processes and Technology

For a successful defense against ransomware in industrial settings, it is essential to consider elements related to human factors, operational procedures, and technological solutions.


To recognise a ransomware attack and react to it efficiently, IT and OT teams need to be trained to do just that. As historically there is a chasm, or at least a lack of trust, between these two groups, the two teams should understand each other’s roles and responsibilities in order to ensure an appropriate response during a cyber incident.

As part of staff training, selected staff members have to be appointed to key roles in the incident detection scheme, so that they are able to notice signs of abnormal or unusual system functioning. These key staff would have an in-depth knowledge of the day-to-day operations of the system. They will also be the same people who play a key role in the system recovery process.

When thinking of people, one shouldn’t narrow oneself to the company’s employees only. Vendors and third-party consultants are valuable assets and can help to minimise the impact of an attack, speed up the recovery process, and advise on root causes and on how to prevent similar incidents from recurring.


Planning for visibility and security

All contemporary IT and OT solutions have to be designed with cybersecurity in mind and not implemented as an afterthought to a design. Not only is it difficult to fit cybersecurity solutions retroactively into a system – it might also be very impractical and costly.

For legacy systems and systems already in operation, review the architecture in place.

Inventory and baseline

Make an inventory of your OT environment assets (including model types, current firmware versions, etc.) and establish a network profile that will act as a baseline. Comparing actual activity in the environment against this baseline helps to identify any unusual system behaviour.
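As an added example (not from the article or the Dragos whitepaper), the following Python sketch compares flows observed on an OT segment against a constructed asset inventory and baseline communication profile, and explains why each deviation is worth a look; all addresses, roles, ports and flows are constructed sample data.

```python
from collections import namedtuple

# A flow as a passive sensor on a SPAN/mirror port would summarise it.
Flow = namedtuple("Flow", "src dst port proto")

# Constructed asset inventory (IP -> role); a real one also holds model and firmware version.
INVENTORY = {
    "10.10.1.10": "engineering workstation",
    "10.10.1.20": "HMI",
    "10.10.2.30": "PLC-A",
    "10.10.2.31": "PLC-B",
}

# Constructed baseline profile: the flows seen during normal operation.
BASELINE = {
    Flow("10.10.1.20", "10.10.2.30", 502, "tcp"),    # HMI polls PLC-A (Modbus/TCP)
    Flow("10.10.1.20", "10.10.2.31", 502, "tcp"),    # HMI polls PLC-B
    Flow("10.10.1.10", "10.10.2.30", 44818, "tcp"),  # workstation programs PLC-A (EtherNet/IP)
    Flow("10.10.1.10", "10.10.1.20", 445, "tcp"),    # workstation pushes project files to HMI (SMB)
}

def classify(flow, baseline, inventory):
    """Return why a flow deviates from the baseline, or None if it is expected."""
    if flow in baseline:
        return None
    if flow.src not in inventory:
        return "source not in asset inventory"
    if flow.dst not in inventory:
        return "destination outside asset inventory"
    if any(b.src == flow.src and b.dst == flow.dst for b in baseline):
        return "new port/protocol between baselined peers"
    return "new communication between inventoried hosts"

def check_flows(observed, baseline=BASELINE, inventory=INVENTORY):
    """Return [(flow, reason)] for every observed flow the baseline does not cover."""
    results = ((f, classify(f, baseline, inventory)) for f in observed)
    return [(f, r) for f, r in results if r is not None]

# Constructed sample of flows observed on the OT segment during one interval.
OBSERVED = [
    Flow("10.10.1.20", "10.10.2.30", 502, "tcp"),      # normal HMI poll: matches baseline
    Flow("10.10.1.10", "10.10.1.20", 3389, "tcp"),     # RDP between hosts that only share SMB in baseline
    Flow("10.10.1.20", "10.10.1.10", 445, "tcp"),      # HMI opening SMB back to the workstation
    Flow("10.10.1.20", "203.0.113.45", 443, "tcp"),    # HMI reaching an address outside the inventory
    Flow("10.10.9.99", "10.10.2.31", 502, "tcp"),      # unknown device polling PLC-B
]
```

Each finding carries a reason so that the operations staff described above can quickly judge whether it is a planned change (and the baseline should be updated) or a sign of an intrusion in progress.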

Crown Jewel Analysis

Identify system components critical to the functioning of the operations and give them additional protection by applying security-enhancing architecture measures such as appropriate network segmentation, security monitoring, and endpoint and network management.

The Collection Management Framework

The CMF is a database of various data sources, the length of time those sources will be retained, and how the data can be utilized to monitor security, respond to incidents, and hunt for threats. This information can then be used to effectively carry out a threat hunt to uncover malicious activities already taking place in the network.

Backups and gold images

Developing fault-proof backup and restoration plans for data and systems based on operational risk and business requirements will significantly decrease the amount of time needed to recover from a ransomware attack.

OT-specific Incident Response Plan (IRP)

As the OT environment differs from the IT environment, it should have its own, dedicated IRP in place.

Once an Incident Response Plan (IRP) is crafted, it needs to be practiced, examined, and confirmed before a crisis occurs. This is most effectively done through a tabletop drill, where a simulated incident is used to talk through how the IRP would be put into effect. Additionally, assessing the forensic collection tools and approaches is a necessary step, which can be done during downtime or in cooperation with operating staff. These procedures can then be included in future tabletop drills.


In order to be fully armed against a potential cyber-attack, an enterprise should have technology in place that allows it to collect and aggregate data, monitor network traffic, alert and notify SOC or ICS staff of potentially malicious activity, and provide for effective incident response.

Further technology-related aspects of a robust OT environment could include:

Timely application of updates, patches and mitigations to applications and operating systems to neutralise known vulnerabilities.

Preventing users from installing and running applications that can jeopardise business operations (e.g., Java, add-ons, or browser extensions).

Limiting the number of accounts with administrative privileges.

Implementing multi-factor authentication for all remote access methods and for critical or sensitive resources.

About this article
This article was prepared based on a Dragos whitepaper available here.
