How to safeguard your OT during the ‘ransomware pandemic'

The changing face of ransomware

Jason A Haward-Grau

Jason A Haward-Grau

Principal, Advisory, Cyber Security Services, KPMG US

+1 713-304-0044

Hemal Shah

Hemal Shah

Principal, Advisory | Cyber Security Services, KPMG US

+1 214-601-8198

Cybercriminals have transformed from amateur hackers into sophisticated “ransomware-as-a-service” professionals. As ransomware attacks have evolved, so has the collateral damage. In the past the impact of ransomware was typically limited to core infrastructures but today operational technology (OT) systems are also within reach. OT-focused enterprises traditionally were not designed with cyber security in mind, instead focused on safety, reliability and durability. A recent well-publicized cyber-attack on an oil & gas pipeline highlighted the new reality and the need to look to fold ransomware defenses into OT.

The FBI reported that in 2020, nearly 2,400 U.S.-based companies, local governments, healthcare facilities and schools were victims of ransomware.1 What’s more, the global cost of ransomware in 2020, including business interruption and ransom payments, ranged from $42 to $170 billion.2

Businesses need to harden defenses

Below are some recommendations that organizations, regardless of industry or market, can consider adopting to strengthen their OT ransomware defenses:

Develop a Ransomware response plan: Traditional incident response plans are no longer sufficient. Ransomware requires specialized processes and business decisions. For example:

  • What containment options are available and who has authority to pull the plug if needed?
  • Do you pay or not pay? Can you pay? How do you pay?
  • How do you coordinate with cyber insurance and other third parties?
  • How do you validate backups are clean?
  • How do you decrypt at scale? How do you recertify active directory before bringing systems back online? Are there specialized processes that need to be followed to recover certain applications to technologies?

These are all areas that KPMG is proactively working with many organizations to develop what we call a “enterprise-wide ransomware strategy”. Then once this is memorialized, we work with stakeholders to inform them of their roles through facilitation of tabletop and adversary simulations, to help refine the plan and practice.

Implement a least privileged access model: The majority of successful ransomware attacks are due to compromised privileged credentials. This is no different in the OT space, though the challenges can be more substantial due to the legacy environment. Enable security controls for non-human privileged credentials and remove standing privileged access where possible, that could unnecessarily expose IT and OT devices to ransomware by any user (including third party vendors) or non-human identities (e.g., Service accounts). This includes multifactor management controls. The principle of least privileged should be prioritized in taken preventative controls measures against ransomware and other cyber threats.

Implement detective controls: Install real time and detective controls that look for anomalies in individual and shared accounts as well as applications and services, particularly those with elevated privileges to modify any system(s). Also, leverage hunting techniques in the OT environment looking for bad often unearths other challenges, e.g. relaxed configurations or ladder logic. In almost every case of a cyber-attack, there were reconnaissance activities by the malicious attacker that could have been spotted if the right tools, and capabilities (including regular human monitoring) had been put in place, in the OT environment there are only so many places (like an engineering workstation) for a malicious attacker to put a hacking toolkit.

Develop a cyber risk vulnerability assessment program: This will help you understand the degree of cyber risk that your organization is facing. Looking to identify vulnerabilities, in close to real time and, given the challenge of patching in the OT space ensure robust mitigation actions are in place to manage the risk. In mature programs we see organizations extend this capability into tracking botnet activity that are often precursor to ransomware activity, as well as monitoring the darkweb. In tandem developing an effective ongoing asset inventory that is consolidated and visible to the Security organization for OT. This allows for risk analysis based on the critical processes which are most vulnerable to cyber-attack, and will help you plan where you need to harden your defenses.

Bolster your third-party vendor security: Third-party vendors are increasingly used in both the IT and OT space. In Industrial Control Systems (commonly called OT) most companies rely on large control system vendors to provide and manage the OT devices within their network and the environment is often opaque to the owner as they are proprietary in nature so understanding the environment is key and how your third parties are securely managing it, on your behalf. As these organizations could be a potential bridge into your network, the traditional security review that procurement does every few years when a contract’s up for renewal is generally no longer sufficient. You need to understand:

  • Which vendors you’re doing business with?
  • What they're actually doing for you?
  • How they're accessing your IT and OT systems?
  • Are your security standards extended to them?

Take action before it happens

KPMG has been at the forefront of ransomware incidents for many years and we have developed extensive cyber security experience in the OT space bringing these disciplines together to assist clients in mitigating OT risks, and if needed, help rapidly respond and recover when incidents occur. It’s critical to design and implement a better, stronger cyber security program now, with both preventative and detective capabilities and a response plan of action. We also recommend organization to routinely test these capabilities and plans.


  1. How To Stop Ransomware Attacks? 1 Proposal Would Prohibit Victims From Paying Up, (May 13, 2021)
  2. Ibid