Claroty researchers found 6 critical vulnerabilities in a third-party software component that could be exploited to take over industrial control systems. To exploit the flaws, an attacker would first have to phish or socially engineer victims to lure them to a site the attacker controls.
Claroty researchers found 6 critical #vulnerabilities that could be exploited to take over industrial control systems – more details from @LindseyOD123 in @threatpost: https://t.co/Y1tiEIGiVG
— Claroty (@Claroty) September 9, 2020
The networks for critical infrastructure systems are particularly at risk because they are old and fragile. Taking down oil & gas, telecommunications, transportation, and electricity networks has long been a priority for nation-states and hacking groups. It would be foolish to have a false sense of security and assume that defenders are stopping attacks any more efficiently today than they were a few years ago. Ransomware is an especially prevalent attack vector for ICS companies. In fact, earlier this year we launched a honeypot to analyze the tactics, techniques, and procedures used by state-sponsored groups and cybercrime actors to target critical infrastructure providers. The honeypot was built to look like an electricity company with operations in Europe and North America.
We identified multiple attackers executing ransomware operations involving data theft, the stealing of user credentials, and lateral movement across the victim's network to compromise as many endpoints as possible. This included critical assets such as the domain controllers, which took anywhere from several minutes to several hours to properly infiltrate. Ransomware capabilities were deployed early in the operation but were not immediately detonated. The ransomware was designed to detonate only after the preliminary stages of the attack had finished across all compromised endpoints, in order to achieve maximum impact on the victim. This operational pattern attempts to impact as many victim assets as possible and therefore represents a higher risk to organisations than ransomware that only affects the single machine it initially lands on. However, the same pattern is also an opportunity for defenders: an organisation with a rapid detection and response process can spot the attack in its early stages (credential theft, lateral movement) and respond effectively before the ransomware is able to impact the environment.
Critical infrastructure providers want to minimise the mean time to response, so it is critical to establish cyber incident response tools and procedures across both the IT and OT networks. Minimising damage and preventing an ICS network from being taken offline is essentially the cat-and-mouse game played by attackers and defenders, and organisations reduce risk by minimising the time it takes to respond to a threat. In addition, organisations should establish a unified security operations center and workflows across both IT and OT environments, because attackers will likely try to use the IT environment as a gateway into the OT environment, where the real damage can be done.
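The staged pattern described above (credentials stolen, then one host fanning out to many endpoints, with detonation only hours later) is exactly what gives a SOC its window to act, and the point about mean time to response depends on catching that fan-out quickly. The following is an added example, not code from the honeypot or from Claroty: a small detector that reads constructed authentication and encryption events (the log lines, host names and the `svc_backup` account are all made up for illustration) and flags any source host that reaches a threshold number of distinct destinations within a sliding time window, then measures how long before the first detonation event that alert would have fired.

```python
"""Early-stage ransomware detection on constructed log lines (added example).

Flags lateral-movement fan-out: one (source host, account) pair authenticating
to many distinct endpoints inside a short window, which in the staged pattern
described above precedes detonation by minutes to hours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <event> src=<host> dst=<host> user=<account>".
# These are illustrative lines, not data from any real environment or honeypot.
SAMPLE_LOGS = [
    "2020-09-09T10:00:05 logon src=ws-17 dst=ws-22 user=svc_backup",
    "2020-09-09T10:01:10 logon src=admin-pc dst=dc-01 user=jsmith",
    "2020-09-09T10:01:40 logon src=ws-17 dst=ws-23 user=svc_backup",
    "2020-09-09T10:02:55 logon src=ws-17 dst=dc-01 user=svc_backup",
    "2020-09-09T10:04:20 logon src=ws-17 dst=ws-24 user=svc_backup",
    "2020-09-09T10:05:00 logon src=admin-pc dst=ws-30 user=jsmith",
    "2020-09-09T10:06:30 logon src=ws-17 dst=ws-25 user=svc_backup",
    "2020-09-09T12:30:00 encrypt src=dc-01 dst=dc-01 user=svc_backup",
]


def parse(line):
    """Turn one log line into a dict with a datetime 'ts', an 'event' name and the key=value fields."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def lateral_fanout_alerts(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per (src, user) that reaches >= threshold distinct hosts within `window`.

    Each alert records the moment the threshold was crossed ('detected_at'), which is
    the earliest time a SOC could have acted on this signal.
    """
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "logon":
            by_actor[(e["src"], e["user"])].append(e)

    alerts = []
    for (src, user), evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({
                    "src": src,
                    "user": user,
                    "hosts": len(hosts),
                    "targets": sorted(hosts),
                    "detected_at": evs[end]["ts"],
                })
                break  # one alert per actor is enough for triage
    return alerts


def detection_lead_time(lines, **kwargs):
    """Minutes between the first fan-out alert and the first 'encrypt' (detonation) event.

    Returns None if either is absent. A positive value is the response window
    defenders would have had before impact.
    """
    alerts = lateral_fanout_alerts(lines, **kwargs)
    detonations = [e["ts"] for e in map(parse, lines) if e["event"] == "encrypt"]
    if not alerts or not detonations:
        return None
    first_alert = min(a["detected_at"] for a in alerts)
    return (min(detonations) - first_alert).total_seconds() / 60


if __name__ == "__main__":
    for alert in lateral_fanout_alerts(SAMPLE_LOGS):
        print(f"ALERT {alert['src']}/{alert['user']} reached {alert['hosts']} hosts "
              f"by {alert['detected_at']}: {alert['targets']}")
    print(f"lead time before detonation: {detection_lead_time(SAMPLE_LOGS)} minutes")
```

On the constructed data the `ws-17`/`svc_backup` pair trips the threshold at the fifth distinct host, while the two-host `admin-pc` activity stays quiet, and the alert lands well over two hours before the encryption event. The window and threshold are deliberately parameters: in a real IT/OT estate they should be tuned per network segment, since engineering workstations and jump hosts legitimately touch many controllers and would otherwise drown the signal.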