Powering Strong Communities

White House memorandum outlines best practices to protect against ransomware

The Biden Administration on June 2 issued a memorandum to corporate executives and business leaders that outlines the U.S. government’s recommended best practices to guard against the threat of ransomware.

The memo was sent by Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology.

“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” she wrote. “To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”

The memo outlines several steps that should be taken now to address the threat of ransomware.

First, it recommends implementing the five best practices from President Biden’s Improving the Nation’s Cybersecurity Executive Order.

Second, the memo recommends backing up data, system images, and configurations, regularly testing them, and keeping the backups offline. “Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.”

It also recommends updating and patching systems promptly. This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. “Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.”

Testing of incident response plans should also occur. “There’s nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?”

In addition, the memo highlights the need to check a security team’s work and recommends using a third party to test the security of systems and the ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors, the memo notes.

The memo also recommends segmenting networks. “There’s been a recent shift in ransomware attacks – from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure Industrial Control System (ICS) networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.” 

Ransomware is a very familiar threat to the public power segment of the industry and APPA held a webinar on April 21 of this year, with the Cybersecurity and Infrastructure Security Agency. The slide deck and the recording can be accessed here. Additionally, the Electricity Information Sharing and Analysis Center (E-ISAC) in February of this year released a report labeled Ransomware Trends for Utilities and APPA encourages public power utilities to review this resource.

APPA continues to stress the importance of public power utilities joining the E-ISAC for timely and actionable sharing of threats to the electricity subsector. Currently, the E-ISAC is specifically designing a portal and report for small and medium sized public power and cooperative utilities.  To learn more about the E-ISAC and how to join, visit the E-ISAC website or contact E-ISAC Member Services or the public power address below.

Any questions can be directed to: [email protected].