Ransomware continues to pile on costs for critical infrastructure victims

Costs associated with ransomware attacks on critical national infrastructure (CNI) organizations skyrocketed in the past year. According to Sophos' latest figures, released today, the median ransom payments rose to $2.54 million – a whopping 41 times last year's sum of $62,500. The mean payment for 2024 is even higher at $3. …

  1. Will Godfrey Silver badge
    Facepalm

    How many times do we have to say it?

    Get critical stuff off the Internet. In the long run it will actually be cheaper to have more people on site for control operations.

    1. Claptrap314 Silver badge

      Re: How many times do we have to say it?

      I have a cousin who is also a sysadmin at one of these facilities. He came loose at me because it's always a demand from ViP that they be on the internet in the first place.

      Which brings us back to the point: Congress should write a law that anything designated "critical infrastructure" MUST have its control plane (at least) air-gapped from the internet. As a felony.

      1. Doctor Syntax Silver badge

        Re: How many times do we have to say it?

        Yup. If VIP goes to jail the insistence will be that it isn't on the internet.

        Add a felony offence for paying the ransom. The malware slingers must be amazed that they're enabled to get away with this scam.

    2. Binraider Silver badge

      Re: How many times do we have to say it?

      Not that simple, air gapping is still more vulnerable than one would think. Find me any *current* RTOS provider that doesn't demand firmware updates be applied, even on off-network devices. Devices need to be reconfigured periodically when parameters change even if not updated. This probably involves a mobile engineer and his box standard laptop - with probably a USB stick, ethernet or a serial port. Compromise the service laptop, compromise the field device.

      And often the field device you need a means of getting output back out of it. A strictly one-way serial connection is probably the safest, if you really need to stream such data. Noting that once it's out, you still need to send it somewhere else to consume. That probably means bog standard internet at that point (or if you are lucky, an internal network - still a point of vulnerability).

      There are retailers out there touting "wi-fi modules that don't conform to industrial standards" as a "defence" against folks targeting 802.11... $deity help you if you are dumb enough to buy one of those.

      Digital controls are *not* the right solution for many critical situations. The obsession with digitisation is seriously unhealthy and, one day, something *really* important will be hit.

      1. Claptrap314 Silver badge

        Re: How many times do we have to say it?

        You're mostly correct, but missing the point. After Stuxnet, no one can claim that air-gapping means you are safe. But not air-gapping means you're not serious.
