The recent WannaCry/WannaCrypt attacks received global attention in the news and social media. Their widespread impact and rapid propagation shocked and scared people around the world. Concern was amplified by reports that the attacks involved a stolen NSA exploit (EternalBlue). Existing Microsoft patches for the underlying SMB vulnerability gave some comfort, but only to organizations running new and updated Windows systems.
The impact on business was particularly noteworthy. Operations were disrupted in parts of the British National Health System, Spain’s Telefonica, FedEx, Deutsche Bahn, LATAM airlines, and Renault-Nissan, which had to stop production at several plants.
While there were no reports of control system compromises, there are important lessons for industrial companies. Compromises of corporate IT systems can impact operations just as much as a compromise of plant systems. The ease of broad propagation across networks suggests that more segmentation and isolation of critical operations applications, like ERP, may be required. Isolation of plant interfaces is also critical as these could become targets for smart criminals and dramatically increase the potential impact of any compromise.
These Likelihood and Impact Assumptions are Changing
The rapid propagation of WannaCry within networks should also raise concern within plant cybersecurity teams. Companies can no longer assume the impact of untargeted attacks, like WannaCry, will be low or isolated to individual PCs. Perimeter firewalls and basic anti-virus software are no longer adequate defenses against these kinds of attacks. Following are some specific actions that you can take to further reduce the likelihood and/or impact of a WannaCry-like attack:
- Use Newest OS and Keep Patches Up to Date – Ironically, new Windows systems and patched systems were the best defense against WannaCry. But this is probably the hardest option for most industrial companies. At a minimum, older systems can be hardened to eliminate unnecessary services and ports.
- Application Whitelisting – This approach can reduce the likelihood that an intrusion can establish a foothold within a PC. Suppliers are offering new approaches that can greatly reduce whitelist management challenges.
- Segment Networks into More Granular Security Zones – This approach reduces the impact of a successful intrusion by limiting the PCs that can be infected. Careful network segmentation can likewise prevent compromises of backup equipment, which facilitates a fast recovery. Popular standards, like IEC-62443, discuss how this should be done.
- Isolate Plants with Unidirectional Gateways – This approach eliminates the possibility that an external attack like WannaCry will get into the control system and greatly mitigates the damage that an internally infected system can cause. See ARC’s report on unidirectional gateways for ways to apply them when bi-directional communications are required.
- Protect Critical Devices with ICS DPI Firewalls – This approach can reduce the likelihood of intrusions by blocking messages from external sources, limit the ability of malware to propagate, and block malicious commands from compromised devices.
- Implement Anomaly & Breach Detection – This approach reduces impact by quickly detecting changes to PCs and network messages that attempt to propagate malware across systems. Investments should also be made in security analysts who can respond rapidly to alerts.
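One way to put the segmentation and anomaly-detection items above into practice, as an added example and not code from the article or from ARC: a small Python check over firewall flow records that flags SMB (TCP/445) fan-out from a single host, the pattern a WannaCry-style worm produces, and any SMB attempt that crosses a security-zone boundary. The zone addressing and the log lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed zone layout (constructed for this example): corporate LAN and control network.
ZONES = {"corporate": ipaddress.ip_network("10.10.0.0/16"),
         "control": ipaddress.ip_network("192.168.50.0/24")}

# Constructed flow records ("timestamp src dst dport"), as a firewall or NetFlow export might log them.
# 10.10.4.7 behaves like a worm: SMB to six peers in seconds, then an SMB attempt into the control zone.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.10.4.7 10.10.4.20 445
2017-05-12T10:00:02 10.10.4.7 10.10.4.21 445
2017-05-12T10:00:03 10.10.4.7 10.10.4.22 445
2017-05-12T10:00:04 10.10.4.7 10.10.4.23 445
2017-05-12T10:00:05 10.10.4.7 10.10.4.24 445
2017-05-12T10:00:06 10.10.4.7 10.10.4.25 445
2017-05-12T10:00:07 10.10.4.7 192.168.50.10 445
2017-05-12T10:00:08 10.10.4.7 10.10.4.30 80
2017-05-12T10:00:09 10.10.4.8 10.10.4.9 445
"""

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def parse_flows(text):
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), src, dst, int(dport)) for ts, src, dst, dport in rows]

def detect_smb_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Alert on (a) any SMB flow crossing a zone boundary and (b) a source reaching
    `threshold` or more distinct SMB peers within `window` (SMB = TCP/445)."""
    alerts, by_src = [], defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport != 445:
            continue                       # only SMB matters for this rule
        if zone_of(src) != zone_of(dst):
            alerts.append(("cross_zone_smb", src, dst))
        by_src[src].append((ts, dst))
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:    # sliding window over this source's SMB peers
                alerts.append(("smb_fanout", src, len(peers)))
                break                      # one fan-out alert per source is enough
    return alerts
```

Running `detect_smb_fanout(parse_flows(SAMPLE_FLOWS))` yields one cross-zone alert for the control-network attempt and one fan-out alert for 10.10.4.7; the single SMB flow from 10.10.4.8 stays below the threshold and raises nothing.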