Friday, June 9, 2017

WannaCry Ransomware and Industrial Control Systems

The following article was posted on my LinkedIn account and was prepared by me with assistance from several of my colleagues at my employer, BBA.
The actual article can be located at this LINK.
There’s been substantial discussion in the media and on the interwebs about the ransomware called “WannaCry”. This malicious software (malware), which blocks access to data until a ransom is paid, has been destructive. It’s caused financial consequences as well as extreme inconveniences for critical businesses across the globe, such as the National Healthcare Service in the United Kingdom, which was one of the first and most significant victims of the attack (a total of 300,000 computers in 150 countries had been locked by WannaCry as of the end of May 2017).


Ransomware is a type of malicious software that carries out a cryptoviral extortion attack: it blocks access to data until a ransom is paid and displays a message requesting payment to unlock the data.
Where did ransomware originate? The first documented case appeared in 2005 in the United States, but ransomware quickly spread around the world.
How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent.
How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged $864. However, there’s no guarantee that paying will get your data back.
How did WannaCry operate? It appears to have used a flaw in Microsoft's software, discovered by the National Security Agency and leaked by hackers, to spread rapidly across networks locking away files.


However, it appears that the ransomware was focused on Enterprise IT systems and not on Operational Technology (OT), also known as Industrial Control Systems (ICS), although a small number of U.S. critical infrastructure operators were reportedly affected. In any case, understanding the difference between these two types of systems is crucial to ensure the cybersecurity of your plant or facility… and to judge whether or not ransomware like WannaCry can affect them.
The above figure illustrates the typical separation between Enterprise Information Technology (IT) and Operational Technology (OT), also known as ICS. Enterprise IT is composed of systems used to run a business: emails, time sheet reporting, finance, expense reporting, purchasing, etc. These systems are normally Windows-based, including Windows Servers and Windows operating systems.
On the OT side of the business, most of the “computers” are small and specialized machines, such as programmable logic controllers (PLCs), distributed control systems (DCSs), engineering workstations, historians (basically focused, real-time databases), etc. Some Windows operating systems are used on the OT side, but there are also many other types of industrial communications protocols for data exchanges beyond normal TCP/IP.
Most importantly, Enterprise IT networks are usually connected to the Internet, while OT networks tend to be separated from the world wide web. There are normally no direct communication links between IT and OT networks. That’s why WannaCry ransomware is affecting applications and data on Enterprise IT systems more than on OT systems.
To date, a handful of cases where ICS were infected have been reported. Nonetheless, “the news should put all companies that rely on industrial control systems (ICS) on high alert because the choices available to protect the systems within an industrial process facility are much more limited than those in corporate IT”, explained the PAS Global CEO this week. Indeed, there are opportunities for WannaCry to locate and encrypt an unpatched Windows system in any ICS.
As of this time, there are no verified examples where WannaCry attacked and “bricked” a human machine interface (HMI) on a factory floor or caused an industrial system to fail quietly or catastrophically. But the opportunities are present wherever Windows operating systems are installed in the ICS in such places as HMIs, ICS engineering workstations, etc. ICS components of a plant are not patched or updated as often as IT systems components for a simple reason: reboot activities and software uploads require a production shutdown or the production lines must be in “safe mode” to avoid undesirable consequences on the production systems.


Here are four basic recommendations to ensure that ransomware, such as WannaCry, doesn’t endanger your production line and operations:
  1. Make sure the ICS is separated from the Enterprise Information Technology (IT) network and from the Internet where the WannaCry malware could migrate.
  2. ICS operators/engineers/security personnel should make it a high priority to patch the Windows systems as soon as practical to reduce the risk and impact of the WannaCry malware.
  3. ICS operators should ensure that any portable media (e.g., USB drives) and/or laptops/test equipment capable of “carrying” the WannaCry malware (or any malware in all cases) are checked for known malware before they even come into contact with the ICS and its components.
  4. ICS operators, engineers and security personnel should make it a point to closely monitor the US ICS-CERT alerts and advisories or subscribe to their mail alert.
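
One way to check recommendation 1 against an actual firewall policy is sketched below. This is an added example, not part of the original article: the OT address range, the rule names, the addresses and the ports are all constructed, and the policy is assumed to be evaluated first-match. It reports every allow rule that still opens a path from outside the OT zone into it.

```python
from ipaddress import ip_network

# Constructed zone plan (assumption): OT/ICS address space for the plant.
OT_ZONES = [ip_network("10.50.0.0/16")]

# Constructed first-match policy: (name, action, src, dst, port); port None = any.
RULES = [
    ("hist-replication", "allow", "10.50.10.5/32", "10.20.0.10/32", 1433),
    ("block-it-to-plc",  "deny",  "10.20.0.0/16",  "10.50.20.0/24", None),
    ("it-to-plc-legacy", "allow", "10.20.4.0/24",  "10.50.20.0/24", 502),
    ("it-file-share",    "allow", "10.20.0.0/16",  "10.50.30.0/24", 445),
    ("vendor-remote",    "allow", "0.0.0.0/0",     "10.50.30.7/32", 3389),
    ("ot-internal",      "allow", "10.50.0.0/16",  "10.50.0.0/16",  None),
]

def in_ot(net):
    """True when the whole network lies inside the OT address space."""
    return any(net.subnet_of(z) for z in OT_ZONES)

def touches_ot(net):
    """True when any address in the network belongs to the OT zone."""
    return any(net.overlaps(z) for z in OT_ZONES)

def shadowed(rule, earlier):
    """An allow is dead if an earlier deny covers its full src, dst and port."""
    _, _, src, dst, port = rule
    for _, action, e_src, e_dst, e_port in earlier:
        if (action == "deny" and src.subnet_of(e_src) and dst.subnet_of(e_dst)
                and e_port in (None, port)):
            return True
    return False

def segmentation_findings(rules):
    """Return effective allow rules whose source is not wholly OT but whose
    destination reaches into OT (Enterprise IT or Internet -> ICS)."""
    parsed = [(n, a, ip_network(s), ip_network(d), p) for n, a, s, d, p in rules]
    findings = []
    for i, rule in enumerate(parsed):
        name, action, src, dst, port = rule
        crosses = touches_ot(dst) and not in_ot(src)
        if action == "allow" and crosses and not shadowed(rule, parsed[:i]):
            findings.append((name, str(src), str(dst), port))
    return findings

if __name__ == "__main__":
    for finding in segmentation_findings(RULES):
        print("inbound path into OT:", finding)
```

On the constructed policy, the legacy PLC rule is not reported because the earlier deny already covers it; the file-share and vendor remote-access rules are the two paths that remain open into the OT zone.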


Simply stated, WannaCry can impact ICSs and susceptible components; it takes hard work and constant, 24/7 due-diligence to stay on top of the security of your ICS. Assuming the risks of a breach or successful attack should be a mantra and should always be at the top of everyone’s minds.