Updated May 19, 2017 and October 16, 2019.
The WannaCry ransomware malware broke onto the world scene on Friday May 12, 2017 when it infected over 200,000 computers in more than 150 countries. Thankfully, the impact on critical infrastructure and manufacturing systems was relatively low. While WannaCry’s spread has been curtailed for now, new variants have been reported. This means that critical infrastructure operators and manufacturers need to take measures today to protect their Industrial Control Systems (ICS) from the WannaCry family of ransomware malware.
Immediate actions start with determining whether your systems are vulnerable by identifying computers and devices running Windows operating systems not updated with the latest security patches. You should also identify any devices communicating with the Windows SMB1 protocol, which is used to propagate the malware. If these situations exist, you need to execute a plan to mitigate and protect against these security weaknesses.
While we can take a deep breath that WannaCry did not shut down essential services such as power systems and water systems, the malware is certainly a very loud wake-up call. Let’s look at what can be done immediately, and over the longer term, to prevent and mitigate ransomware infections to industrial systems.
What To Do Now: Determine ICS WannaCry Vulnerabilities and Implement Mitigations
WannaCry inserts itself into networks using email phishing campaigns and then self-propagates using a Windows SMB1 vulnerability. While OT systems should be protected from threats coming from the IT network, nowadays there are many pathways to industrial networks and incidents of transportation and manufacturing systems being infected with WannaCry have been reported.
To determine whether your Industrial Control Systems (ICS) are at risk, identify which computers and other devices are running old versions of the Windows operating system. Also, identify which network connections are communicating using SMB1.
A way to do this is to use an ICS asset management and visibility tool which quickly and automatically identifies all assets with their operating systems/ version numbers, and identifies all network connections and their communication method. This will focus your attention on the devices that need patching or other remediation measures. If you do not have technology that does this for you, you will need to consult with the right OT staff or use other manual methods to identify the vulnerable components of your systems.
While patching industrial devices or changing how they communicate has risks, you need to weigh those risks against the risk of what ransomware might do to your ICS. As part of your action plan, know that Microsoft has made available – free of charge – security patches for out-of-date versions of the Windows operating system.
Here are some resources to help you develop your plan (the first link takes you to the Microsoft free security updates):
- Microsoft.com: Microsoft Update Catalog
- Microsoft.com: Customer Guidance for WannaCrypt attacks
- US-Cert.gov: Indicators Associated with WannaCry Ransomware
- For technical details on WannaCry and risk management approaches for enterprise networks, see the FireEye article: WannaCry Ransomware Campaign: Threat Details and Risk Management
Based upon the level of risk to your systems and the impact and infection might create, you can consider a range of responses, from a planned patch/test cycle to the more extreme step of temporarily disconnecting OT and IT networks.
What do Next: Seek To Improve Cyber Resiliency Over Time
1) Implement Real-time Asset Management
A foundational ICS security best practice is to have an updated asset inventory that includes information for each device such as its operating system, version number and known vulnerabilities. In the past, obtaining and maintaining this information for large, heterogeneous industrial systems was time consuming and difficult.
Nowadays, there are solutions that do this quickly and automatically. While, we offer one of these solutions, the main point to you is to take whatever action is necessary for your organization to have a good asset management program, with real-time visibility and query capabilities.
2) Revisit Your Patching Program
Industrial systems are notorious for not being patched. There are some good reasons for not doing so, because patching may cause an application or an entire process to stop working. Or, the resource requirements to test and safely implement patches may be constrained. Whatever the reason, WannaCry, is a shout-out to revisit your patching program. Ideally you don’t want to have to explain how a process or manufacturing system was brought to its knees when a patch that would have prevented the problem was available.
3) Ensure Visibility and Monitoring of the Industrial Network and Process
Like asset management, historically it was very difficult to have comprehensive visibility and monitoring of large industrial networks and the processes they control. Now, there are new solutions that provide real-time industrial network visualization interfaces, including showing network connections, anomalies and the status of process variables. We offer one such solution, but your takeaway is to be aware that passive, non-intrusive visibility to OT systems is now possible.
In the case of WannaCry, such a system would facilitate detection and remediation in several ways:
- Detecting the anomalous DNS request that the ransomware uses to verify whether it should continue with the attack or not. An alert should then be generated that provides context about the DNS request and PCAP information to help analyze it.
- Identifying any network connections using the Windows SMB1 protocol. WannaCry communicates using this protocol, and by identifying devices using it, defensive decisions can be taken. For example, spread of the malware would be limited by stopping all SMB1 communications.
4) Review Your Incident Response Capabilities and Plan
There’s nothing like a fast spreading, real-life malware to test your incident response plan. How well did it work in this case? What could have been improved? Is it time to initiate a process to update the plan? Did alert fatigue plague rapid response? Know that incident correlation and replay features are now available specific to ICS environments that will ease incident management and speed response to major cyber incidents such as those triggered by WannaCry.
Furthermore, how good are your forensic tools for analyzing cyber incidents? Do you have SIEMs or other solutions in place for identifying OT cyber security events and alerting the right people? Do you have tools that provide PCAPs and before / after ICS system snapshots for analyzing events and learning how to prevent them in the future? If not, now is the time to look for solution that give you these capabilities.
5) Implement Industrial Cyber Security Standards
A watershed cyber security event like WannaCry will certainly draw the attention of executives and likely a review of current ICS security practices. Where does your organization stand with respect to implementing industrial cyber security standards like IEC-62443, the NIST framework or NERC CIP?
These standards help you deploy layered security measures (defense-in-depth) that work to stop and contain cyberattacks that, one way or another, get into the OT network.
For example, an important measure is to segment the industrial network into security zones and then install conduits, usually firewalls, that control the communication between zones. Firewalls might be installed between the Purdue Levels of a facility and each level might also have multiple process groups.
In the case of WannaCry, an anomaly detection solution could identify that a malware attack was occurring and even actively communicate with firewalls to, for example, block TCP port 445 to stop its spread. Our product, Guardian, integrates with firewalls to provide this type of functionality. For sure, there are significant considerations to be evaluated with this approach, but be aware that such a capability that exists.
6) User Awareness and Training
It is an old adage that the weakest security link in an organization is people. WannaCry is widely believed to have entered systems by people clicking on attachments and / or links in phishing emails.
Ongoing training and awareness, tailored for different user groups is essential. If your efforts in this regard are less than ideal, WannaCry is an impetus to revisit them.
Conclusion: Escalating Cyber Security Concerns May Lead to New Approaches
Like the Conficker worm of 2008, WannaCry 2017 will cause most organizations to re-examine their cyber security practices and defenses. While fortunately critical infrastructure systems and manufacturers were not significantly impacted this time, your organization’s cyber resiliency may need strengthening to defend against future attacks.
Our technical team of ICS cyber security experts has decades of experience and is standing by to help your organization with WannaCry and beyond. They can demonstrate how real-time cyber security and visibility for industrial control networks can help you protect against WannaCry and other threats to industrial operations. Simply reach out to us at firstname.lastname@example.org.