By Gregory Hale
WannaCry hit over 200,000 computers, from manufacturing to medical, in at least 174 countries starting Friday and running through the beginning of this week, and this ransomware attack could easily have been prevented if manufacturers just followed some basic steps.
The malicious code relied on victims opening a zip file emailed to them, and from there the ransomware package used an already-patched flaw in the Microsoft operating system software to proliferate. Microsoft did release the patch for the vulnerability in March, but as with most patches – especially in the manufacturing automation sector – patching is infrequent, takes time to validate, or does not happen at all.
That all leads to the question of what manufacturing companies can do to protect themselves from this debilitating kind of attack.
“It still comes down to the fundamentals of basic ICS cybersecurity,” said John Cusimano, director of industrial cybersecurity at aeSolutions. “It comes down to having a good handle on your assets. Having a good asset management program so you know what computers you have out there and what operating systems and what patch level they are operating on and having some kind of patch management program.”
The irony, Cusimano said, is this vulnerability was known and patched, but a good portion of the world does not patch.
“The other thing is if you don’t patch, you need to have good network segmentation,” Cusimano said. “The networks that are unpatched are at least isolated by multiple layers of protection so the likelihood goes way down that the infection will go from the business environment to the control systems network. The control systems are either air gapped or have multiple layers of firewalls, but none of them are perfect and there are multiple ways around that.”
Whitelisting would also be extremely effective, Cusimano said.
“Whitelisting would be on the Windows boxes. It just would not let the malware executable install itself. All these Windows servers and workstations that can’t be patched for some reason: if you had whitelisting software on them, the whitelisting would just block anything unauthorized from executing,” he said. “Whitelisting basically says only these executables or these DLLs can run and everything else is blocked. Then you just configure it so only the stuff the control system needs runs. It works pretty well in this environment because you don’t need to be installing a lot of software. Usually everything is set up and left alone for 20 years. Particularly for the boxes we are talking about, like the Windows XP boxes the vendor won’t let you update because the application is not being supported anymore, there is no option to go to a newer operating system. Whitelisting is a really good solution for those kinds of situations where you are stuck and can’t upgrade. It really locks the boxes down so nothing can run except what is on it. We have a lot of customers who either have it installed or are going to it.”
Security controls expert Eric Byres agrees with some of the protection approaches.
“There is no silver bullet for preventing the WannaCry ransomware type of attack from impacting an industrial control system. If the malware gets into your control system it is going to hurt. The trick is to make it very hard for the malware to get a foothold and if it does, make it doubly hard to spread through your plant.
“The solution to these attacks is deploying a holistic strategy that follows an ICS security management program like the one defined by the ISA/IEC-62443 standards. Within ISA/IEC-62443-02-01 (and NERC-CIP) there are four concepts that really make a difference in reducing the probability and impact of a ransomware event in ICS.”
Byres offered four protection points:
1. Endpoint Management: Backup and recovery processes: “Setting up a system that enforces regular backups across all ICS devices and then automatically validates each backup,” Byres said.
Patch and Version Management: “We all know that patching is tricky for control systems, but that doesn’t mean you shouldn’t try. Typically, Windows machines in ICS can be patched regularly using a staggered process. And where you really can’t patch, you at least need to accurately track the versions and vulnerabilities for all your ICS devices. That way you can come up with a mitigation strategy when something evil like WannaCry starts making the rounds.
“For example, if you can quickly determine that you have 200 machines that are patched against today’s malware and 20 that are not, you know where to focus your efforts. You might decide to put in stricter firewall rules for those 20 vulnerable machines or even temporarily cut the wire and isolate them until you can get them patched. In the case of WannaCry, simply disabling the Windows service SMBv1 on vulnerable computers will stop the malware in its tracks. But you probably don’t want to do that on every computer in your ICS, so it’s best to know where to focus your efforts.”
Five years ago, doing those tasks on a regular basis could be terribly labor intensive, Byres said. Now there are platforms that can automate version management, patching, backup, backup validation, A/V updating and even whitelist management from a single dashboard. And they can do it for more than just Windows computers. The best industrial management platforms coordinate the endpoint management of all your equipment, including devices like PLCs and RTUs, he said.
2. Network Segregation (aka Zones and Conduits): Separating the Network into Security Zones: “Having a big, flat control system network makes the bad-guys job of spreading malware easy. As an operator of an ICS, you want to make it very hard. The best way to do that is to divide up your control system into security zones and then install control points (typically firewalls) to monitor and manage the traffic between zones. The first separations should be between the Purdue levels in your plant or factory — having firewalls between Purdue Level 2 (Control systems), Level 3 (Manufacturing operations systems) and Level 4 (Business logistics systems) is the bare minimum. But it is also important to separate each level into process units so the malware doesn’t spread laterally if it accidentally infects one lower level device like an HMI.
“Going back to the WannaCry problem we’re now facing, adding firewall rules to block TCP port 445 to zones with vulnerable computers is a potential quick fix. Just be aware that this will also end any SMB (System Message Block) communications, impacting all Windows file sharing between zones.”
3. Event Monitoring: Watching your ICS: “Installing locks on the doors of your house, but never turning on the burglar alarm is a poor way to fight crime. Similarly, installing firewalls and then never monitoring the logs is also poor practice. Modern ICS need a Security Incident and Event Monitoring (SIEM) system to keep track of what is happening on your network and your computers. There are free SIEMs out there, but if it is too much work to watch the SIEM on a 7/24 basis, consider either outsourcing the task or even passing the logs to the IT department’s SIEM.”
4. Staff Security Training: Train Personnel & Contractors: “We have all heard that people are the weakest link when it comes to security. So, it is critical to make sure that all personnel are aware of the existence and importance of your organization’s ICS security policies, standards and procedures. There are two parts to any successful training process.
“The first is to conduct an awareness program. An awareness program focuses on ensuring that personnel, throughout your organization, are aware of company policies, standards and best practices. You want them to be aware of the current security landscape and the risks to your facility. To be successful, the awareness program should be communicated by senior management to all applicable employees. Then it should be followed up with regular communications to continually remind people of the security program.
“The second is a staff training program that informs employees how to be secure and what to do if they suspect there is a security breach. This training cannot be a one-size fits all program. Different personnel have different responsibilities and this needs to be represented in the training program. I highly recommend developing a role-based training program for control system security.”
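The asset-inventory triage that Cusimano and Byres describe above (know every box, its OS and patch level, then decide where to patch, disable SMBv1, restrict TCP 445 at the zone firewall, or fall back to whitelisting), as an added example that is not from the article or any of the quoted companies. The inventory, its column names and the decision rules are assumptions for illustration.

```python
# Added example, not from the article: triage a constructed ICS asset inventory
# and produce a per-host mitigation plan plus a summary of where effort goes.
import csv
import io
from collections import Counter

# Constructed sample inventory; hostnames, zones and states are made up.
INVENTORY_CSV = """hostname,zone,os,patched,smbv1_enabled,smb_needed,vendor_locked
HMI-01,L2-unitA,Windows 7,yes,yes,no,no
HMI-02,L2-unitA,Windows XP,no,yes,yes,yes
HIST-01,L3,Windows Server 2008,no,yes,yes,no
ENG-01,L3,Windows 10,no,yes,no,no
OPC-01,L2-unitB,Windows XP,no,yes,no,yes
"""


def host_actions(row):
    """Mitigations for one inventory row (flags are 'yes'/'no' strings)."""
    def yes(key):
        return row[key].strip().lower() == "yes"
    if yes("patched"):
        return ["none (patched)"]
    actions = []
    # Vendor will not support a patch or newer OS: lock the box down instead.
    actions.append("apply whitelisting" if yes("vendor_locked") else "schedule patch")
    if yes("smbv1_enabled"):
        if yes("smb_needed"):
            # Turning SMB off would break file sharing: restrict it at the zone boundary.
            actions.append(f"restrict TCP/445 into zone {row['zone']} to approved peers")
        else:
            actions.append("disable SMBv1")
    return actions


def triage(csv_text):
    """Return {hostname: [actions]} for every host in the inventory."""
    return {row["hostname"]: host_actions(row)
            for row in csv.DictReader(io.StringIO(csv_text))}


def summary(plan):
    """Count how many hosts need each action, so effort goes where the exposure is."""
    return Counter(action for actions in plan.values() for action in actions)


if __name__ == "__main__":
    plan = triage(INVENTORY_CSV)
    for host, actions in plan.items():
        print(f"{host}: {', '.join(actions)}")
    print(dict(summary(plan)))
```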
Not Learning from the Past
“What made WannaCry so bad is that it spread to other machines within the network,” said Dewan Chowdhury, founder and chief executive at Malcrawler. “The issue that needs to be discussed is not how the malware got in, but how was it allowed to spread from machine to machine.”
“It has been a long time since there has been a massive malware attack that spread from machine to machine with the malicious intent to destroy,” he said. “Many of us who have investigated cyber espionage cyber-attacks have seen how espionage actors used the Windows SMB function to allow them to move laterally across the network quietly, so they can find more data to steal.
“The recommendation we gave over a decade ago was if there is no business justification for a regular workstation to talk to other workstations on the network using SMB it should be blocked. This simple step prevented many easy functions that allowed an attacker to move laterally to steal or spread malware across the network.
“It’s unfortunate that in 2017 organizations still have not implemented security controls from a decade ago,” Chowdhury said. “The lesson is that before implementing all these new controls, an organization should examine if they implemented industry best security practice.”
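A detection for the pattern Chowdhury describes, one workstation talking SMB to many other workstations, run over constructed firewall log lines; this is an added example, not code from the article or from Malcrawler. The key=value log format, the workstation subnet and the alert threshold are assumptions.

```python
# Added example, not from the article: flag workstations that reach TCP 445 on
# several other workstations, the lateral-movement pattern a SIEM should surface.
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value firewall format.
LOG_LINES = """ts=2017-05-12T10:01:02 src=10.1.2.10 dst=10.1.5.20 dport=445 proto=tcp action=allow
ts=2017-05-12T10:01:05 src=10.1.2.10 dst=10.1.2.11 dport=445 proto=tcp action=allow
ts=2017-05-12T10:01:06 src=10.1.2.10 dst=10.1.2.12 dport=445 proto=tcp action=allow
ts=2017-05-12T10:01:07 src=10.1.2.10 dst=10.1.2.13 dport=445 proto=tcp action=deny
ts=2017-05-12T10:01:09 src=10.1.2.10 dst=10.1.2.14 dport=445 proto=tcp action=allow
ts=2017-05-12T10:02:00 src=10.1.2.30 dst=10.1.5.20 dport=445 proto=tcp action=allow
ts=2017-05-12T10:02:01 src=10.1.2.30 dst=10.1.2.31 dport=80 proto=tcp action=allow
"""

WORKSTATION_NET = "10.1.2."  # assumed workstation subnet; 10.1.5.20 plays the file server
LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+) action=(\S+)")


def parse(lines):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, proto, action = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def is_workstation(ip):
    return ip.startswith(WORKSTATION_NET)


def peer_to_peer_smb(lines, threshold=3):
    """Return {src: sorted peers} for workstations that touched SMB on at least
    `threshold` other workstations. Denied attempts count too: a blocked
    connection still shows the host is probing its neighbours."""
    peers = defaultdict(set)
    for ev in parse(lines):
        if (ev["dport"] == 445 and is_workstation(ev["src"])
                and is_workstation(ev["dst"]) and ev["src"] != ev["dst"]):
            peers[ev["src"]].add(ev["dst"])
    return {src: sorted(p) for src, p in peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    for src, peers in peer_to_peer_smb(LOG_LINES).items():
        print(f"ALERT workstation-to-workstation SMB from {src} to {len(peers)} peers: {peers}")
```

Workstation-to-file-server SMB (10.1.2.30 to 10.1.5.20) is the traffic Chowdhury says has a business justification, so it is not flagged.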
Fix Not Deployed
“This kind of attack is easy to mitigate against because there were patches already in existence and available,” said Graham Speake, chief information security officer at Berkana Resources. “Obviously, companies do have to deploy them. For the IT side of the house, there is usually some delay even if there are important/critical patches released by a vendor as they have to be tested against the company’s base build (or perhaps multiple builds if it is a large multinational). There are still a lot of older or obsolete operating systems around, particularly in some hospitals where the cost to upgrade is a big concern, especially in the UK where it is a nationalized service. Within the ICS/SCADA world, the overall goal of segregated IT and OT systems would alleviate a lot of these attack vectors, but business drivers often outweigh the segregation issue. Having separate systems with a firewall with a strong rule set dividing the two and not allowing Internet access or email from the OT side of the house would go a long way to protect the critical infrastructure.”
While this was a huge general attack against multiple industries, Speake said focused attacks are much harder to defend against.
“Often users will use similar techniques as their competitors to set up and run their OT operations, and knowing that a particular port is likely to be open or a specific application is running can allow attackers to craft the right attack,” Speake said. “Segregating the OT and IT sides of the house with few interconnections between them and flow always going from the OT to IT networks is necessary, and making sure we do not put things in to make it easier/cheaper at the expense of security. The more we have IIOT and devices connecting directly to the Internet, the less secure we likely are and the more likely we are to see incidents affect our ICS/SCADA systems.”
ICS a Target
With this attack hitting multiple industries, is the ICS environment a potential target for industry-centric attacks?
“Traditionally, ICS has not been seen as an area where cybercriminals want to look,” said Jason Haward-Grau, chief information security officer at PAS. “It is much easier to go and hit a bank. Cybercriminals have been looking at things like VirusTotal where they are mining for legitimate ICS files. They innovate faster than we do. They are able to operate in a much more collective fashion.”
Haward-Grau said manufacturers need to get their crisis management plan and dust it off.
“What would we do if ransomware hits? It is about accepting (an attack) will happen and being able to deal with a ransomware attack and not paying the ransom. If you pay the ransom, you become an even bigger target because you are known to pay. If you look at ransomware and the rise of ransomware and the vector changes, it is a matter of time before something significant happens to your environment.
“What would you need to do to recover from an attack like this, because a ransomware attack would eliminate your control system?” he said. “How would you recover it? How quickly could you do it? Have you tested it?”
In the end, Haward-Grau said it all comes back to the basics.
“Recognize you need to know what you have got. You need to understand the vulnerability today and that is an ongoing thing. You may choose to ignore a vulnerability, but knowing that you have it is a fundamental skill. If you don’t know you have it, you are in the blind. Principles and best practices are wonderful on paper, but the hard part is putting them into practice.
“IT has been doing this longer than OT has, but OT is different. But you can’t rely on one without the other. We need effective monitoring to continually see what is changing in your landscape.
“You need to recognize the security approach has to be holistic and it has to start from level zero all the way up. I am astounded it has taken us this long to get to the point where we are realizing that visibility is key.
“The nature of OT is people think in a structured way because that is the way they have always thought,” Haward-Grau said. “The blitzkrieg of cyber will change the way people will think.”