By Gregory Hale
WannaCry was a ransomware attack that went out to multiple companies covering various industries, so it was not a targeted attack. But this security incident did cause safety issues forcing plants to shut down either voluntarily or involuntarily.
Carmaker Nissan, which has an alliance with France’s Renault, confirmed some of its units ended up hit by the attack, including its plant in Sunderland in the UK. The company said there was no major impact on its business and declined to disclose further details, although it said production was affected at some plants late on Friday evening. Production started on schedule across all its European operations on Monday.
WannaCry hit over 200,000 computers, from manufacturing to medical, in at least 174 countries starting Friday and through the beginning of this week and this ransomware attack could easily be prevented if manufacturers just follow some basic steps.
The malicious code relied on victims opening a zip file emailed to them and from there the ransomware package used a patched flaw in the Microsoft operating system software to proliferate. Microsoft did release the patch for the vulnerability in March, but like most patches – especially in the manufacturing automation sector – patching is infrequent, or it takes time to validate, or does not happen at all.
“Out of an abundance of caution for the assets and the people, some plants were closed down,” said Patrick McBride with network monitoring firm, Claroty. “We have confirmation it accidentally shut some people down or others shut down to avoid an accidental shut down to prevent harm to people and machines. The attack was not targeted, but it did impact production lines.”
“We have other confirmed reports that had actual incidents, that had a spillover happen and it impacted the way things were going along with HMIs that caused line issues, where they had to shut them down out of abundance of caution for safety,” McBride said.
“The safety implication is massive,” said Jason Haward-Grau, chief information security officer at PAS. “You could have a hole in the ground if your system is wiped.”
With a general attack such as WannaCry over multiple industries having an impact on control systems, could this ransomware actually get into a safety system and hold it for ransom?
“The quick answer is yes, absolutely,” said Steve Elliott, safety expert and senior director of offer marketing – process automation at Schneider Electric.
“More good reason why separating control and safety systems is critical,” he said. “Just imagine if your safety processors also handle the communications to the DCS, HMI, and Historian rather than through a dedicated communications module than can provide isolation between the controller executing the safety application logic and external communications. The processor could be held ‘hostage’ and it wouldn’t just be a loss of communications that could suffer. The safety processor could freeze, stop executing the safety logic, reboot … I could go on. You could lose a critical layer of protection that is often your last line of defense between you and a potential incident.”
ABB safety expert Luis Duran understands it is a software-centric environment and WannaCry posed a Safety Instrumented System (SIS) dilemma.
“The concern is on the Windows-based software, which specifically to the SIS could be the engineering software or other Windows-based software related to the operations or alarms associated to the SIS, obviously that could be problematic,” said Duran, ABB’s product manager for safety systems.
“Maybe more important, the frustration and/or desperation (from the incident) could lead to actions that could compromise processes safety. That means training and response preparation are key. Common best practices such as malware protection, patch management and backup and recovery procedures are ways to reduce the likelihood of events as the ones described in this case, and also having a response plan,” Duran said.
“WannaCry could certainly affect the SIS engineering stations on safety systems if they were interconnected back to the basic control system,” said industry security expert, Eric Byres. “It would probably not affect the actual safety controllers themselves, as WannaCry’s spreading mechanism was dependent on Microsoft’s System Message Block (SMB) file sharing protocol. SMB is generally only seen on Windows-based platforms, though most Linux distributions also now include the useful smbfs package to access SMB file shares sitting on Windows servers. But the operating systems on any SIS controllers probably won’t support SMB and thus would not fall victim to WannaCry. Plus, the vulnerability was a Windows-only vulnerability.
“That said, I’m not sure what most companies’ safety protocol would be if their SIS engineering stations were clearly infected with a malicious worm. It might be to consider the entire SIS compromised and thus potentially unreliable and thus require a full shutdown. I know that in the military world this is often the case — If any one critical system is considered potentially unreliable, then the entire mission is scrubbed,” Byres said.
The manufacturing environment is further complicated by the disparity of systems covering the plant floor.
“We know it is a fantastic patchwork quilt of complexity,” Haward-Grau said. “There isn’t uniformity in the process We could have four or five vendors in a single process, what would happen if one of those vendors was suddenly taken off the grid? What would it do to the process?
“We are starting to see people are starting to think about it. They have to see what my response plan is to this. How do I know what my response capability is in the event a crisis happens? Do I have it incorporated? How would I recover from a complete critical loss of a system? What would that do? Would the safety systems kick in? Would I be able to put my hand of my heart and know my people are safe?”
Safety implications from a general attack like WannaCry which inadvertently shut down production at some manufacturing facilities are causing a ripple effect of concern across the industry.
“It is a wake up call for the industry,” McBride said.