By Gregory Hale
You can see the fallout already occurring from the WannaCry ransomware attack. Yes, it seems more manufacturers will implement security procedures because they want protection against these types of attacks – and that is a good thing.
WannaCry hit over 200,000 computers, from manufacturing to medical, in at least 174 countries starting Friday and running through the beginning of this week, and the attack could easily have been prevented if manufacturers had followed some basic steps.
The malicious code relied on victims opening a zip file emailed to them, and from there the ransomware package used a patched flaw in the Microsoft operating system software to proliferate. Microsoft released the patch for the vulnerability in March, but as with most patches – especially in the manufacturing automation sector – patching is infrequent, takes time to validate, or does not happen at all.
Security against these types of attacks is important, just as securing against a Stuxnet-like attack was, where malicious code sneaked into an air-gapped system via a USB drive and damaged a nuclear enrichment facility.
Security with Blinders
But that is a myopic view of security, one that focuses only on the incident at hand. That constant react-and-repair mentality has to end.
Why not implement a security mindset built on a holistic security program, one that provides visibility into the network and employs technology that can point out, react to and repair the issues that arise time and time again?
While that is still no silver bullet, that kind of approach would not only solve the issues the industry has already gone through, it would also protect manufacturers against the next zero-day attack, the one no one can yet describe but everyone knows is out there.
Think about it for a moment: for those who believed they were too small or too obscure to be attacked, WannaCry changed that mindset.
“That argument went out the window,” said Patrick McBride from network monitoring firm, Claroty. “If your answer is security through obscurity because you don’t think somebody is going to target you, well, you are vulnerable even if they don’t target you. They will have an impact. That was proven beyond a reasonable doubt over the weekend. It did impact stuff. It could have been worse if the kill switch didn’t happen. We are sure this one will be back. It is not like all plants went back and patched their Windows systems over the weekend. This will come back like Conficker came back. It is still out there eight years later.”
There are solutions out there.
“The solution to these attacks is deploying a holistic strategy that follows an ICS security management program like the one defined by the ISA/IEC-62443 standards,” said security controls expert, Eric Byres. “Now platforms can automate version management, patching, backup, backup validation, A/V updating and even whitelist management from a single dashboard. And they can do it for more than just Windows computers. The best industrial management platforms coordinate the endpoint management of all your equipment, including devices like PLCs and RTUs.”
“It still comes down to the fundamentals of basic ICS cybersecurity,” said John Cusimano, director of industrial cybersecurity at aeSolutions. “It comes down to having a good handle on your assets. Having a good asset management program so you know what computers you have out there and what operating systems and what patch level they are operating on and having some kind of patch management program.”
“There are products out there now that integrate patch management, antivirus, whitelisting, backup and recovery in a security platform,” Cusimano said. “It may take a while; I think it is where the industry is going because it is getting too much for people to manage all these tools. They can’t keep up with all the different tools, so bundling all that together into a single console is a really good idea.”
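A minimal form of the asset and patch-level check Cusimano describes, as an added example that is not from the article or from any vendor product: it reconciles an inventory against the hosts actually seen on the network and flags machines that lack the required OS update. The inventory records, observed hosts and update identifiers are constructed placeholders.

```python
"""Reconcile an asset inventory against the host list seen on the network
and flag machines whose OS is not at the required patch level.

Added illustration only; the inventory, the observed hosts and the
update identifiers below are constructed placeholders, not real data.
"""
from dataclasses import dataclass, field

# Constructed placeholder baseline: the OS security update each OS version must carry.
REQUIRED_UPDATE = {
    "Windows 7": "KB-PLACEHOLDER-W7",
    "Windows Server 2008": "KB-PLACEHOLDER-2008",
}


@dataclass
class Asset:
    host: str
    os: str
    installed_updates: set = field(default_factory=set)


def review(inventory, observed_hosts):
    """Return (missing_patch, unknown_os, not_in_inventory) host lists."""
    missing_patch, unknown_os = [], []
    by_host = {a.host: a for a in inventory}
    for a in inventory:
        required = REQUIRED_UPDATE.get(a.os)
        if required is None:
            unknown_os.append(a.host)      # OS not in the baseline: cannot judge
        elif required not in a.installed_updates:
            missing_patch.append(a.host)   # known OS, required update absent
    # Hosts on the wire that nobody recorded: the inventory gap itself
    not_in_inventory = sorted(h for h in observed_hosts if h not in by_host)
    return missing_patch, unknown_os, not_in_inventory


# Constructed sample data
INVENTORY = [
    Asset("hmi-01", "Windows 7", {"KB-PLACEHOLDER-W7"}),
    Asset("hmi-02", "Windows 7", set()),
    Asset("hist-01", "Windows Server 2008", {"KB-PLACEHOLDER-2008"}),
    Asset("eng-ws", "Windows XP"),
]
OBSERVED = {"hmi-01", "hmi-02", "hist-01", "eng-ws", "10.0.5.77"}

if __name__ == "__main__":
    labels = ("Missing required update", "OS not in baseline",
              "Seen on network but not in inventory")
    for label, hosts in zip(labels, review(INVENTORY, OBSERVED)):
        print(f"{label}: {hosts}")
```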
Implementing a holistic security plan must start at the top, and there needs to be complete buy-in throughout the company.
“Starting with the C-suite you have to step back and take a look at the risk equation for your organization and ask yourself what can change. What is the realm of plausibility and reality? It is always people, process and technology. The C-suite better take this seriously and if you are a CISO you better be pulling together a board-level presentation that talks about how the risk changed and things we have to do,” McBride said.
React and repair only means you will fix today’s problem. Why not get a firm grasp on the unknown attacks still to come?