When the WannaCry ransomware attack hit Windows-based computers worldwide last month—debilitating the British National Health Service and affecting hundreds of thousands of computers worldwide—it was a big headline. But in the month and a half that’s passed since then, it seems to have become just another day in the news. Attack after attack is coming through, and it should be very clear—because it apparently wasn’t clear enough already—that manufacturing operations of all shapes and sizes need to make sure they’re protected.
The latest big attack, dubbed NotPetya, came yesterday through a data-scrambling ransomware similar to WannaCry that struck Europe, South Asia and the U.S. It hit the Ukraine and Russia particularly hard, including the Ukraine’s power grid, railways and communications, and Russia’s Rosneft oil company. Drugmaker Merck and foodmaker Mondelez International were two of the companies affected in the U.S.
Critical infrastructures might not have been the intended target, but they were widely impacted nonetheless. “Attacks such as these do not discriminate between geography or industry,” commented David Zahn, general manager of industrial control system (ICS) security for PAS. “Like the WannaCry attack, critical infrastructure was caught in the cross hairs with early reports identifying oil and gas and power as victims. Banking and pharmaceuticals also experienced issues.”
Called NotPetya because it bears some resemblance to the Petya ransomware but with significant differences, it would appear that this latest malware is designed primarily to wreak havoc. Though the motive at first seemed to be financial—demanding $300 in Bitcoin to unscramble data—there’s reportedly no way to pay the ransom and no way to restore your documents with a key.
If the motive were not financial or general havoc, the consequences could potentially be much more serious, Zahn said. “Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety. Compromising these systems could impact the environment, cause injury or disrupt production,” he said. “It’s also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted.”
One of the comments made at last week’s Honeywell Users Group (HUG) Americas symposium was that Honeywell has only been able to get about 10 percent of its users to actively do something about their security position. Too many companies assume that nobody would want to attack them, commented Vimal Kapur, president of Honeywell Process Solutions (HPS).
But whether you’re specifically a target or not really isn’t the point, especially with how quickly and randomly the attacks can spread from one location to another.
“Look at some of these attacks happening,” said Seth Carpenter, a cybersecurity technologist for HPS. He noted how the WannaCry ransomware started in the health industry and spread across the UK, the infection multiplying to any computer it could access. “Malware doesn’t care. It sees a system and it starts spreading.”
Like WannaCry, the NotPetya ransomware spread across the globe using EternalBlue, a hacking tool developed by the U.S. National Security Agency (NSA) and leaked in April by hacker group Shadow Brokers.
“Let’s face it—when the Shadow Brokers leaked the NSA’s hacking tools, they let the genie out of the bottle and there’s no putting it back in,” said Nir Giller, chief technology officer of cybersecurity company CyberX. “We should expect to see all kinds of cyber adversaries playing with and building on top of them.”
Combined with purpose-built malware like Crash Override, the new attacks could spell real trouble for critical infrastructure and other industry operations. “Some of us in the ICS cybersecurity community are braced for the worst—mainly that some creative hacker will find a way to cross-pollinate elements of WannaCry/Petya with the destructive payloads of the ICS-specific Industroyer/Crash Override malware,” said Giller, who previously was part of an elite and highly specialized Israeli Defense Force (IDF) cybersecurity unit tasked with protecting critical infrastructure. “If that were to happen, then we’re playing a whole new ballgame.”
Crash Override (also known as Industroyer) is only the second known case of malicious code purpose-built to disrupt physical systems—the first being Stuxnet. The malware can automate mass power outages and could be adapted to different electric utilities, according to a report released this month from cybersecurity companies ESET and Dragos.
“It would seem we have arrived at the dawn of the age of the ICS attack,” said Bryan Singer, director of security services for IOActive, and previous chairman of ICS security standards body ISA-62443/ISA-99. “For the past 10 years, any attacks to industrial control systems have been one-off, specifically targeted attacks by insiders, or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era: It is now impossible to say, ‘That can't happen to us’ anymore—this will act as a real wake-up call.”
“Wake-up call” is a phrase often used, and one that critical infrastructure and in fact all manufacturers would do well to answer. “The latest news about Crash Override is one more wake-up call that we need to become better at the cybersecurity basics, which most industrial companies struggle with today—know what ICS cyber assets you have (from smart field instruments to controllers to workstations), identify and manage vulnerabilities, detect when an unauthorized change occurs, and ensure backups are available,” PAS’s Zahn said.
“It's easy to hit the snooze button and ignore these kinds of wake-up calls, especially when attacks happen in other countries and regulatory compliance receives such a strong focus within power,” Zahn added. “This is not a path we as an industry can sustain. Flipping the script on prioritizing good cybersecurity over good compliance is a step down a better path.”
The first thing to do to avoid being impacted by NotPetya is to apply the Server Message Block (SMB) patch that Microsoft released in conjunction with WannaCry, advised Ken Spinner, vice president of field engineering for Varonis, a data protection company focused on insider threats and cyber attacks. (See David Greenfield’s coverage of WannaCry to learn more about applying the SMB patch.)
“It’s important to keep systems updated with the latest patches to address short term security fixes,” Spinner said. “But in the long run, organizations need to take a look at their security policies and make sure they’re adapting to today’s threat environment. That means locking down sensitive data, maintaining a least privilege model, and monitoring file and user behavior so that they know the moment they’re under attack.”
Only 16 of 61 endpoint antivirus products were able to detect this strain of ransomware, according to VirusTotal, “which underscores the need for non-signature-based defenses and a layered approach to data security,” Spinner said.
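The file-behavior monitoring Spinner calls for, and the non-signature-based defense the VirusTotal numbers argue for, come down to the same idea: watch what accounts do to files rather than what the binary looks like. The sketch below is an added example, not code from the article, from Varonis, or from any vendor quoted here. It assumes a constructed file-activity audit feed (one event per line, in a made-up format) and flags any user-and-host pair whose rate of ransomware-like actions, renames that change a file's extension or deletes, reaches an assumed threshold of five within an assumed sixty-second window.

```python
"""
Behavioural (non-signature) detection of ransomware-like file activity.

Added example; the audit-log format, window and threshold are all assumptions:
    <timestamp> <user> <host> <action> <path> [-> <new_path>]
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed detection window
THRESHOLD = 5                   # assumed: suspicious actions per window before alerting

# Constructed sample events: alice edits two documents, carol renames one note,
# then bob's account rewrites and renames a whole share within seconds.
SAMPLE_LOG = """\
2017-06-27T10:00:01 alice ws-01 WRITE C:\\Users\\alice\\Documents\\budget.xlsx
2017-06-27T10:00:40 alice ws-01 WRITE C:\\Users\\alice\\Documents\\notes.docx
2017-06-27T10:01:05 carol ws-03 RENAME C:\\Users\\carol\\todo.txt -> C:\\Users\\carol\\todo.md
2017-06-27T10:02:10 bob ws-07 RENAME C:\\Shared\\plant\\p1.pdf -> C:\\Shared\\plant\\p1.pdf.locked
2017-06-27T10:02:11 bob ws-07 RENAME C:\\Shared\\plant\\p2.docx -> C:\\Shared\\plant\\p2.docx.locked
2017-06-27T10:02:11 bob ws-07 RENAME C:\\Shared\\plant\\p3.xlsx -> C:\\Shared\\plant\\p3.xlsx.locked
2017-06-27T10:02:12 bob ws-07 DELETE C:\\Shared\\plant\\backup.bak
2017-06-27T10:02:13 bob ws-07 RENAME C:\\Shared\\plant\\p4.pdf -> C:\\Shared\\plant\\p4.pdf.locked
2017-06-27T10:02:14 bob ws-07 RENAME C:\\Shared\\plant\\p5.pdf -> C:\\Shared\\plant\\p5.pdf.locked
"""


def parse_event(line):
    """Parse one audit line into a dict; RENAME lines carry both old and new path."""
    ts, user, host, action, rest = line.split(" ", 4)
    event = {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
             "action": action, "path": rest, "new_path": None}
    if action == "RENAME":
        event["path"], event["new_path"] = rest.split(" -> ")
    return event


def is_suspicious(event):
    """Heuristic: deletes, or renames that change the file extension (the
    pattern of a document being replaced by an encrypted copy)."""
    if event["action"] == "DELETE":
        return True
    if event["action"] == "RENAME":
        old_ext = ntpath.splitext(event["path"])[1].lower()
        new_ext = ntpath.splitext(event["new_path"])[1].lower()
        return old_ext != new_ext
    return False


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, host) whose suspicious actions within
    `window` reach `threshold`. Events must arrive in time order."""
    recent = defaultdict(deque)  # sliding window of timestamps per (user, host)
    alerted = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if not is_suspicious(ev):
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": key[0], "host": key[1], "count": len(q),
                           "first_seen": q[0].isoformat(),
                           "triggered_at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['user']}@{a['host']}: {a['count']} suspicious file actions "
              f"between {a['first_seen']} and {a['triggered_at']}")
```

Run as is, the script raises a single alert for bob on ws-07 at the fifth suspicious action (10:02:13); alice's ordinary edits and carol's lone extension change stay below the threshold, which is the point of rating behaviour over time rather than judging any one event. The same loop works as a consumer of a real file-server audit stream once `parse_event` is rewritten for that product's format.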
“Failure to take the appropriate steps to address modern malware has a global impact—affecting everything from government to business to transportation,” Spinner added. “These attacks have the potential to bring the world to a halt. We’ve got to be proactive in planning for attackers breaching the first line of defenses and update security practices to protect data from the inside, for when perimeter security fails.”