Thursday, May 25, 2017

WannaCry Ransomware Cryptoworm: What It Means To The Industrial World

By Chris Hamilton, Cybersecurity Working Group Co-Chair 

Many of you have heard about WannaCry, or WannaCrypt (Ransom:Win32/WannaCrypt) initially publicized by the DHS on May 12th. This worm is estimated to have affected over 150 countries and more than 200,000 assets in its short run to date.  It also has prompted Microsoft to release the first patch for Windows XP since end-of-extended-support (unprecedented) in attempts to curb the rampant spread of infection. The kill switch inadvertently discovered is only temporary as multiple iterations are expected, a la Conficker.


For Solutions Providers and those in Manufacturing and Critical Industry sectors, the biggest risk is generally not our base laptops – or surfing the web (although this is frequently the entry point), but un-patched and unsupported production systems and our development Virtual Machines (VMs) scattered across various storage devices.  Worms that spread through an automated process are particularly dangerous to our way of business due to the following factors:
  • Manufacturing systems are often not patched, potentially leaving every Server 2008 R2 and Windows 7/8 system vulnerable to this exploit!
  • Industrial systems frequently run out-of-support operating systems like Windows XP, Server 2003 and even Server 2000.
  • VMs on external drives are notoriously difficult to monitor and less patched over our IT managed systems
  • Specifically for WannaCry – client ICS networks without internet access will never receive the hardcoded kill switch. Once released WannaCry would spread unencumbered.

Call to Action:

Being a good cyber-citizen starts with ensuring your VMs are patched to avoid infection – or worse – spreading any malware across other networks. Additionally, it requires your company to have a critical update patching process to evaluate risk and successfully re-mediate vulnerable systems. The “It’s on fire” reactive approach to patching introduces drastically more risk and cost to your environment over having a planned and scheduled approach integrated with your business process.
Apply patches through Windows Update, or download Windows English language security updates:

Specific Actions:
  •     All: Work with your colleagues and partners to convey the immediate risk of ransomware today and work with them mitigate risks through project or support efforts to develop and ensure patching becomes a focus of your business.
  •     Plant Engineers and Solutions Providers: If you have a vulnerable VM in your possession please patch it immediately! (Snapshot it first and delete after verification)

Vulnerable Systems:

     Windows 2000 Server (There is no planned patch for this operating system.  Fast      track these systems for lifecycle in the immediate term)
     Windows XP (unprecedented patch release by Microsoft)
     Windows Server 2003
     Windows 7
     Window Server 2008
     Windows 8

Important links:

     US-CERT Alert:  TA17-132A
     Microsoft KBs: MS17-010 Security Bulletin
     Rockwell Automation Knowledgebase Article: 546987
     Rockwell Software Compatibility: MS Patch Qualification Lookup

About the Author 

Chris Hamilton
Sr. Technical Consultant, Manufacturing IT/OT
Grantek Systems Integration 

Chris started his professional career in web design, databases, and server management with a focus in security at every level, but grew up around process flow and P&IDs in Biochemical Pharmaceuticals.  In his roles at Grantek he has worked as a controls engineer, a systems engineer and an IT/OT consultant to bridge the gap between IT and Controls teams in order to help clients realize more efficient operations, leverage or implement standardized systems and most importantly understand the line between IT and OT and how it can and will shift with emerging technology and industry changes.  He specifically focuses on the OT side today providing network audits and road mapping a migration plan for a client’s legacy or inefficient hardware as part of a client provided, or jointly developed OSA (Manufacturing Operations Systems Architecture).

No comments: