The recent WannaCry ransomware attack was the biggest global attack of its kind. It affected more than 300,000 victims and 10,000 organizations in 150 countries and caused major inconvenience and disruptions at industrial giants like Renault-Nissan.
Given the sheer scale of the attack and its blinding speed, WannaCry almost certainly affected hundreds of industrial organizations overnight. However, the extent of the damage to those organizations will never be known as regulatory requirements do not force them to report such incidents.
Although WannaCry did not directly target industrial control systems (ICS), ransomware could easily threaten and compromise industrial facilities such as manufacturing plants, water and power utilities and other critical infrastructure. Cybersecurity researchers at the Georgia Institute of Technology recently demonstrated a form of ransomware that was able to take control of a simulated water treatment plant.
After gaining access, the researchers were able to command programmable logic controllers (PLCs) to shut valves, increase the amount of chlorine added to water and display false readings.
The simulated attack was designed to highlight vulnerabilities in the control systems used to operate industrial facilities such as manufacturing plants, water and wastewater treatment facilities and building management systems for controlling escalators, elevators and HVAC systems.
So, what can industrial organizations, critical infrastructure operators, as well as state, regional and local utilities learn from WannaCry to better secure their operational systems from cyberattacks?
Connectivity has erased the old air gap
The growth of the inter-connected world — which blends Industrial Internet of Things (IIoT), Industry 4.0 and smart devices into both IT and OT networks — is generally praised for its benefits.
This new world enhances connectivity between networks and devices, and between the cloud and the data center. It also improves the efficiency of manufacturing processes and supply chain logistics, while providing better predictive analysis.
However, there is a dark side. Greater connectivity has wiped out the traditional air gap that protected the industrial network from the IT network, and sealed it off from the outside world, notably the Internet. Now, cracks and holes are everywhere, paving the way for cybercriminals to attack industrial networks with malware and other threats.
Industrial control systems are difficult to patch
To prevent cyber attacks and infections from ransomware and other malware that target Windows-based servers and workstations, industrial organizations need to patch these systems. Easier said than done.
Many OT vendors insist that organizations do extensive testing before they patch any Windows-based machine, as untested patches can disrupt or crash these systems. Consequently, industrial organizations find they cannot implement fixes in a timely fashion, and are forced to leave their systems exposed to threats while they test each new patch.
Patching is even more problematic for operational technologies such as PLCs, RTUs and DCS controllers — specialized computers that make logic-based decisions to control industrial processes. These devices control processes in environments, especially critical infrastructure plants, that must run 24/7. Therefore, taking a gas or oil pipeline offline for a few hours to install a patch may not be possible. Money is not the only concern. Organizations worry about operational safety and the stability of these systems and the processes they control.
How to protect ICS networks
Where possible, industrial organizations should patch all their Windows-based software to ensure it is up to date and secure against common malware threats. The problem is, as already mentioned, that patching is not straightforward in ICS networks. To deal with this reality, organizations have to consider alternatives.
The best security option for most organizations is to have a layered approach that extends from the perimeter into the control network, and drills into each critical asset. For decades, most ICS environments have lacked any tangible security beyond the perimeter, thereby leaving themselves exposed to cyber attacks.
With new threats targeting industrial controllers, like the recently exposed CrashOverride malware, organizations may soon be scrambling to protect themselves — and the potential damage could be many times worse than that inflicted on IT networks.
To protect ICS networks and critical assets such as PLCs, RTUs and DCSs, organizations need to embrace real-time visibility and monitoring that can give early indication of reconnaissance activity and alert in real time on malicious acts. This requires visibility into the proprietary control-plane protocols used to make changes to control devices. Organizations also need to enforce security and access management policies that govern who is allowed to make what changes, when and how.
This is the only way to detect unauthorized activities, including cyber threats, insider attacks and human error, before widespread outages and damage can occur.
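As an added illustration of the "who, what, when and how" policy enforcement and reconnaissance detection described above (example code, not from the article or from Indegy), this Python sketch applies an assumed change-control policy to a constructed set of normalized controller events. The event format, host and user names, controller names, maintenance window and thresholds are all assumptions; a real deployment would feed it events decoded from the vendor's control-plane protocol.

```python
from collections import defaultdict
from datetime import datetime, time
# Constructed sample of normalized control-plane events (assumed format):
# (timestamp, source_host, user, target_controller, operation)
EVENTS = [
    ("2017-06-20T02:15:00", "eng-ws-01", "alice", "plc-boiler-1", "read_status"),
    ("2017-06-20T02:16:10", "eng-ws-01", "alice", "plc-boiler-1", "download_logic"),
    ("2017-06-20T11:02:00", "hmi-03", "oper2", "plc-boiler-1", "write_setpoint"),
    ("2017-06-20T11:40:00", "hmi-03", "oper2", "plc-boiler-1", "download_logic"),
    ("2017-06-20T13:00:01", "lab-pc-7", "svc", "plc-boiler-1", "read_status"),
    ("2017-06-20T13:00:02", "lab-pc-7", "svc", "plc-boiler-2", "read_status"),
    ("2017-06-20T13:00:03", "lab-pc-7", "svc", "rtu-pump-4", "read_status"),
]
# Assumed policy: who may issue each state-changing operation, from which host,
# and the window in which logic and firmware changes are permitted.
ALLOWED = {"write_setpoint": {("eng-ws-01", "alice"), ("hmi-03", "oper2")},
           "download_logic": {("eng-ws-01", "alice")}, "firmware_update": {("eng-ws-01", "alice")}}
WINDOWED_OPS = {"download_logic", "firmware_update"}
MAINT_WINDOW = (time(1, 0), time(5, 0))  # 01:00-05:00 plant local time
RECON_TARGETS, RECON_SECONDS = 3, 60     # N distinct controllers within T seconds

def check_change(event):
    """Return a violation reason for a state-changing event, or None if it is allowed."""
    ts, host, user, target, op = event
    if op not in ALLOWED:
        return None  # read-only operation: nothing to enforce here
    if (host, user) not in ALLOWED[op]:
        return f"{user}@{host} is not permitted to {op} on {target}"
    t = datetime.fromisoformat(ts).time()
    if op in WINDOWED_OPS and not (MAINT_WINDOW[0] <= t <= MAINT_WINDOW[1]):
        return f"{op} on {target} outside the maintenance window"
    return None

def detect_recon(events):
    """Flag a source that touches many distinct controllers within a short period."""
    history, flagged, alerts = defaultdict(list), set(), []
    for ts, host, user, target, _ in events:
        now = datetime.fromisoformat(ts)
        history[host].append((now, target))
        recent = {tg for t0, tg in history[host] if (now - t0).total_seconds() <= RECON_SECONDS}
        if len(recent) >= RECON_TARGETS and host not in flagged:
            flagged.add(host)
            alerts.append({"kind": "reconnaissance", "host": host, "user": user,
                           "detail": f"polled {len(recent)} controllers: {sorted(recent)}"})
    return alerts

def analyze(events):
    changes = [{"kind": "unauthorized_change", "host": e[1], "user": e[2], "detail": r}
               for e in events if (r := check_change(e))]
    return changes + detect_recon(events)
```

Running `analyze(EVENTS)` on the constructed sample flags the operator's logic download from the HMI (wrong role, wrong host and outside the window) and the lab PC that sweeps three controllers in three seconds, while the engineer's night-shift logic change and the operator's setpoint write pass silently.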
Barak Perelman is CEO of Indegy, an industrial cybersecurity firm. Before founding Indegy, he led several multimillion dollar cybersecurity projects at the Israel Defense Forces. A graduate of the elite Talpiot military academy, Perelman has over 15 years of hands-on experience in cybersecurity and protection of critical infrastructures.