WannaCry: Revisit (or Create) ICS Security Plan

Wednesday, May 31, 2017 @ 02:05 PM gHale


By Heather MacKenzie
The WannaCry ransomware broke onto the world scene May 12 when it infected over 200,000 computers in more than 150 countries.

Thankfully, the impact on critical infrastructure and manufacturing systems was relatively low. While WannaCry’s spread has been curtailed for now, new variants have been reported. More than two weeks after the initial attack, this means critical infrastructure operators and manufacturers still need to take measures to protect their Industrial Control Systems (ICS) from the WannaCry family of ransomware.


Immediate actions start with determining whether your systems are vulnerable by identifying computers and devices running Windows operating systems not updated with the latest security patches. You should also identify any devices communicating with the Windows SMB1 protocol, which is used to propagate the malware. If these situations exist, you need to execute a plan to mitigate and protect against these security weaknesses.

While we can take a deep breath that WannaCry did not shut down essential services such as power systems and water systems, the malware is certainly a very loud wake-up call. Let’s look at what can be done immediately, and over the longer term, to prevent and mitigate ransomware infections to industrial systems.

WannaCry Attack
WannaCry inserts itself into networks using email phishing campaigns and then self-propagates using a Windows SMB1 vulnerability. While OT systems should be protected from threats coming from the IT network, there are now many pathways into industrial networks, and incidents of transportation and manufacturing systems being infected with WannaCry have been reported.

To determine whether your ICS is at risk, identify which computers and other devices are running old versions of the Windows operating system. Also, identify which network connections are communicating using SMB1.

One way to do this is to use an ICS asset management and visibility tool that can quickly and automatically identify all assets with their operating systems and version numbers, as well as all network connections and their communication methods. This will focus your attention on the devices that need patching or other remediation measures. If you do not have technology that does this for you, you will need to consult with OT staff or use other manual methods to identify the vulnerable components of your systems.

While patching industrial devices or changing how they communicate has risks, you need to weigh those risks against the risk of what ransomware might do to your ICS. As part of your action plan, know that Microsoft has made available security patches for out-of-date versions of the Windows operating system.

Here are some resources to help you develop your plan (the first link takes you to the Microsoft free security updates):
• Microsoft.com: Microsoft Update Catalog
• Microsoft.com: Customer Guidance for WannaCrypt attacks
• US-Cert.gov: Indicators Associated with WannaCry Ransomware
• For technical details on WannaCry and risk management approaches for enterprise networks, see the FireEye article: WannaCry Ransomware Campaign: Threat Details and Risk Management

Based upon the level of risk to your systems and the impact an infection might create, you can consider a range of responses, from a planned patch/test cycle to the more extreme step of temporarily disconnecting OT and IT networks.

Improve resiliency. A foundational ICS security best practice is to have an updated asset inventory that includes information for each device such as its operating system, version number and known vulnerabilities. In the past, obtaining and maintaining this information for large, heterogeneous industrial systems was time consuming and difficult.
Today, there are solutions that do this quickly and automatically. The main point is to take whatever action is necessary for your organization to have a good asset management program, with real-time visibility and query capabilities.

Patch program. Industrial systems are notorious for not being patched. There are some good reasons for this: patching may cause an application or an entire process to stop working, or the resources needed to test and safely implement patches may be constrained. Whatever the reason, WannaCry is a shout-out to revisit your patching program. Ideally you don’t want to have to explain how a process or manufacturing system was brought to its knees when a patch that would have prevented the problem was available.

Ensure visibility. Like asset management, historically it was very difficult to have comprehensive visibility and monitoring of large industrial networks and the processes they control. Now, there are new solutions that provide real-time industrial network visualization interfaces, including showing network connections, anomalies and the status of process variables.

In the case of WannaCry, such a system would facilitate detection and remediation in several ways:
• Detecting the anomalous DNS request the ransomware uses to verify whether it should continue with the attack or not. An alert should then be generated that provides context about the DNS request, along with PCAP information to help analyze it.
• Identifying any network connections using the Windows SMB1 protocol. WannaCry communicates using this protocol, and by identifying devices using it, defensive decisions can be taken. For example, spread of the malware would be limited by stopping all SMB1 communications.
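
One way to implement the SMB1 identification described above, as an added example (not from the original article or from any vendor tool): it classifies TCP/445 payloads by the SMB protocol magic (`\xffSMB` for SMB1, `\xfeSMB` for SMB2/3) and treats an SMB1 negotiate that also offers SMB2 dialects as upgradable rather than as SMB1 use. The function names, record layout and sample payloads are assumptions constructed for illustration.

```python
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72  # SMB1 command code for dialect negotiation

def classify_smb(payload):
    """Label one TCP/445 payload: 'smb1', 'smb1-negotiate-upgradable', 'smb2' or None."""
    if len(payload) < 8 or payload[0] != 0x00:   # not a NetBIOS session message
        return None
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        return "smb2"
    if msg[:4] != SMB1_MAGIC or len(msg) < 35:   # not SMB, or truncated SMB1
        return None
    is_reply = bool(msg[9] & 0x80)               # Flags bit 7 is set on server replies
    if msg[4] == SMB_COM_NEGOTIATE and not is_reply:
        # Request body: WordCount (0), ByteCount (2 bytes, LE), then dialect
        # strings, each prefixed with 0x02 and NUL-terminated.
        count = int.from_bytes(msg[33:35], "little")
        dialects = [d.lstrip(b"\x02") for d in msg[35:35 + count].split(b"\x00") if d]
        if any(d.startswith(b"SMB 2") for d in dialects):
            return "smb1-negotiate-upgradable"   # client also offers SMB2
    return "smb1"

def smb1_talkers(records):
    """Return sorted (client, server) pairs whose traffic actually ran SMB1."""
    return sorted({(c, s) for c, s, p in records if classify_smb(p) == "smb1"})

# --- constructed sample traffic (documentation addresses, hand-built payloads) ---
def _nbss(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def _smb1(command, body=b"\x00\x00\x00", flags=0x18):
    # 32-byte header: magic, command, status (4), flags, 22 remaining bytes zeroed
    header = SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22
    return _nbss(header + body)

def _negotiate(*dialects):
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _smb1(SMB_COM_NEGOTIATE, b"\x00" + len(data).to_bytes(2, "little") + data)

SAMPLE = [
    ("192.0.2.10", "192.0.2.50", _negotiate(b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???")),
    ("192.0.2.10", "192.0.2.50", _nbss(SMB2_MAGIC + b"\x00" * 60)),   # session moved to SMB2
    ("192.0.2.21", "192.0.2.50", _negotiate(b"LANMAN1.0", b"NT LM 0.12")),
    ("192.0.2.21", "192.0.2.50", _smb1(0x73)),                        # SMB1 session setup
]

if __name__ == "__main__":
    for client, server in smb1_talkers(SAMPLE):
        print(f"SMB1 in use: {client} -> {server}")
```

A server that only supports SMB1 answers an upgradable negotiate with an SMB1 reply, which this classifier labels `smb1`, so that pair is still reported.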

Review incident response plan. There’s nothing like fast-spreading, real-life malware to test your incident response plan. How well did it work in this case? What could have been improved? Is it time to initiate a process to update the plan? Did alert fatigue plague rapid response? Know that incident correlation and replay features specific to ICS environments are now available; they ease incident management and speed response to major cyber incidents such as those triggered by WannaCry.

In addition, how good are your forensic tools for analyzing cyber incidents? Do you have SIEMs or other solutions in place for identifying OT cybersecurity events and alerting the right people? Do you have tools that provide PCAPs and before/after ICS system snapshots for analyzing events and learning how to prevent them in the future? If not, now is the time to look for solutions that give you these capabilities.

Implement standards. A watershed cybersecurity event like WannaCry will certainly draw the attention of executives and likely a review of current ICS security practices. Where does your organization stand with respect to implementing industrial cybersecurity standards like IEC-62443, the NIST framework or NERC CIP?
These standards help you deploy layered security measures (defense-in-depth) that work to stop and contain cyberattacks that, one way or another, get into the OT network.

Awareness and Training. It is an old adage that the weakest security link in an organization is people. WannaCry is widely believed to have entered systems by people clicking on attachments and/or links in phishing emails.

Ongoing training and awareness, tailored for different user groups, is essential.

Like the Conficker worm of 2008, WannaCry 2017 should cause most organizations to re-examine their cybersecurity practices and defenses. While critical infrastructure systems and manufacturers were not significantly impacted this time, your organization’s cyber resiliency may need strengthening to defend against future attacks.

Heather MacKenzie is with Nozomi Networks. This is an excerpt from her blog.


