When the WannaCry ransomware attack hit Windows-based computers worldwide last month—debilitating the British National Health Service and affecting hundreds of thousands of computers worldwide—it was a big headline. But in the month and a half that has passed since then, it seems to have become just another day in the news. Attack after attack is coming through, and it should be very clear—because it apparently wasn’t clear enough already—that manufacturing operations of all shapes and sizes need to make sure they’re protected.
The latest big attack, dubbed NotPetya, came yesterday through a data-scrambling ransomware similar to WannaCry that struck Europe, South Asia and the U.S. It hit the Ukraine and Russia particularly hard, including the Ukraine’s power grid, railways and communications, and Russia’s Rosneft oil company. Drugmaker Merck and foodmaker Mondelez International were two of the companies affected in the U.S.
Critical infrastructure may not have been the intended target, but it has nonetheless been widely affected. “Attacks such as these do not discriminate by geography or industry,” commented David Zahn, general manager of industrial control system (ICS) security at PAS. “Like the WannaCry attack, critical infrastructure was caught in the crosshairs, with early reports identifying oil and gas and power as victims. Banking and pharmaceuticals also experienced problems.”
Called NotPetya because it bears some resemblance to the Petya ransomware but differs from it in significant ways, this latest malware appears to be designed primarily to wreak havoc. Though the motive at first seemed to be financial—demanding $300 in Bitcoin to unscramble data—there’s reportedly no way to pay the ransom and no way to restore your documents with a key.
If the motive were not financial or general havoc, the consequences could potentially be much more serious, Zahn said. “Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety. Compromising these systems could impact the environment, cause injury or disrupt production,” he said. “It’s also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted.”
The word at last week’s Honeywell Users Group (HUG) Americas symposium was that Honeywell has only been able to get about 10 percent of its users to actively do something about their security posture. Too many companies assume that nobody would want to attack them, commented Vimal Kapur, president of Honeywell Process Solutions (HPS).
But whether or not you are specifically targeted is not really the point, particularly given the speed and randomness with which an attack can spread from one location to another.
“Look at some of these attacks,” said Seth Carpenter, cybersecurity technologist at HPS. He pointed to how the WannaCry ransomware started in the healthcare sector and spread across the UK, with the infection propagating to any computer it could reach. “The malware doesn’t care. It sees a system and starts to spread.”
Like WannaCry, the NotPetya ransomware spread across the globe using EternalBlue, a hacking tool developed by the U.S. National Security Agency (NSA) and leaked in April by hacker group Shadow Brokers.
“Let’s face it—when the Shadow Brokers leaked the NSA’s hacking tools, they let the genie out of the bottle and there’s no putting it back in,” said Nir Giller, chief technology officer of cybersecurity company CyberX. “We should expect to see all kinds of cyber adversaries playing with and building on top of them.”
Combined with purpose-built malware like Crash Override, the new attacks could spell real trouble for critical infrastructure and other industry operations. “Some of us in the ICS cybersecurity community are braced for the worst—mainly that some creative hacker will find a way to cross-pollinate elements of WannaCry/Petya with the destructive payloads of the ICS-specific Industroyer/Crash Override malware,” said Giller, who previously was part of an elite and highly specialized Israeli Defense Force (IDF) cybersecurity unit tasked with protecting critical infrastructure. “If that were to happen, then we’re playing a whole new ballgame.”
Crash Override (also known as Industroyer) is only the second known case of malicious code built to disrupt physical systems, the first being Stuxnet. According to a report released this month by cybersecurity firms ESET and Dragos, the malware can automate large-scale power outages and can be adapted to different electric utilities.
“It would seem we have arrived at the dawn of the age of the ICS attack,” said Bryan Singer, director of security services for IOActive, and previous chairman of ICS security standards body ISA-62443/ISA-99. “For the past 10 years, any attacks to industrial control systems have been one-off, specifically targeted attacks by insiders, or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era: It is now impossible to say, ‘That can't happen to us’ anymore—this will act as a real wake-up call.”
“Wake-up call” is a phrase used often, and one that critical infrastructure, and indeed all manufacturers, would do well to heed. “The latest news about Crash Override is a wake-up call that we need to get better at the cybersecurity basics, which most industrial companies struggle with today: knowing what ICS cyber assets you have (from smart field instruments to controllers to workstations), identifying and managing vulnerabilities, detecting when an unauthorized change occurs, and ensuring backups are available,” PAS’s Zahn said.
“It is easy to sleep through these kinds of wake-up calls, especially when attacks happen in other countries and regulatory compliance receives such a strong focus within power,” Zahn added. “This is not a path we as an industry can sustain. Flipping the script on prioritizing good cybersecurity over good compliance is a step down a better path.”
The first thing to do to avoid being impacted by NotPetya is to apply the Server Message Block (SMB) patch that Microsoft released in conjunction with WannaCry, advised Ken Spinner, vice president of field engineering for Varonis, a data protection company focused on insider threats and cyber attacks. (See David Greenfield’s coverage of WannaCry to learn more about applying the SMB patch.)
“It’s important to stay up to date with the latest patches to address short-term security fixes,” Spinner said. “But in the long term, organizations need to look at their security policies and make sure they are adapted to today’s threat environment. That means locking down sensitive data, maintaining a least-privilege model, and monitoring file and user behavior so they know the moment they are under attack.”
Of 61 endpoint antivirus products, only 16 were able to detect this strain of ransomware. “This highlights the need for non-signature-based defenses and a layered approach to data security,” Spinner said.
“Failure to take appropriate steps to address modern malware has global repercussions, affecting everything from government to business to transportation,” Spinner added. “These attacks have the potential to bring the world to a standstill. We must proactively plan for attackers to breach first-line defenses and update security practices to protect internal data for when perimeter security fails.”