Will WannaCry Be Industry’s Cybersecurity Wake-Up Call?

The ransomware attack that swept the world last week left most manufacturers unscathed, but exposed the critical vulnerabilities that many have not even begun to address.

Screenshot of the ransom demanded by WannaCry.

Possibly the biggest cybersecurity news item to come across the wires since Stuxnet was last week’s news about WannaCry. WannaCry is a type of malware referred to as ransomware because it blocks access to the infected computer’s data until a ransom is paid to regain access. It began infecting Windows-based computers worldwide on May 12 through phishing emails and a self-propagating worm feature in the malware.

Later that same day, a researcher at MalwareTech helped slow the spread of the threat by exploiting a kill switch in WannaCry’s code, which involved registering a web domain obtained from a sample of the WannaCry code. Doing this had the effect of capturing the traffic the malware generates to spread its code. Although the kill switch may capture the Internet traffic generated by the malware, it does not stop the malware from spreading its code.

Patrick McBride, chief marketing officer at Claroty, noted that because “many ICS [industrial control system] networks are closed off from the public Internet, the kill switch may not trip if the malware initially launches inside a closed network. The irony is that organizations that follow the best practice of having closed ICS/OT networks may remain at risk. In addition, some organizations inadvertently fueled the spread of the virus in their networks by blacklisting the kill switch URL.”

Though the first news items about WannaCry highlighted its impact on the British National Health Service, it affected more than 230,000 computers in 150 countries. Among the sites affected by the malware are the production operations of Nissan, PetroChina and Renault.

Galina Antova, co-founder of Claroty, said that because WannaCry was not specifically designed to target operational technology (OT) networks, it is easy for manufacturers to dismiss it. “But,” she said, “we have first-hand knowledge of the worm affecting OT networks and shutting down production.”

Although agreeing that malware like WannaCry is a threat to OT networks, Eddie Habibi, CEO of PAS, stressed that WannaCry should not cause manufacturers to panic. “This is one case where proprietary systems have an inherent defense mechanism against a widespread cyberattack like WannaCry,” he said. “Proprietary layers of OT that include Level 0 through Level 2 are generally immune to malware like WannaCry. The reason for this is that WannaCry is a Microsoft Windows vulnerability that, by design, cannot execute on traditional proprietary layers of the OT. This is important for the public as well as the authorities to know in order to not create unnecessary panic.”

Despite this Level 0-2 immunity, increasing links between IT and OT systems across industry hold the potential to dramatically impact industrial operations. McBride noted several key weaknesses that ICSs have in the face of malware like WannaCry, such as:

  • Industrial networks are often not well segmented between IT/OT, so an infection in the former can easily spread to the latter.
  • Microsoft Server Message Block is present within ICS environments that rely on Windows machines supporting HMIs, engineering workstations, historians, distributed control systems and more. WannaCry malware exploited a vulnerability present in Microsoft Server Message Block.
  • Many Windows machines inside ICS environments are not fully patched and are often either outdated or unsupported.

Though the worst of the initial WannaCry seems to have passed, experts warn that a new version—without a kill switch—might already be circulating.

“Regardless of whether there is a new version in the wild, we expect copycat variants soon,” McBride said. “It is trivial to create a variant. All the required code is open sourced and the Conficker worm, which went through multiple transformation and infection cycles, serves as a good reminder” of this possibility.

Weak Spots
Although WannaCry may not be a major cause for alarm on OT networks, it is a threat, and it has already affected manufacturing operations around the world. Manufacturers should therefore be aware of the specific vulnerabilities they need to address to protect their networks.

Though the “hard real-time control systems, such as PLCs and embedded DCS controllers, have not moved to a Microsoft environment, almost all other parts of process control systems have moved to Microsoft Windows servers, MS SQL databases and Windows desktop operating systems,” noted Barak Perelman, CEO of Indegy. “These parts of the control system may be susceptible to the threat, with varying impacts on the processes they control.”

Other parts of the control system include HMIs, engineering workstations, historians, tag servers, statistical process control (SPC) and laboratory information management (LIM) systems, said Bryan Singer, director of industrial cybersecurity services and sales at IOActive. In other words, “pretty much the entire body of knowledge to operate the OT environment and all the associated regulatory data is at risk,” he stressed.

Thomas Nuth, director of product and solutions marketing at Nozomi Networks, pointed out that supervisory control and data acquisition (SCADA) and manufacturing execution systems (MES) are the points of highest vulnerability on any OT network because of their proximity to conventional IT functions and Internet access. “The average SCADA or MES often lacks the capability to actively monitor the industrial network for anomalous activity, making the identification of cyber threats in real time almost impossible,” he said. “Furthermore, as SCADA and MES become more advanced and connected to the cloud, they become more vulnerable to innovative cyberattacks. While maintaining firmware and software updates is important, operators may fail to do so on time and every time. This means that SCADA and MES serve as a gateway for OT attacks, and therefore should be a top focus of any manufacturer’s industrial cybersecurity strategy.”

Are You Protected?
In the aftermath of this attack, and facing the certainty that more attacks like it are on the way, manufacturers of all sizes need to address the vulnerabilities in their OT systems.

The first step is to conduct a rapid inventory of all Microsoft machines in your network, Nuth said. “Quickly identify all computers that have access to your Layer 1 and Layer 2 networks and patch them with the most recent patch available from Microsoft,” he said, adding that specific patches are available for legacy operating systems that date back to Windows Server 2003.

Without a complete and accurate inventory of Microsoft machines on your network, “it becomes a guessing game,” Habibi explained. “The problem is that most companies do not have easy access to this data—particularly across an entire enterprise. One of the methods we see used most often is an email sent to each facility asking whether they have systems affected by a published vulnerability. This means that companies are relying upon manual spreadsheets or the memory of their OT subject matter expert to do the vulnerability audit.”

The right approach, according to Habibi, is to have “an automated, evergreen inventory of systems within the facility—not just for workstations and other IT-based systems—but for programmable logic controllers, distributed control systems, smart field instruments and more. With a comprehensive view of cyber assets, vulnerability identification is a simple, accurate query. This works for vulnerabilities such as the one used by WannaCry, as well as ones found in Levels 0 and 1 within the process control network.”

A patch from Microsoft addressing the vulnerability exploited by WannaCry was released a month ago, Antova noted. However, “it often takes vendors time to certify that the patches will work and not break other things,” she said, adding that they should work very fast to do this and get certified patches out to their customers. “Even then, many customers will have to either wait for a maintenance window or make a risk decision to stop production and apply the patch.”

As a further precaution, Singer suggested that manufacturers should not allow mobile devices such as USB, 4G data modems, untested laptops and field equipment to be connected to their OT networks. “Also, check firewall configurations to ensure Windows SMB ports, SNMP and pretty much anything on an OT network does not have any sort of external access from the Internet,” he said. “This includes VPN tunnels.”

Applying the Patch
Since a patch addressing WannaCry is available, McBride recommended the following six-step process for manufacturers:

1. Apply the Windows SMB Patch as soon as possible. An emergency patch for unsupported versions of Windows, such as Windows XP, Vista, Server 2003 or 2008, is available for older systems as well. (See Microsoft Security Bulletin MS17-010 – Critical.)

2. Block SMB ports (139 and 445) between IT/OT networks.

3. On systems that don’t require use of SMB, disable it altogether (Microsoft instructions can be found here) or block it using the endpoint firewalls.

4. On systems that might require SMB for services that are less important, consider disabling SMB 1 until patches can be applied.

5. Quickly review disaster recovery plans and determine which Windows-based ICSs have current back ups. Image or backup those systems as soon as possible to aid in rapid recovery if these systems become infected.

6. ICS security teams need to remain vigilant for new variants of the WannaCry.
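The inventory Nuth and Habibi call for and the first four steps above can be checked per host from one read-only script. The following is an added example, not code from the article or from any vendor quoted in it; it assumes Windows 8/Server 2012 or later (where Get-SmbServerConfiguration and the NetSecurity module exist), and the $Ms17010KbIds value is a placeholder the operator fills in from Microsoft Security Bulletin MS17-010 for the OS in question.

```powershell
# Added example: audit one Windows host against steps 1-4 of the list above.
# Read-only; remediation commands are left commented out at the bottom.
param(
    # Placeholder: the KB number(s) of the MS17-010 update for this OS build.
    [string[]]$Ms17010KbIds = @('KB_FROM_MS17-010_FOR_THIS_OS')
)

$findings = [ordered]@{}

# Inventory line for the automated asset list the article recommends.
$os = Get-CimInstance Win32_OperatingSystem
$findings['Host'] = $env:COMPUTERNAME
$findings['OS']   = "$($os.Caption) $($os.Version)"

# Step 1: is any of the MS17-010 updates installed on this host?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID
$findings['MS17-010 installed'] =
    [bool]($Ms17010KbIds | Where-Object { $installed -contains $_ })

# Steps 3 and 4: is the SMBv1 protocol still enabled on the server side?
$smb = Get-SmbServerConfiguration
$findings['SMBv1 enabled'] = $smb.EnableSMB1Protocol

# Step 3 (endpoint-firewall alternative): is there an enabled inbound rule
# that blocks the SMB ports 139 and 445? Port ranges are not expanded here.
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports -contains '445') -or ($ports -contains '139')
    }
$findings['Inbound 139/445 block rule'] = [bool]$blockRules

# One object per host so the output can be collected into a central inventory.
[pscustomobject]$findings | Format-List

# Remediation for step 4 (run only inside an agreed maintenance window):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Remediation for step 3 on the endpoint firewall:
# New-NetFirewallRule -DisplayName 'Block inbound SMB' -Direction Inbound `
#     -Protocol TCP -LocalPort 139,445 -Action Block
```

Run it with remoting (for example through Invoke-Command) across the Windows hosts that touch the Level 1 and Level 2 networks to replace the spreadsheet-and-email audit Habibi describes.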

“Once the systems that can be patched have been updated, organizations should take a close look at those that cannot be patched and consider other ways to protect them,” Perelman said. “They should also keep in mind that vulnerable systems such as PLCs and embedded DCS controllers, and not just Windows-based DCS controllers, should be protected as well.”

The upside to the WannaCry event for manufacturers is that it should serve as a wake-up call. Though most critical manufacturing systems were not affected—allowing manufacturing, in general, to dodge a bullet—the networks these critical systems are connected to are highly vulnerable if care is not taken to practice good cybersecurity hygiene.

“For Level 3 devices, the worst-case scenario with [WannaCry] is that a historian or advanced application server has to go offline during a patch upgrade,” Habibi said. “The good news is that the proprietary devices responsible for control and safety can continue to run even while Windows devices are offline. Many of our customers are patching Windows devices outside of scheduled maintenance to deal with WannaCry.”

Beyond patching, companies should also “verify the robustness of existing security controls, identify new security needs through a risk assessment, alert personnel to the risk, refresh cybersecurity training, and ensure that backups are being performed correctly in case rapid recovery is needed,” Habibi advised. “Finally, if one does not already exist, companies should develop a crisis management plan that anticipates certain attack scenarios. Waiting until systems are compromised and production is degraded is the wrong time to think through decision criteria and communication requirements.”

Planning Ahead
Regardless of how quickly and successfully industry addresses the WannaCry vulnerability, cybersecurity remains a moving target. There will always be new threats on the horizon.

To stay as far ahead as possible, Singer recommended that companies follow industry-leading guidance from sources such as ISA/IEC 62443, the NIST Cybersecurity Framework, the SANS Top 20 Critical Controls and others. “If you have not conducted a cyber vulnerability assessment or penetration test for your network, schedule one,” he said.

Defense in depth is the best way to protect any company, Perelman said, adding that it requires multiple layers of security that address perimeter and network defenses as well as all of the critical assets in the plant. “The problem in OT environments is that, for decades, organizations have not deployed layers of defense beyond the perimeter,” he said. “We can no longer ignore the fact that threats can find their way into these networks, and critical assets such as PLCs, RTUs and DCSs must be protected.”

Nuth adds that “with the advancement and introduction of things like Cloud SCADA and multi-site MES, it is no longer feasible to assume that industrial networks can remain separate and insulated from the Internet.”

This means that manufacturers must adapt their approach to cybersecurity. Historically, manufacturers have taken a “top-down approach that has attempted to industrialize IT approaches to cybersecurity,” Nuth said. “The problem with this approach is that firewalls, while beneficial, only go so far. Manufacturers need to invest in an ICS cybersecurity strategy that is engineered for their environment first. In other words, a bottom-up solution to cybersecurity is required to scale from the industrial node level to Level 3 firewalls. Manufacturers need to invest in new innovations within ICS cybersecurity that offer a comprehensive approach, from asset management and vulnerability assessment, to real-time monitoring and anomaly detection.”
