Experts’ insights on how to address WannaCry-type ransomware attacks in your industrial company

Last week the WannaCry cyberattack infected tens of thousands of computers, from manufacturing plants to hospitals and large industrial organizations. Since there has been no catastrophic damage yet, it became a great opportunity for ICS players to talk about their products and solutions. In the first phase, most of them expressed their opinion about the consequences such an attack might have on OT. What is the solution to protect a factory, a hospital and the like in such situations, and what is the first step a company should take? The most appropriate response is probably: “There is no silver bullet for preventing the WannaCry ransomware type of attack from impacting an industrial control system” (Eric Byres, security controls expert).
There are as many solutions as opinions; here are some steps an industrial organization can take to protect its digital assets.

David Zahn, GM of the PAS Cybersecurity Business Unit, explained for IIoT World: “For the longest time, facilities have trusted security controls like security by obscurity, system complexity, air gapping, and perimeter-based cybersecurity to protect ICS. WannaCry is another example of how these safeguards are not sufficient. Companies that rely upon industrial control systems (ICS) to operate need to implement solutions that help answer simple cybersecurity questions such as what are my cyber assets, where do I have vulnerabilities, has an unauthorized change occurred, can I recover quickly if a system is compromised, and more. Sadly, these are hard questions to answer as industrial process companies have limited visibility into nearly 80% of the cyber assets in an industrial process facility.

So, what should a company do? First, maintain an automated, complete inventory of all cyber assets in a plant including detailed configuration data. This inventory should include all distributed control systems, safety instrumented systems, programmable logic controllers, smart field instruments, workstations, routers, and more. With this evergreen data, companies can better perform risk assessments and allocate cybersecurity investments where risk is outsized. With regard to WannaCry, companies taking this approach would have identified the Microsoft vulnerability as soon as it was made public and had the opportunity to address it – either through patching if there was a maintenance or turnaround window to do so or through adding a security control. Since this approach to inventory covers all assets in a facility, companies can comprehensively identify other non-Microsoft vulnerabilities with the same solution.”
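The inventory-driven triage Zahn describes, as an added example that is not PAS's or the article's own code: a constructed plant inventory with configuration data is matched against a published advisory, and each affected asset is assigned either a patch (where a maintenance window exists) or a compensating control. The platform strings, asset names and the "KB-PLACEHOLDER" patch id are constructed placeholders.

```python
"""Added example: triage an asset inventory against a newly published
advisory. Inventory, platform strings and patch id are constructed."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str                     # DCS, SIS, PLC, workstation, router ...
    os: str                       # platform string collected by the inventory
    patches: set = field(default_factory=set)  # installed patch ids
    smb_v1_enabled: bool = False  # configuration detail from the inventory
    maintenance_window: bool = False  # an outage or turnaround is available

@dataclass
class Advisory:
    affected_os_prefix: str  # platforms the advisory applies to
    fix_patch: str           # patch id that closes the vulnerability
    needs_smb_v1: bool       # exploitation requires the legacy service

def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected when the platform matches and the fix is not installed."""
    return asset.os.startswith(adv.affected_os_prefix) and adv.fix_patch not in asset.patches

def plan(asset: Asset, adv: Advisory) -> str:
    """Pick the action for one affected asset: patch when a window exists."""
    if asset.maintenance_window:
        return "patch"
    if adv.needs_smb_v1 and not asset.smb_v1_enabled:
        return "monitor: exposed service already disabled, schedule the patch"
    return "compensating control: block the service at the zone boundary"

def triage(inventory: list, adv: Advisory) -> dict:
    """Map each affected asset to an action, most exposed first."""
    hits = [a for a in inventory if is_affected(a, adv)]
    hits.sort(key=lambda a: (not a.smb_v1_enabled, a.maintenance_window, a.name))
    return {a.name: plan(a, adv) for a in hits}

# Constructed plant inventory; "KB-PLACEHOLDER" stands in for the real patch id.
ADVISORY = Advisory("Windows", "KB-PLACEHOLDER", needs_smb_v1=True)
INVENTORY = [
    Asset("hmi-01", "workstation", "Windows 7", smb_v1_enabled=True),
    Asset("hist-01", "historian", "Windows Server 2008",
          smb_v1_enabled=True, maintenance_window=True),
    Asset("eng-01", "engineering", "Windows XP"),  # SMBv1 already disabled
    Asset("eng-02", "engineering", "Windows 10", patches={"KB-PLACEHOLDER"}),
    Asset("plc-01", "PLC", "vendor-rtos"),  # not a Windows platform
]

if __name__ == "__main__":
    print(triage(INVENTORY, ADVISORY))
```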

Lior Frenkel from Waterfall Security shared his point of view in a blog post. He thinks that Unidirectional Security Gateways are the solution, as “this technology makes industrial sites inaccessible via the external networks that monitor them, or via the cloud services with which they share data. This effectively immunizes the network to this class of malware, and indeed to all fast-spreading worms for the foreseeable future(…). The gateways create a physical barrier to the propagation of malicious code and other online attacks back into the networks. One layer of gateways is the minimum that is needed to protect the control network.”

Security controls expert Eric Byres offered four protection points for Industrial Safety and Security Source:

  • Endpoint Management: Backup and recovery processes. “Setting up a system that enforces regular backups across all ICS devices and then automatically validates each backup,” said Byres for ISSS.
  • Network Segregation
  • Event Monitoring: Watching your ICS
  • Staff Security Training.

Today, Forbes published an article about how to turn chaos into an advantage, offering four lessons for leaders to take away. I am sure that many other opinions will follow. What is important to us is to know that all critical infrastructure providers are aware of the IIoT risks and are raising their security, since the consequences of a massive cyberattack could destroy not only businesses but also many human lives.