
How WannaCry malware affects enterprises' ICS networks

WannaCry malware has been plaguing organizations across the world. Expert Ernie Hayden explains how this ransomware threatens ICS networks and their security.

There has been substantial discussion in the media and on the internet about the ransomware called WannaCry.

This malware type, which blocks access to data until a ransom is paid, has been destructive. It has caused financial consequences, as well as extreme inconvenience for critical businesses across the globe, such as the National Healthcare Service in the United Kingdom, which was one of the first and most significant victims of the attack. A total of 300,000 computers in 150 countries were locked by WannaCry by the end of May 2017.

When the WannaCry news first broke, some in the industrial controls industry did not see it as a threat; however, once you examine the WannaCry targets and realize it focuses on unpatched Windows-based systems, you can see the threat to industrial control systems (ICS) is significant -- even a small number of U.S. critical infrastructure operators were reportedly affected.

ICS threat vectors

ICS has often been viewed as an air-gapped network, using serial-based protocols that cannot be affected by the outside world's viruses, worms and other malware. In the early days of ICS, when relay racks as big as panel trucks were used in factories, that may have been true, but it no longer holds in today's environment.

For instance, the ICS systems are being upgraded with TCP/IP-based systems and network controls. It is commonplace to find engineering workstations and servers on the ICS networks using Windows operating systems. These systems are susceptible to WannaCry and other attacks on the Wintel operating systems.

Because of a company's need for rapid information on production and shipping, its ICS systems are often attached to the enterprise resource planning (ERP) system via a jump host or even a direct connection to the enterprise IT system. This could also be a means for malware to jump from the IT network to the ICS and cause damage.

Basically, as ICS systems evolve from the old ways to newer, more sophisticated networks and components, they look more and more like the IT systems in the enterprise.

Houston, we have a problem.

The problem

On the IT side of the business, IT managers are trying to reduce their vulnerabilities by means of patching and antimalware products. Patching can usually be done during off hours, because IT systems can tolerate some downtime or reboots. Unfortunately, ICS patching practices are problematic when viewed from this IT perspective.

ICS patching is normally done during plant shutdowns and line shutdowns -- which may occur as rarely as once every 12 to 18 months. Basically, this means that the ICS system manager may have a literal stack of patches -- including patches for the Windows systems -- waiting to be installed into the ICS components at the next outage. So when Microsoft issued patch MS17-010 on March 14, 2017, the patch was probably placed into the stack on the ICS manager's to-do list for the next outage.

This deferral of the MS17-010 patch left the Windows-based systems unprotected from WannaCry in the environment.

WannaCry and ICS

WannaCry is ransomware, and it is really intended to attack individuals and businesses to extract money -- a ransom. It is highly doubtful WannaCry was designed to shut down industrial operations. However, the WannaCry malware can enter the ICS via:

  • The internet, if the ICS is connected either directly or inadvertently;
  • The enterprise IT system, if data flow is permitted from enterprise IT (like the ERP or email) to the ICS system; or
  • USB drives used by employees or vendors that are connected to the ICS.

What would the consequences be to a process system if the human-machine interface -- often a Windows machine -- were to be blocked and all the files encrypted? The line operation and management could be paralyzed. And what if this production line was processing a volatile fluid that could result in fatalities or wreak environmental havoc if not properly managed?

To date, there have been a handful of cases where manufacturers with extensive ICS systems were infected, though it's unclear if the ICS systems themselves were hit directly. But there are opportunities for WannaCry to locate and encrypt an unpatched Windows system in any ICS.

Recommendations to consider

Here are six basic recommendations to ensure that ransomware, such as WannaCry, doesn't endanger your production line and operations:

  • Make sure your ICS is separated from the enterprise IT network and from the internet where the WannaCry malware could migrate.
  • ICS operators, engineers and security personnel should make it a high priority to patch the Windows systems as soon as is practical to reduce the risk and impact of the WannaCry malware. Train your ICS staff to understand this threat so that they also understand why it is a priority.
  • ICS operators should ensure that any portable media, such as USB drives, laptops or test equipment capable of carrying the WannaCry malware, or any malware, is checked for known malware before the portable media even comes into contact with the ICS and its components.
  • Ensure that ICS operator email systems cannot transmit malware to the ICS network. Also, ensure that human-machine interface and control room systems do not have any direct connections to the internet or email.
  • Be sure to train your ICS operators and technicians on malware and viruses and how their systems are not immune to attacks.
  • ICS operators, engineers and security personnel should make it a point to closely monitor the U.S. ICS-CERT alerts and advisories or to subscribe to its email alerts.
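As an added example (not from the article or its author), the following Python audit applies the first and fourth recommendations above, together with the entry vectors listed earlier: given a constructed firewall ruleset and hypothetical zone addresses, it flags every allow rule that gives the internet or the enterprise IT network a direct path into the ICS, bypassing the jump host. The zone names, addresses and rule comments are all assumptions made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
# Constructed zone layout (hypothetical addresses) matching the article's
# picture: enterprise IT should reach the ICS only through a jump host.
INTERNAL_ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "jump_host": ipaddress.ip_network("10.20.0.5/32"),
    "ics": ipaddress.ip_network("10.30.0.0/24"),
}
UNTRUSTED = {"internet", "enterprise_it"}  # must never allow directly into ICS

@dataclass(frozen=True)
class Rule:
    src: str       # source CIDR as written in the ruleset
    dst: str       # destination CIDR
    action: str    # "allow" or "deny"
    comment: str = ""

def zones_of(cidr):
    """Zones a CIDR touches; anything not fully inside an internal zone is
    treated as internet, so 0.0.0.0/0 ("any") hits every zone at once."""
    net = ipaddress.ip_network(cidr, strict=False)
    hit = {name for name, zone in INTERNAL_ZONES.items() if zone.overlaps(net)}
    if not any(net.subnet_of(zone) for zone in INTERNAL_ZONES.values()):
        hit.add("internet")
    return hit

def audit(rules):
    """One finding per allow rule giving an untrusted zone a direct path into
    the ICS. Rules are judged individually: first-match order and shadowing
    by earlier denies are ignored, so a finding means 'review this rule'."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        bad_src = zones_of(r.src) & UNTRUSTED
        if "ics" in zones_of(r.dst) and bad_src:
            findings.append(f"{r.src} -> {r.dst} ({r.comment}): direct path "
                            f"from {sorted(bad_src)} into ICS")
    return findings

# Constructed sample ruleset; two of the allow rules should be flagged.
SAMPLE_RULES = [
    Rule("10.20.0.5/32", "10.30.0.0/24", "allow", "jump host to ICS"),
    Rule("10.10.0.0/16", "10.30.0.10/32", "allow", "ERP reads historian"),
    Rule("0.0.0.0/0", "10.30.0.0/24", "deny", "default deny into ICS"),
    Rule("0.0.0.0/0", "10.30.0.20/32", "allow", "vendor remote access to HMI"),
    Rule("10.30.0.0/24", "10.10.0.0/16", "allow", "ICS to IT, outbound only"),
]
```

Running `audit(SAMPLE_RULES)` reports the ERP-to-historian rule and the vendor remote-access rule; the jump-host rule and the outbound-only rule pass.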

Simply stated, WannaCry malware can impact ICS and susceptible components. It takes hard work and constant, 24/7 due diligence to stay on top of the security of your ICS. Assuming that a breach or successful attack can happen should be a mantra, and it should always be at the top of everyone's mind.


This was last published in July 2017


What has been your experience with WannaCry ransomware?

As you stated, giving ICS practitioners the ability to identify/view where they're most vulnerable is a huge step forward.

For me, I am observing the trend of ICS practitioners investing technologies that support rapid recognition and mitigation of ICS cyber intrusions. I think the WannaCry attack, as well as the more recent Petya and Industroyer attacks, support this growing trend. 

So many ICS practitioners / cybersecurity stakeholders understand that malware is always changing, and therefore '100% prevention' isn't the most realistic goal. Most innovation is happening in the rapid recognition of malware and the mitigation of it. 

As someone who works in the ICS cybersecurity field, I prefer technologies that integrate well together across once disparate network environments - ones that bridge the OT/IT gap. If a solution can leverage non-intrusive approaches to network monitoring / anomalous activity recognition on the OT side, the ability to integrate with enterprise firewalls and SIEM goes much more smoothly.

As industrial operations (across various industries) grow more connected, I think cybersecurity strategies that leverage some form of learning automation, combined with a non-intrusive way of monitoring legacy industrial networks, will be the most successful.

Identifying potential vulnerabilities is indeed a huge step forward; the next one should be to eliminate those.

Here, utmost care in bridging the OT/IT gap needs to be taken, otherwise that approach could prove to be counterproductive. Extending the scope of traditional IT tools into the OT realm could actually make OT more vulnerable, e.g., there are also a good number of vulnerabilities in IT security software products, and IT people typically don't understand the OT world well enough.

Another approach could be to ban systems running Windows or Linux from OT, replacing those with more robust systems that are not susceptible to buffer overflows, keeping data and code strictly separate. Not a cheap solution when considering the already existing software investments, but probably the most realistic approach to protect OT. It is very hard to see how IT could ever become secure again, when holding on to the current mainstream.