alphaspirit - Fotolia


How WannaCry malware affects enterprises' ICS networks

WannaCry malware has been plaguing organizations across the world. Expert Ernie Hayden explains how this ransomware threatens ICS networks and their security.

There has been substantial discussion in the media and on the internet about the ransomware called WannaCry.

This malware type, which blocks access to data until a ransom is paid, has been destructive. It has caused financial consequences, as well as extreme inconvenience for critical businesses across the globe, such as the National Healthcare Service in the United Kingdom, which was one of the first and most significant victims of the attack. A total of 300,000 computers in 150 countries were locked by WannaCry by the end of May 2017.

With the initial receipt of the WannaCry news, some in the industrial controls industry did not see it as a threat; however, as you examine the WannaCry targets and realize it is focused on unpatched Windows-based systems, you can see the threat to industrial control systems (ICS) is significant -- even a small number of U.S. critical infrastructure operators were reportedly affected.

ICS threat vectors

ICS has often been viewed as an air-gapped network, using serial-based protocols that cannot be affected by the outside world's viruses, worms and other malware. In the early days of ICS, when relay racks as big as panel trucks were used in factories, that may have been true, but that just doesn't stand up to today's situation.

For instance, the ICS systems are being upgraded with TCP/IP-based systems and network controls. It is commonplace to find engineering workstations and servers on the ICS networks using Windows operating systems. These systems are susceptible to WannaCry and other attacks on the Wintel operating systems.

Because of a company's need for rapid information on production and shipping, its ICS systems are often attached to the enterprise resource planning (ERP) system via a jump host or even a direct connection to the enterprise IT system. This could also be a means for malware to jump from the IT network to the ICS and cause damage.

Basically, as the ICS systems evolve from the old days, old ways to the newer, more sophisticated networks and components, they're looking more and more like the IT systems in the enterprise.

Houston, we have a problem.

The problem

On the IT side of the business, IT managers are trying to reduce their vulnerabilities by means of patching and antimalware products. Patching can usually be done during off hours because the availability of the IT system enables some off time or reboots. Unfortunately, ICS patching practices are problematic when viewed with this IT perspective.

ICS patching is normally done during plant shutdowns and line shutdowns -- which may occur as rarely as once every 12 to 18 months. Basically, this means that the ICS system manager may have a literal stack of patches to install into the ICS components -- including the Windows systems waiting for the next outage. So when Microsoft issued patch MS17-010 on March 14, 2017, the patch was probably placed into the stack on the ICS manager's to-do list for the next outage.

This deferral of the MS17-010 patch left the Windows-based systems unprotected from WannaCry in the environment.

WannaCry and ICS

WannaCry is ransomware, and it is really intended to attack individuals and businesses to extract money -- a ransom. It is highly doubtful WannaCry was designed to shut down industrial operations. However, the WannaCry malware can enter the ICS via:

  • The internet, if the ICS is connected either directly or inadvertently;
  • The enterprise IT system, if data flow is permitted from enterprise IT (like the ERP or email) to the ICS system; or
  • USB drives used by employees or vendors that are connected to the ICS.

What would the consequences be to a process system if the human-machine interface -- often a Windows machine -- were to be blocked and all the files encrypted? The line operation and management could be paralyzed. And what if this production line was processing a volatile fluid that could result in fatalities or wreak environmental havoc if not properly managed?

To date, there have been a handful of cases where manufacturers with extensive ICS systems were infected, though it's unclear if the ICS systems themselves were hit directly. But there are opportunities for WannaCry to locate and encrypt an unpatched Windows system in any ICS.

Recommendations to consider

Here are six basic recommendations to ensure that ransomware, such as WannaCry, doesn't endanger your production line and operations:

  • Make sure your ICS is separated from the enterprise IT network and from the internet where the WannaCry malware could migrate.
  • ICS operators, engineers and security personnel should make it a high priority to patch the Windows systems as soon as is practical to reduce the risk and impact of the WannaCry malware. You need to train your ICS staff to understand this threat to better understand the priority.
  • ICS operators should ensure that any portable media, such as USB drives, laptops or test equipment capable of carrying the WannaCry malware, or any malware, is checked for known malware before the portable media even comes into contact with the ICS and its components.
  • Ensure that ICS operator email systems cannot transmit malware to the ICS network. Also, ensure that human-machine interface and control room systems do not have any direct connections to the internet or email.
  • Be sure to train your ICS operators and technicians on malware and viruses and how their systems are not immune to attacks.
  • ICS operators, engineers and security personnel should make it a point to closely monitor the U.S. ICS-CERT alerts and advisories or to subscribe to their mail alert.

Simply stated, WannaCry malware can impact ICS and susceptible components. It takes hard work and constant, 24/7 due diligence to stay on top of the security of your ICS. Assuming the risks of a breach or successful attack should be a mantra and should always be at the top of everyone's minds.

Next Steps

Learn a few ways to handle industrial control systems security

Find out if Conficker malware infections of ICS or SCADA systems are a threat

Discover why ICS security training is necessary to boost awareness

This was last published in July 2017

Dig Deeper on Threats and vulnerabilities