Cyber Threats: Is Your Current Industrial Security Strategy Enough?

Ransomware Attacks: Are Your Operations Safe?

Now that servers and clients are back up and running, production systems like control, visualization and batch systems have resumed their activities, and plants are once again producing goods, it’s time to reflect on recent events.

I remember very well how this all started. Headlines across the web started to read “Ransomware!, manufacturing companies with systems down, production halted!”

Not something you want to wake up to on a summer morning.

The culprit was a piece of malware called Nyetya or NotPetya. First believed to be ransomware, NotPetya turned out to be a wiper virus with worm-like methods of propagation.  We’ll call it a WiperWorm from now on.

Webinar: Protect Your Plant and Enterprise from Ransomware with Security Solutions. Join us Tuesday, August 10, 2017 from 12:00 p.m. - 1:00 p.m. CT.

Teams with a plan chose their actions carefully and executed them with purpose. An effective response typically involved following a process like that referenced within the Computer Security Incident Handling Guide (National Institute of Standards and Technology Special Publication 800-61).

First, assessing the magnitude of the impact and analyzing what was causing it allowed for appropriate steps to be taken to contain the event. But in many cases, this wasn’t possible. 

For some, just about every Windows computer connected to the industrial control system network was hit by the NotPetya WiperWorm.

With prospects of recovering infected systems looking slim, the next logical step was to start going over existing system backups and attempting to recover.

If backups didn’t exist, all production systems would need to be rebuilt from scratch, a costly and time consuming predicament.

For those lucky enough, backups offered hope, but a disciplined approach to recovery still involved making sure recovered systems were placed on an isolated network to prevent reinfection.

NotPetya has several mechanisms that are used to propagate once a device is infected:

  1. EternalBlue - the same exploit used by WannaCry.
  2. EternalRomance - an SMBv1 exploit leaked by "ShadowBrokers"
  3. PsExec - a legitimate Windows administration tool.
  4. WMI - Windows Management Instrumentation, a legitimate Windows component.

— From the Talos writeup on NotPety

Quick action by excellent cyber security researchers and engineers provided key intelligence on how to prevent re-infection.

  • Patching the MS17-010 vulnerability prevented EternalBlue and EternalRomance exploits from successfully compromising a system.
  • Disabling wmic.
  • Implementing a registry fix that shuts off all administrative shares like C$ and ADMIN$ to cut off one of the propagation vectors.

On the path to recovery, some faced challenges as some of the WiperWorm’s propagation methods also served as key functionality for production applications, so disabling it or restricting access to it wasn’t always a viable option.

The takeaway? The most effective preventive measure against a WiperWorm is adherence to sound security practices: “the basics,” if you will. Countless articles exist on the subject, but a few key points are:

  • Harden systems before putting them in production
  • Run with restricted user accounts where possible
  • Patch your systems and invest in a competent anti-virus or endpoint security solution

Key support services can help you implement these sound security practices within an industrial control system environment.

Validated Windows Patch Subscription

These kinds of subscription services can deliver the latest validated windows patches for your industrial compute environment.  For example, we validate ours in a robust test environment to minimize risk of application impact. Patches are made available by connecting your Windows Server Update Services (WSUS) server to our managed cloud-based WSUS.

After the patches are available on your WSUS, you can apply patches to your systems according to your own schedule. Network and security services can also help you develop/modify in-house industrial patching policies and procedures as needed.

eBook: Industrial Security: Protecting networks and facilities against a fast-changing threat landscape.

Remote Patch and Antivirus Management

These kinds of services help mitigate risk associated with falling behind on Windows patches and anti-virus definitions, as well as the risk associated with an improper patching procedure.

For example, we establish a secure remote connection to your industrial compute environment to monitor the health of infrastructure and images, while administering changes to the environment. 

We then work with you to establish a patching and anti-virus update cadence and procedure that tests the functionality of images and applications before putting them back into production.

Remote Backup Management

Finally, this kind of service helps mitigate risk associated with not having backups and/or remote access to expertise to aid in the rapid restoration of services. The service provides robust backup capability to monitor backup integrity and perform restoration.  As an example, ours can:

  • Deploy a backup appliance in the industrial compute environment, configured to meet the backup frequency and retention requirements of your system
  • Perform remote monitoring of the health of the appliance and backups
  • Perform remote restoration services on-demand to restore images to previously-known “Good” status

When defending against a WiperWorm, RansomWare, or most other malware outbreaks; the most effective strategy remains to be prepared!

Patch and harden your systems to prevent the outbreak, and if you can’t prevent, then make sure you are prepared to restore critical production systems from a backup.

Being prepared could mean the difference between being up and running and having to completely rebuild your production systems.

Help protect your operations against security threats with our industrial security services.

Pascal Ackerman
Posted July 14, 2017 By Pascal Ackerman, Senior Consultant of Industrial Cyber Security, Rockwell Automation
  • Contact:

Blog

We want to keep you up to date with what is happening in your industry to help you get ahead in the future. The Rockwell Automation Blog is a platform for our employees and guest bloggers to share technology and industry-related topics.