Now that servers and clients are back up and running, production systems like control, visualization and batch systems have resumed their activities, and plants are once again producing goods, it’s time to reflect on recent events.
I remember very well how this all started. Headlines across the web started to read “Ransomware! Manufacturing companies with systems down, production halted!”
Not something you want to wake up to on a summer morning.
The culprit was a piece of malware called Nyetya or NotPetya. First believed to be ransomware, NotPetya turned out to be a wiper virus with worm-like methods of propagation. We’ll call it a WiperWorm from now on.
Teams with a plan chose their actions carefully and executed them with purpose. An effective response typically followed a process like the one described in the Computer Security Incident Handling Guide (National Institute of Standards and Technology Special Publication 800-61).
First, assessing the magnitude of the impact and analyzing its cause allowed appropriate steps to be taken to contain the event. But in many cases, this wasn’t possible.
For some, just about every Windows computer connected to the industrial control system network was hit by the NotPetya WiperWorm.
With prospects of recovering infected systems looking slim, the next logical step was to start going over existing system backups and attempting to recover.
If backups didn’t exist, all production systems would need to be rebuilt from scratch, a costly and time-consuming predicament.
For those lucky enough, backups offered hope, but a disciplined approach to recovery still involved making sure recovered systems were placed on an isolated network to prevent reinfection.
NotPetya has several mechanisms that are used to propagate once a device is infected:
— From the Talos writeup on NotPetya
Quick action by excellent cyber security researchers and engineers provided key intelligence on how to prevent re-infection.
On the path to recovery, some faced challenges because some of the WiperWorm’s propagation methods also served as key functionality for production applications, so disabling them or restricting access to them wasn’t always a viable option.
The takeaway? The most effective preventive measure against a WiperWorm is adherence to sound security practices: “the basics,” if you will. Countless articles exist on the subject, but a few key points are:
Key support services can help you implement these sound security practices within an industrial control system environment.
These kinds of subscription services can deliver the latest validated Windows patches for your industrial compute environment. For example, we validate ours in a robust test environment to minimize the risk of application impact. Patches are made available by connecting your Windows Server Update Services (WSUS) server to our managed cloud-based WSUS.
After the patches are available on your WSUS, you can apply patches to your systems according to your own schedule. Network and security services can also help you develop/modify in-house industrial patching policies and procedures as needed.
These kinds of services help mitigate risk associated with falling behind on Windows patches and anti-virus definitions, as well as the risk associated with an improper patching procedure.
For example, we establish a secure remote connection to your industrial compute environment to monitor the health of infrastructure and images, while administering changes to the environment.
We then work with you to establish a patching and anti-virus update cadence and procedure that tests the functionality of images and applications before putting them back into production.
Finally, this kind of service helps mitigate risk associated with not having backups and/or remote access to expertise to aid in the rapid restoration of services. The service provides robust backup capability to monitor backup integrity and perform restoration. As an example, ours can:
When defending against a WiperWorm, ransomware, or most other malware outbreaks, the most effective strategy remains to be prepared!
Patch and harden your systems to prevent the outbreak, and if you can’t prevent it, make sure you are prepared to restore critical production systems from a backup.
Being prepared could mean the difference between being up and running and having to completely rebuild your production systems.
Help protect your operations against security threats with our industrial security services.