By Pascal Ackerman, senior consultant of Industrial Cyber Security, Rockwell Automation
Now that servers and clients are back up and running, production systems (such as control, visualization and batch) have resumed their activities, and plants once again are producing goods, it’s time to reflect on recent events.
I remember very well how this all started. Headlines across the Web included “Ransomware!”, “Manufacturing companies with systems down” and “Production halted!” This was not something you wanted to wake up to on a summer morning.
The culprit was a piece of malware called Nyetya or NotPetya. First believed to be ransomware, NotPetya turned out to be a wiper virus with wormlike methods of propagation. We’ll refer to it as a WiperWorm.
Teams with a plan chose their actions carefully and executed them with purpose. An effective response typically involved following a process similar to that referenced within the Computer Security Incident Handling Guide (National Institute of Standards and Technology Special Publication 800-61).
The first step was to assess the impact’s magnitude and analyze what was causing it so that appropriate steps could be taken to contain the event. However, in many cases, this wasn’t possible.
For some, the NotPetya WiperWorm hit almost every Windows computer connected to the industrial control system network. With prospects of recovering infected systems looking slim, the next logical step was to start going over existing system backups and attempting to recover. If backups didn’t exist, all production systems would need to be rebuilt from scratch, a costly and time-consuming predicament.
The malware NotPetya has several mechanisms used to propagate once a device is infected:
Source: Talos write-up about NotPetya.
For those lucky enough, backups offered hope, but a disciplined approach to recovery still involved making sure recovered systems were placed on an isolated network to prevent reinfection. Quick action by excellent cybersecurity researchers and engineers provided key intelligence on how to prevent reinfection. Here’s what was necessary:
On the path to recovery, some faced challenges because some of the WiperWorm’s propagation methods also served as key functionality for production applications, so disabling them or restricting access to them wasn’t always a viable option.
The takeaway? The most effective preventive measure against a WiperWorm is adherence to sound security practices — “the basics,” if you will. Countless articles exist on the subject, but a few key points are:
When defending against a WiperWorm, ransomware or most other malware outbreaks, the most effective strategy remains to be prepared. Patch and harden your systems to prevent the outbreak. If you can’t prevent it, then make sure you’re prepared to restore critical production systems from a backup. Being prepared could mean the difference between being up and running and having to completely rebuild your production systems.
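Being prepared to restore also means knowing, before the outbreak, that the backup set you will reach for is complete and unaltered. The following is an added example, not code from the article or from Rockwell Automation: it builds a SHA-256 manifest of a backup set and later verifies the set against that manifest, reporting files that have gone missing, been altered, or appeared unexpectedly. The backup directory name and the file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the SHA-256 of every file in the backup set, keyed by POSIX-style relative path."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a previously stored manifest.

    Returns the relative paths that are missing, whose hash no longer matches,
    or that are present but were never recorded (a hint of tampering or clutter).
    """
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then damage the backup set and re-verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical backup of an HMI workstation: a config export plus a disk image.
        backup = Path(tmp) / "hmi01_backup"
        (backup / "config").mkdir(parents=True)
        (backup / "config" / "tags.csv").write_bytes(b"tag,address\nPump1,N7:0\n")
        (backup / "hmi.img").write_bytes(b"\x00" * 1024)

        manifest = build_manifest(backup)  # store this copy off the production network

        # Simulate what a wiper or a failing disk could do to the backup set.
        (backup / "hmi.img").write_bytes(b"\x00" * 1023 + b"\x01")
        (backup / "config" / "tags.csv").unlink()

        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as where it is kept: store it (or a signed copy of it) on media that the production network cannot reach, and run the verification on an isolated recovery host before any image is written back to a controller or visualization server.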
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.