Is Your Cybersecurity Strategy Enough?

The best defense is a good offense with a prevention and response plan to protect industrial control systems from ever-increasing cyberattacks.

By Pascal Ackerman, senior consultant of Industrial Cyber Security, Rockwell Automation

Now that servers and clients are back up and running, production systems (such as control, visualization and batch) have resumed their activities, and plants once again are producing goods, it’s time to reflect on recent events.

I remember very well how this all started. Headlines across the Web included, “Ransomware!” and “Manufacturing companies with systems down” and “Production halted!” This was not something you wanted to wake up to on a summer morning.

The culprit was a piece of malware called Nyetya or NotPetya. First believed to be ransomware, NotPetya turned out to be a wiper virus with wormlike methods of propagation. We’ll refer to it as a WiperWorm.

Computer Security Plans

Teams with a plan chose their actions carefully and executed them with purpose. An effective response typically involved following a process similar to that referenced within the Computer Security Incident Handling Guide (National Institute of Standards and Technology Special Publication 800-61).

The first step was to assess the impact’s magnitude and analyze what was causing it so that appropriate steps could be taken to contain the event. However, in many cases, this wasn’t possible. 

For some, the NotPetya WiperWorm hit almost every Windows computer connected to the industrial control system network. With prospects of recovering infected systems looking slim, the next logical step was to start going over existing system backups and attempting to recover. If backups didn’t exist, all production systems would need to be rebuilt from scratch, a costly and time-consuming predicament.

How Does NotPetya Work?

The malware NotPetya has several mechanisms used to propagate once a device is infected:

  1. EternalBlue: the same exploit used by WannaCry.
  2. EternalRomance: an SMBv1 exploit leaked by "ShadowBrokers."
  3. PsExec: a legitimate Windows administration tool.
  4. WMI: Windows Management Instrumentation, a legitimate Windows component.

Source: Talos write-up about NotPetya.

For those lucky enough, backups offered hope, but a disciplined approach to recovery still involved making sure recovered systems were placed on an isolated network to prevent reinfection. Quick action by excellent cybersecurity researchers and engineers provided key intelligence on how to prevent reinfection. Here’s what was necessary:

  • Patching the MS17-010 vulnerability to prevent EternalBlue and EternalRomance exploits from compromising a system successfully.
  • Disabling WMIC.
  • Implementing a registry fix that shuts off all administrative shares such as C$ and ADMIN$ to cut off one of the propagation vectors.
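The three countermeasures above map to settings an administrator can verify before a rebuilt system goes back on the plant network. The following PowerShell audit is an added example, not code from the article or from Rockwell Automation: it reports, without changing anything, whether an MS17-010 hotfix is present and SMBv1 is still enabled, whether wmic.exe and the WMI service are available, and whether the administrative shares are still published. The KB numbers (which vary by Windows build) and the AutoShareServer/AutoShareWks registry values are assumptions taken from public Microsoft documentation and must be checked against the MS17-010 bulletin for the builds in use.

```powershell
# Added example (not from the article): read-only audit of the three
# NotPetya countermeasures listed above. Run in an elevated PowerShell
# session on the host being checked. KB list and registry names are
# assumptions; verify them for your Windows build.

# 1. MS17-010 patch state. KB numbers differ per OS; the two below are the
#    Windows 7 / Server 2008 R2 security-only and monthly-rollup packages.
#    Extend the list for every build present on the control network.
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$installedKbs = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# Later cumulative updates supersede the original KBs, so also report
# whether the SMBv1 protocol that EternalBlue/EternalRomance target is on.
$smb1Enabled = $null
try {
    $smb1Enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
} catch { }

# 2. WMIC / WMI availability. The article recommends disabling WMIC; note
#    that the Winmgmt service itself is usually required by other software.
$wmicPresent   = [bool](Get-Command wmic.exe -ErrorAction SilentlyContinue)
$winmgmtStatus = (Get-Service Winmgmt -ErrorAction SilentlyContinue).Status

# 3. Administrative shares. The registry fix the article refers to sets
#    AutoShareServer (servers) / AutoShareWks (workstations) to 0 under the
#    LanmanServer parameters key; the Server service then stops creating
#    C$ and ADMIN$ at start-up.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$params = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
$adminSharesLive = Get-SmbShare -Special -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in 'C$', 'ADMIN$' } |
    Select-Object -ExpandProperty Name

$findings = @()
if (-not $installedKbs)            { $findings += 'No listed MS17-010 KB installed' }
if ($smb1Enabled -eq $true)        { $findings += 'SMBv1 still enabled' }
if ($wmicPresent)                  { $findings += 'wmic.exe still available' }
if ($params.AutoShareServer -ne 0 -and $params.AutoShareWks -ne 0) {
    $findings += 'AutoShareServer/AutoShareWks not set to 0'
}
if ($adminSharesLive)              { $findings += "Admin shares published: $($adminSharesLive -join ', ')" }

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    Ms17010Kbs      = ($installedKbs -join ', ')
    Smb1Enabled     = $smb1Enabled
    WmicPresent     = $wmicPresent
    WinmgmtStatus   = $winmgmtStatus
    AutoShareServer = $params.AutoShareServer
    AutoShareWks    = $params.AutoShareWks
    AdminShares     = ($adminSharesLive -join ', ')
    Findings        = ($findings -join '; ')
}
```

The script deliberately only reports. Applying the share fix is a matter of `Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord` (or AutoShareWks on a workstation) followed by a restart of the Server service, but as the article notes in the next section, the same shares and WMI may be what a production application depends on, so the audit output should be reviewed with the application owner before anything is disabled.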

WiperWorm Recovery Challenges

On the path to recovery, some faced challenges because some of the WiperWorm’s propagation methods also served as key functionality for production applications, so disabling them or restricting access to them wasn’t always a viable option.

The takeaway? The most effective preventive measure against a WiperWorm is adherence to sound security practices — “the basics,” if you will. Countless articles exist on the subject, but a few key points are:

  • Harden systems before putting them in production.
  • Run with restricted user accounts when possible.
  • Patch your systems and invest in a competent antivirus or endpoint security solution.

Prepare, Prepare, Prepare

When defending against a WiperWorm, ransomware or most other malware outbreaks, the most effective strategy remains to be prepared. Patch and harden your systems to prevent the outbreak. If you can’t prevent it, then make sure you’re prepared to restore critical production systems from a backup. Being prepared could mean the difference between being up and running and having to completely rebuild your production systems.
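Being able to restore from a backup presupposes that the backup exists, is intact, and is recent. The following restore-readiness check is an added example, not code from the article or from Rockwell Automation: it walks a manifest of expected backup images kept on offline media and flags any image that is missing, whose SHA-256 no longer matches, or that is older than an allowed age. The backup root, the manifest layout (a CSV with Name and Sha256 columns) and the seven-day limit are assumptions for illustration.

```powershell
# Added example (not from the article): verify that backups needed to
# rebuild production systems are present, unmodified and fresh enough.
# Paths, manifest format and age limit are assumptions.
param(
    [string]$BackupRoot = 'D:\ICS-Backups',
    [string]$Manifest   = (Join-Path 'D:\ICS-Backups' 'manifest.csv'),
    [int]$MaxAgeDays    = 7
)

# manifest.csv is assumed to look like:
#   Name,Sha256
#   hmi01-2017-07-01.vhdx,3B1F...
#   batch-srv-2017-07-01.vhdx,9A0C...
$rows   = Import-Csv -Path $Manifest
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$results = foreach ($row in $rows) {
    $path   = Join-Path $BackupRoot $row.Name
    $status = 'OK'
    if (-not (Test-Path -Path $path)) {
        $status = 'MISSING'
    } else {
        $item = Get-Item -Path $path
        # Get-FileHash returns upper-case hex, so normalise the manifest value.
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -ne $row.Sha256.ToUpper())   { $status = 'HASH-MISMATCH' }
        elseif ($item.LastWriteTime -lt $cutoff) { $status = 'STALE' }
    }
    [pscustomobject]@{ Name = $row.Name; Status = $status }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring job raise an alert.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

Run it against the offline copy rather than the live file server: a backup that the WiperWorm could reach over an administrative share is not the backup you will be restoring from.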

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.

The JOURNAL from Rockwell Automation and Our PartnerNetwork™ is a bimonthly magazine, published by Putman Media, Inc., designed to educate engineers about leading-edge industrial automation methods, trends and technologies.