Astec recommends multi-faceted approach to mitigate risk of ransomware attacks

On 12th May 2017 the WannaCry ransomware affected over 200,000 victims and infected more than 300,000 computers worldwide.

Among the victims were the NHS, who were forced to run some services on an emergency-only basis during the attack. A second major attack struck several large organisations again last month, using ‘Petya’ type ransomware. Both attacks involved self-duplicating network worms, which rapidly spread using the EternalBlue vulnerability in Microsoft Windows. The cyber-attacks spread across the world, crippling hundreds of businesses from shipping companies to advertising firms.

The hacks can cause major disruption to global infrastructure, and while the threat of repeat attacks looms, the real issue is how to avoid falling victim to them in the future. IT and Engineering departments who have been paying lip service to cybersecurity risk mitigation are waking up to a priority re-think.

Blame game

Part of the blame for the WannaCry attack was apportioned to the US intelligence agencies CIA and NSA, who were accused of stockpiling the exploit code for their own use instead of reporting the underlying vulnerability to Microsoft. Others find the affected companies at fault for not updating their unsupported systems – or for not installing the patches supplied by Microsoft as they were released.

It was revealed that the new state-of-the-art £3.5 billion HMS Queen Elizabeth aircraft carrier is running on Windows XP, and Britain’s nuclear submarines are also still believed to run on XP. XP is still more widely used than Windows 8.1 (released in 2013) or any version of Apple’s Mac OS X or the open-source Linux OS. Although Windows XP, Windows Server 2003 and older systems are most at risk, many victims of the WannaCry attack were running Windows 7, and the recent attack in Ukraine is believed to have been seeded through a software update mechanism built into an accounting program.

Some researchers claim the recent spate of cyberattacks (which used malware structured differently to the original ‘Petya’ code) was merely masquerading as ransomware, as the attackers put little effort into designing an effective payment system. This raises questions over the possible motives for purely malicious and destructive attacks, which could be political rather than money-orientated.

The advice

For end users of Automation Systems, however, the who and the why are largely irrelevant. Astec Technical Director Chris Barlow comments:

“There will always be someone looking to spoil someone else’s party for money, vanity or more sinister motivations. I have witnessed numerous people in the IT and Engineering domain squabbling over who knows the most, and who has the best advice. Better to rise above it and simply do all you can to reduce the ever-present risks presented by cyber security.”

Remediation activity can start with the following steps:

  • Ensure all operating systems are currently supported by the vendor
    Develop an obsolescence plan for any systems running on operating systems older than Windows 7 or Server 2008. Then plan ahead for the phasing out of support for Windows 7 and Server 2008. Windows NT, 2000, XP and 2003 are not acceptable platforms on which to run your business.
  • Check you have the right patching regime to ensure supported systems are up to date
    Typically, users of Automation Systems avoid patching real-time systems so as not to threaten production. However, this is unnecessary, as any risks associated with patching can be mitigated by implementing test systems and/or redundant architectures, so that a patch is proven before it reaches production.
  • Check your network is as secure as it can be
    Although it is wise to only have ‘open doors’ for the communication methods employed by active systems, securing your network is not about isolating the system from other internal networks – or even from the internet. A well-managed and protected connection to the internet can actually be what saves a site from a cyber threat. It can be used to obtain operating system or antivirus updates, as well as to issue email or SMS alerts warning of impending production system component failure.
  • Isolation is no guarantee of protection
    Isolation of systems should never be a reason for complacency, as many issues arise from local engineering laptops or from operators using USB ports to charge phones. Air gaps do not provide inherent protection, despite being given as a popular reason why a system does not require updating or patching.
  • Use anti-virus software
    Engineering departments continue to be wary of implementing antivirus software within Automation Systems, but this does not need to be the case. All antivirus engines can be configured so that the protected systems continue to function correctly.
  • Back it up
    Finally, as a fail-safe contingency, a well-managed and monitored backup strategy will enable the system to be rebuilt and restored if all goes wrong. A backup that has never been test-restored should not be relied upon.
  • Understand the risks, have a plan and start to implement it!

About Astec

Astec Solutions has been delivering automation and production software solutions into Manufacturing, Utilities and Broadcast sectors for over 17 years. Core capabilities are focused on the provision of Manufacturing Execution Systems, Batch Execution and true Supervisory Control and Data Acquisition (SCADA). The Astec team is passionate about exceeding expectations, combining deep technical knowledge with extensive marketing experience to work with customers throughout their improvement journey.

For further information on how Astec can assist with building your cyber security strategy please contact +44 1543 888134 or email enquiries@astecsolutions.com.