How WannaCry managed to infect industrial control systems
- Published: Tuesday, 27 June 2017 08:53
The Kaspersky Lab ICS Computer Emergency Response Team (CERT) has published a paper on how the global WannaCry ransomware attacks of 12 to 15 May, 2017 were able to successfully infect a number of ICS computers.
The experts hope that by sharing a checklist of the kind of oversights and errors that leave systems vulnerable to such incidents they will help businesses to mitigate future risk.
The WannaCry crypto-worm relied on the Internet for global distribution. Exploiting a Windows vulnerability, it would spread rapidly through internal networks, taking advantage of open connections and poor security.
In principle, it should be impossible for WannaCry to infect an industrial network via the Internet, both because of closed networks and because of strict firewalls and protocols. According to Kaspersky Lab researchers, scenarios that would facilitate a successful ICS infection include the following:
- Computers connected to several different subnets at the same time. For example, if the work-station of an industrial automation system engineer/administrator is connected both to the corporate network and the industrial network – creating an open door for malware to pass from one network to another.
- VPN networks connecting into the ICS. If the security and connections are not properly configured, VPNs can also act as a bridge for the infection. For example, if a contractor’s infected computer is also connected to the remote industrial network via VPN.
- Mobile devices connected to the ICS, such as smartphones and USB modems, can also transmit the infection if they have been mistakenly configured with a public IP address.
To protect against Internet-borne threats as well as other attacks, the Kaspersky Lab ICS CERT team recommends the following:
- Close vulnerable network services and restrict Internet connections on all computers connected to the ICS network and on the network perimeter; install the latest software patches.
- Ensure centralized, secure management of all automated systems, and monitor all data traffic between the ICS and other networks.
- Restrict access between systems that are part of different networks or which have different trust levels: isolating those that communicate with external networks. Eliminate any network connections that are not required for industrial processes.
- Further, bearing in mind that the threat landscape for industrial automation systems is continually changing, Kaspersky Lab recommends undertaking a deep audit and inventory of the ICS network, ensuring that all security detection, policies and practices are enabled and up to date.
For further information and advice on this threat and recommended security measures, read the report here.