
How WannaCry managed to infect industrial control systems

The Kaspersky Lab ICS Computer Emergency Response Team (CERT) has published a paper on how the global WannaCry ransomware attacks of 12 to 15 May, 2017 were able to successfully infect a number of ICS computers.

The experts hope that by sharing a checklist of the kind of oversights and errors that leave systems vulnerable to such incidents they will help businesses to mitigate future risk.

The WannaCry crypto-worm relied on the Internet for global distribution. Exploiting a Windows vulnerability, it would spread rapidly through internal networks, taking advantage of open connections and poor security.

In principle, it should be impossible for WannaCry to infect an industrial network via the Internet, both because of closed networks and because of strict firewalls and protocols. According to Kaspersky Lab researchers, scenarios that would facilitate a successful ICS infection include the following:

  • Computers connected to several different subnets at the same time. For example, if the workstation of an industrial automation system engineer/administrator is connected both to the corporate network and the industrial network, this creates an open door for malware to pass from one network to the other.
  • VPN networks connecting into the ICS. If the security and connections are not properly configured, VPNs can also act as a bridge for the infection, for example if a contractor’s infected computer is also connected to the remote industrial network via VPN.
  • Mobile devices connected to the ICS, such as smartphones and USB modems, can also transmit the infection if they have been mistakenly configured with a public IP address.

To protect against Internet-borne threats as well as other attacks, the Kaspersky Lab ICS CERT team recommends the following:

  • Close vulnerable network services and restrict Internet connections on all computers connected to the ICS network and on the network perimeter; install the latest software patches.
  • Ensure centralized, secure management of all automated systems, and monitor all data traffic between the ICS and other networks.
  • Restrict access between systems that are part of different networks or which have different trust levels, isolating those that communicate with external networks. Eliminate any network connections that are not required for industrial processes.
  • Further, bearing in mind that the threat landscape for industrial automation systems is continually changing, Kaspersky Lab recommends undertaking a deep audit and inventory of the ICS network, ensuring that all security detection, policies and practices are enabled and up to date.
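As an added example (not code from the Kaspersky Lab report or from Continuity Central), the following Python check runs over a constructed host inventory and flags the three bridging scenarios listed above: dual-homed workstations, remote machines holding an ICS VPN address, and interfaces carrying a public IP. The zone prefixes, hostnames and addresses are assumptions made for the example.

```python
import ipaddress

# Constructed zone definitions: an assumption about the site's addressing plan.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "industrial": [ipaddress.ip_network("192.168.100.0/24"),   # plant LAN
                   ipaddress.ip_network("10.20.0.0/16")],      # VPN pool that lands inside the ICS
}

# RFC 1918 ranges checked explicitly, so that TEST-NET sample addresses count as public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip_str):
    """Map one interface address to a zone: a named zone, 'other_private', or 'public'."""
    ip = ipaddress.ip_address(ip_str)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "other_private" if any(ip in net for net in RFC1918) else "public"

def audit(inventory):
    """Flag hosts whose interfaces span the ICS and another network, or carry a public address.

    inventory: {hostname: [interface addresses]}. Returns {hostname: [findings]} for flagged hosts.
    """
    findings = {}
    for host, addrs in inventory.items():
        zones = {classify(a) for a in addrs}
        notes = []
        others = sorted(zones - {"industrial"})
        if "industrial" in zones and others:
            notes.append("bridges industrial network with: " + ", ".join(others))
        if "public" in zones:
            notes.append("interface has a public IP address")
        if notes:
            findings[host] = notes
    return findings

# Constructed inventory illustrating the three scenarios from the report.
SAMPLE_INVENTORY = {
    "eng-workstation-01": ["10.10.5.23", "192.168.100.12"],    # corporate LAN + plant LAN
    "hmi-line-2":         ["192.168.100.40"],                  # plant LAN only
    "contractor-laptop":  ["172.16.3.9", "10.20.0.77"],        # contractor's own LAN + ICS VPN address
    "usb-modem-eng":      ["203.0.113.45", "192.168.100.51"],  # public modem address + plant LAN
    "corp-mail":          ["10.10.1.1"],                       # corporate only
}

if __name__ == "__main__":
    for host, notes in audit(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(notes))
```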

For further information and advice on this threat and recommended security measures, read the report here.
