Many OT Networks are Susceptible to Threats Like WannaCry
The WannaCry ransomware attack impacted more than 10,000 organizations in 150 countries, including manufacturing and industrial organizations like Nissan, Renault and Dacia, Spanish Telefónica and Deutsche Bahn. It’s likely that a fair number of industrial organizations have been impacted but haven’t reported the incidents, because regulations do not require them to do so.
While WannaCry did not directly target industrial control systems, cyber security researchers have demonstrated that ransomware can be designed to compromise industrial controllers used to operate industrial facilities such as manufacturing plants, water and power utilities and critical infrastructures. Let’s consider what the industry sector can learn from this attack when it comes to protecting its operational systems from cyber threats.
Air Gap has been Erased by Connectivity
Today, most OT networks are susceptible to threats like WannaCry because these networks are increasingly exposed to the internet and the external world. Trends like IIoT, Industrie 4.0 and connected industry are driving this connectivity. Although it provides many benefits, like enabling better predictive analysis, improving supply chain logistics and increasing the efficiency of manufacturing processes, this connectivity also exposes these environments to cyber threats.
Patching Industrial Systems is Hard
One of the problems that industrial organizations face in preventing ransomware infections is patching their Windows-based endpoints. While patching Windows-based machines is a standard best practice in IT networks, in OT environments this isn’t always possible.
For example, some OT vendors do not recommend patching servers, HMIs and engineering stations before rigorous tests are performed, since applying untested patches may render the operational system or software unstable or unavailable. This can make a bad situation worse. As a result, industrial organizations might not be able to patch systems in a timely manner and therefore remain exposed.
The situation is even worse for operational technologies like PLCs, RTUs and DCS controllers. These purpose-built computers execute code and control logic to manage and ensure the safety of industrial processes. Not only are these critical assets vulnerable and lacking basic security controls, they are also very difficult to patch. As a result, it is much harder to protect industrial environments against these types of threats.
In addition, many industrial environments operate continuous processes that can’t be stopped. Oil and gas companies, for example, can’t take a pipeline or turbines offline in order to patch supporting systems. Concerns around operational safety and stability can also hinder patching in these environments.
What Can be Done to Protect ICS
The first thing industrial organizations should do is patch all the computers that can be patched. This is a standard best practice in all environments. However, as explained, in OT environments it isn’t always possible. Therefore, organizations should take a hard look at systems that can’t be patched and consider other ways to protect them.
Defense in depth, which requires multiple layers of security, is the best approach for protecting any company: starting with perimeter defenses and network defenses, right down to protecting each and every critical asset. The problem in OT environments is that for decades organizations haven’t deployed defense layers beyond the perimeter. We can no longer ignore the fact that threats can find a way into these networks and that critical assets like PLCs, RTUs and DCSs must be protected.
WannaCry is the latest example of what happens when a global cyber attack occurs. These incidents often create a sense of urgency around industrial cyber threats and their fallout. Justifiably so. If WannaCry had targeted industrial controllers, it would have been much more difficult to protect them and the damage would have been much more widespread.