May 18, 2017

WannaCry ransom note (image credit: Wikipedia)

 

By Chris Hamilton, MESA Cybersecurity Working Group Co-Chair

Many of you have heard about WannaCry, or WannaCrypt (Ransom:Win32/WannaCrypt) initially publicized by the DHS last Friday May 12^th. This worm is estimated to have affected over 150 countries and 200,000+ assets in its short run to date.  It also has prompted Microsoft to release the first patch for Windows XP since end-of-extended-support (unprecedented) in attempts to curb the rampant spread of infection. The kill switch inadvertently discovered is only temporary as multiple iterations are expected, a la Conficker.

Due to the increasingly global and connected nature of today’s industrial systems it is imperative that everyone strives to be a good cyber-citizen! Do your part!

For Systems Integrators and those in Manufacturing and Critical Industry sectors, the biggest risk is generally not our base laptops – or surfing the web (although this is frequently the entry point), but un-patched and unsupported production systems and our development VMs scattered across various storage devices.  Worms that spread through an automated process are particularly dangerous to our way of business due to the following factors:

• Manufacturing systems are rarely patched, potentially leaving every Server 2008 R2 and Windows 7/8 system vulnerable to this exploit!
• Industrial systems frequently run out-of-support OSs like Windows XP, Server 2003 and even Server 2000.
• VMs on external drives are notoriously difficult to monitor and less patched over our IT managed systems
• Specifically for WannaCry – client ICS networks without internet access will never receive the hardcoded kill switch. Once released WannaCry would spread unencumbered.

Being a good cyber-citizen starts with ensuring your VMs are patched to avoid infection – or worse – spreading any malware across other networks. Additionally it requires your company to have a critical update patching process to evaluate risk and successfully re-mediate vulnerable systems. The “It’s on fire” reactive approach to patching introduces drastically more risk and cost to your environment over having a planned and scheduled approach integrated with your business process.

What to know:

• All: Work with your colleagues and partners to convey the immediate risk of ransomware today and work with them mitigate risks through project or support efforts to develop and ensure patching becomes a focus of your business.
• Plant Engineers and SIs: If you have a vulnerable VM in your possession please patch it immediately! (Snapshot it first and delete after verification)

Please feel free to reach out to Grantek if there are questions around downtime, roll-back process, risk/reward or other items with patching ICS workloads.  We’re here to help you and your clients feel comfortable with protecting legacy systems and not incurring unplanned downtime in the process.

Vulnerable Systems:

• Windows 2000 Server (There is no planned patch for this operating system. Fast track these systems for lifecycle in the immediate term)
• Windows XP (unprecedented patch release by Microsoft)
• Windows Server 2003
• Windows 7
• Window Server 2008
• Windows 8

What to do:

Apply patches through Windows Update, or download Windows English language security updates:

Windows XP SP2 x64,
Windows XP SP3 x86,
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 x86,
Windows 8 x64,
Windows Server 2003 SP2 x64,
Windows Server 2003 SP2 x86,
Windows Server 2008 for 32-bit Systems Service Pack 2,
Windows Server 2008 for x64-based Systems Service Pack 2

Important links:

• US-CERT Alert: TA17-132A
• Microsoft KBs: MS17-010 Security Bulletin
• Microsoft Updates: MS17-010, MS17-006
• Rockwell Automation Knowledgebase Article: 546987
• Rockwell Software Compatibility: MS Patch Qualification Lookup

 

About the Author

Chris Hamilton
Director, Industrial IT/OT and Cyber Security
Grantek Systems Integration

Chris started his professional career in web design, databases, and server management with a focus in security at every level, but grew up around process flow and P&IDs in Biochemical Pharmaceuticals.  In his roles at Grantek he has worked as a controls engineer, a systems engineer and an IT/OT consultant to bridge the gap between IT and Controls teams in order to help clients realize more efficient operations, leverage or implement standardized systems and most importantly understand the line between IT and OT and how it can and will shift with emerging technology and industry changes.  He specifically focuses on the OT side today providing network assessments and road mapping a migration plan for a client’s legacy or inefficient hardware as part of a client provided, or jointly developed OSA (Manufacturing Operations Systems Architecture).