By now the ‘air gapping’ myth should have been expunged from the mind of every ICS/SCADA manager on earth. SCADA networks have been hacked on several known occasions, and those incidents made the need for advanced SCADA security solutions crystal clear. But this weekend we learned that even non-targeted malware can pose a serious risk to our physical plants, when the WannaCry/WannaCryptor ransomware found its way into several automotive manufacturing plants, telecommunication companies, and a metro rail system.
Ransomware leads to factory shutdowns
At least two car manufacturing plants shut down operations over the weekend due to the ransomware attack. The fact that a cyber attack that spreads via the internet was able to bring factory operations to a halt is a startling wake-up call for ICS/SCADA managers. OT teams are very focused on keeping operations up and running smoothly, and therefore security rarely makes it to the top of the priority list for busy OT teams. This latest ransomware serves to remind us all that security is a foundation of operational continuity.
Microsoft products common in ICS environments
The EternalBlue exploit used in this attack is one of the Microsoft exploits leaked in the last year by the Shadow Brokers group. Since Microsoft products are commonly found throughout ICS environments, including HMI stations and Historian database servers, ICS networks are at considerable risk. The difficulty of cataloging and updating all the Microsoft products with the latest security patches means that vulnerabilities abound in OT networks.
3 ways ransomware can damage SCADA networks
If WannaCryptor or one of its variants penetrates an organization with a SCADA network that runs unpatched Windows on its HMIs, it could do the following damage:
- Freeze SCADA configuration and management abilities – HMIs would go into passive mode, losing the ability to implement configuration changes.
- Damage the HMIs' ability to monitor and send commands to the controllers – This wouldn’t actively cause a malfunction, but you would lose the ability to detect machinery or controller malfunctions and therefore be forced to shut down operations until the HMIs are restored.
- Paralyze Historian-dependent operations – Historian database servers are used to store all historical controller data from the SCADA network, and this data is essential to run processes such as oil refineries. If a ransomware infection locks Historian DBs up with encryption, you may be forced offline until the ransom is paid.
Will copycats target ICS/SCADA next?
Even if IT managers and security vendors manage to put an end to the WannaCryptor ransomware rampage soon, the astounding impact of this attack will not go unnoticed, and copycats are likely to emerge. This ransomware could easily be tweaked to penetrate SCADA networks and encrypt resources critical to OT functions, forcing entire factories or plants offline until the ransom is paid. In the case of ransomware targeted specifically at SCADA, we would expect extremely high ransom demands, as the financial impact of halting operations for even one day is astronomical.
Security starts with network visibility
ICS/SCADA managers face a particularly difficult challenge keeping up with security patches and securing protocols, since typical networks are several decades old and include not only IT components but also a wide variety of physical components, each with its own protocols. Therefore, the first step ICS/SCADA managers can take right away is to scan the entire network to produce a complete and detailed network map.
ICS/SCADA Ransomware Response Checklist:
- Patch Windows SMB: install the Security Update for Microsoft Windows SMBv1 Server (4013389)
- Block the SMB ports (139 and 445) at the boundaries that connect IT and OT networks
- Disable SMB ports that are not needed
- Add the SMB ports to firewall block lists
- Back up and shadow-copy critical systems and databases
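As an added example (not part of the original post or of SCADAShield), the following PowerShell script audits a single HMI or Historian host against the checklist above and, with -Remediate, applies the SMB hardening steps. It assumes a Windows 8 / Server 2012 or later host where the SmbShare and NetSecurity cmdlets are available, and that KB4013389 is the applicable MS17-010 package for that OS; the firewall rule name is a constructed placeholder.

```powershell
# Added example, not from the original post: audit one Windows HMI/Historian host
# against the ransomware checklist. Run in an elevated PowerShell session.
# Without -Remediate the script only reports; with it, SMBv1 is disabled and an
# inbound block rule for TCP 139/445 is created.
param([switch]$Remediate)

$findings = @()

# 1. Patch check: is the SMBv1 security update (KB4013389, MS17-010) installed?
#    Caveat: later cumulative updates supersede this KB, so a missing entry on a
#    fully patched host is a false positive; cross-check the OS build as well.
$kb = Get-HotFix -Id 'KB4013389' -ErrorAction SilentlyContinue
if (-not $kb) { $findings += 'KB4013389 (MS17-010) not listed by Get-HotFix' }

# 2. SMBv1 should be disabled on hosts that do not need it (most HMIs do not).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 3. Inbound SMB ports should be blocked unless this host is a file server.
#    'Block inbound SMB (139,445)' is a constructed rule name for this example.
$ruleName = 'Block inbound SMB (139,445)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += 'No firewall rule blocking inbound TCP 139/445'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

# 4. Backups: the Volume Shadow Copy service must not be disabled, since the
#    shadow copies it manages are the quickest local recovery path.
$vss = Get-Service -Name VSS
if ($vss.StartType -eq 'Disabled') { $findings += 'Volume Shadow Copy service is disabled' }

if ($findings.Count -eq 0) { Write-Output 'No findings' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it on a representative HMI before rolling changes out fleet-wide, since blocking 445 on a host that still serves SMB shares to other OT systems will itself interrupt operations.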
Daniel Cohen-Sason is SCADAShield R&D Lead at Cyberbit