By Chris Gebhardt
With industrial equipment becoming more sophisticated in an integrated operational environment, the potential for a CyberSecurity incident increases. The recent WannaCry Ransomware threat resulted in emergency services and hospitals re-routing patients because equipment was non-functional. How long could you sustain suspended operations while a cyber cleanup was in progress?
Ransomware is a form of software that is surreptitiously installed on computers and electronic systems with the purpose to encrypt contents until the owner pays a bounty for the decryption tool. Recent variants like WannaCry also incorporate a spreading agent called a worm wherein network attached systems can be infected without any user involvement. Often, the spread and activation of Ransomware is affected by out-of-date operating systems with known vulnerabilities.
Your exposure to Ransomware is larger than you may perceive. It is easy for technology staff to locate laptops, desktops, and servers. These are normal assets in the technology domain. However, more and more pieces of industrial equipment are using controllers that include technology components. Some may be micro-computers like Windows-on-a-Stick, a small USB/HDMI device no bigger than a cellphone. Others include hardened mini-desktops slightly larger than a paperback book. These systems often fall outside the purview of technology staff yet they can be infected just like their larger and standard cousins.
Some equipment may have what is called embedded operating systems; an operating system like Microsoft Windows that is included directly into the equipment without a computer per se. Vendors will split components of a traditional computer inside their equipment but still use a traditional operating system. Again, these systems are just as susceptible to infection when connected to a company local area network.
When activated, Ransomware does not distinguish between desktop, laptop, miniature, or embedded systems. It infects those systems that are susceptible. For industrial equipment, the results could be devastating resulting in long periods of outage. An organization may need to wait on a vendor representative or new software to return the piece to operational status.
Preventative measures are the best insurance to avoid a Ransomware outbreak. Numerous software vendors provide no-cost protection against Ransomware. While the software itself is free, the staff time implementing it is not. Yet, the cost in downtime and maintenance to fight an outbreak will far exceed the invested staff time.
Another preventative measure includes isolating network connections and resources. Network segmentation including virtual and physical barriers will stop the spread of the outbreak and reduce potential targets.
Mitigating an outbreak of Ransomware in your environment can range from the simple to the highly complex. Backups of all data and systems are paramount to the success of restoring operations. Absent backups, the complexity increases dramatically. Paying the bounty or ransom is not always the best choice as organizations globally have had mixed results in receiving decryption directions. It is best to consult a CyberSecurity third party with expertise in Ransomware infections.
VCI has a CyberSecurity Management and Assessment practice to evaluate your threat and vulnerability landscape. We help you assess your strengths and weaknesses while delivering a plan for efficient and safe implementations of security assets and policies.