I received a few interesting comments on my Saturday post on the Wannacry worm, which I would like to share with you.
First, an auditor wrote me regarding the Public Service Announcement from Lew Folkerth of RF, that I included in this post. That announcement pointed out that there is now a patch for Windows XP, Vista and Server 2003. If you have Medium or High impact BES Cyber Systems and have BCS or PCAs running one of those OS’s, you are now on notice that a security patch is available for them (for the first time since support was discontinued, I believe). You’re required to install that patch per the schedule in CIP-007 R2. But you should really install it ASAP, not wait 35 days. This isn’t required by CIP, but it should be required by common sense, and reading the news reports.
However, the auditor also wants me to point out that NERC entities that have any systems with one of the three discontinued OS’s running on their OT networks – say, systems in Distribution substations or perhaps Low impact generating stations – should also quickly patch them. For one thing, you shouldn’t want Distribution outages any more than you want Transmission ones (even though the latter are the only kind that might involve CIP violations). But for another, even if your only concern were Transmission assets and you in theory have these wonderfully isolated from the Distribution and corporate networks, if for some reason you’re wrong and there is a connection you didn’t know about between your Distribution and Transmission networks, a Wannacry infection on the former could lead to real disaster (both for your utility and your NERC peers) on the latter.
This observation does point out to me an implication for the Big Picture in NERC CIP. And since I’m a Big Picture sort of guy, I’d like to elaborate on that. However, I’ll spare you this elaboration until my next post.
Second, a security manager for the High impact Control Centers of a large utility pointed out an interesting caveat regarding the section of the post entitled “Not a Public Service Announcement, but still Interesting”. This referred to the fact that there is a “kill switch” embedded in the code for the worm, which requires it to look for a certain domain name on the web; if it finds something at that domain, it de-activates itself. An unknown cyber security researcher found this domain name wasn’t registered, registered it, and linked it to some existing system. That act killed the worm and probably prevented a lot of further damage, especially in the US.
The security manager pointed out that at his Control Centers he has disabled DNS recursion and forwarding (I would imagine he’s not alone, when it comes to Control Centers with High or Medium BCS). Of course, this is normally a very good thing, since if a machine at the Control Center becomes infected with almost any other malware and starts trying to phone home to a command and control server, it won’t be able to get through.
However, this does mean that, assuming he doesn't take any other precautions, if any of his machines within the Control Center do get infected with Wannacry, this security measure would in theory end up enabling the worm to run. The worm would try to locate the domain name in question, but of course it would receive a message saying it can’t be found. But that means the kill switch would be ineffective, and the worm would proceed on its merry way to try to infect all of the machines in the Control Center. Of course, that won’t happen since the machines are fully patched against Wannacry, and he has beefed up his antivirus DAT files to be sure to catch Wannacry if somehow it does get into the ESP. But it does show how you have to think these things through.
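The caveat above is really a statement about a check that fails open: the worm stops only when the lookup succeeds, so any DNS policy that makes the lookup fail (refused recursion, no forwarding, NXDOMAIN) leaves the worm running. The following is an added example, not code from the post or from the security manager described in it; it models that decision with three resolver configurations and shows one of the “other precautions” a Control Center could take, namely serving an internal record for the kill-switch name so the check succeeds without any recursion to the internet. The domain name and IP addresses are placeholders (the real kill-switch domain is not given here), and the internal-record approach is an illustration, not something the post says the manager did.

```python
"""Model of the fail-open kill-switch behaviour described in the post.

Added example, not code from the blog post. The domain name and IP addresses
are placeholders (RFC 5737 documentation ranges), not the real kill-switch domain.
"""
from typing import Callable, Dict, Optional

# Placeholder standing in for the worm's kill-switch domain (assumption, not the real one).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# A resolver returns an address for a name, or None if the name has no record.
Resolver = Callable[[str], Optional[str]]


class ResolutionFailed(Exception):
    """Raised when a lookup cannot complete at all: REFUSED (no recursion), timeout, etc."""


def kill_switch_engaged(lookup: Resolver) -> bool:
    """The check as the post describes it: look up the domain; if something is
    found there, stop. Any failure counts as 'nothing found', so the check fails
    open: a DNS policy that blocks the lookup makes the worm proceed, not stop."""
    try:
        return lookup(KILL_SWITCH_DOMAIN) is not None
    except ResolutionFailed:
        return False


def worm_proceeds(lookup: Resolver) -> bool:
    """True when the kill switch does not engage under this DNS configuration."""
    return not kill_switch_engaged(lookup)


# --- three resolver configurations, constructed for this example ---

def internet_resolver(name: str) -> Optional[str]:
    """Recursive resolver with internet DNS, after the researcher registered the
    domain: the name resolves, so the check succeeds and the worm stops."""
    registered = {KILL_SWITCH_DOMAIN: "203.0.113.10"}  # constructed record
    return registered.get(name)


def no_recursion_resolver(name: str) -> Optional[str]:
    """Control Center DNS with recursion and forwarding disabled: every query
    for an external name is refused, including the kill-switch lookup."""
    raise ResolutionFailed(f"REFUSED: recursion not available for {name}")


def make_overriding_resolver(local_zone: Dict[str, str]) -> Resolver:
    """Same locked-down server, but carrying an internal authoritative record for
    the kill-switch name that points at an internal sinkhole host. External names
    are still refused; this one name answers locally, so the check succeeds."""
    def lookup(name: str) -> Optional[str]:
        if name in local_zone:
            return local_zone[name]
        raise ResolutionFailed(f"REFUSED: recursion not available for {name}")
    return lookup


def outcomes() -> Dict[str, bool]:
    """Whether the worm would proceed under each of the three configurations."""
    overridden = make_overriding_resolver({KILL_SWITCH_DOMAIN: "192.0.2.1"})
    return {
        "internet_dns": worm_proceeds(internet_resolver),
        "no_recursion": worm_proceeds(no_recursion_resolver),
        "no_recursion_with_local_record": worm_proceeds(overridden),
    }


if __name__ == "__main__":
    for config, proceeds in outcomes().items():
        print(f"{config:32s} worm proceeds: {proceeds}")
```

The model collapses “finds something at that domain” into a single lookup step; in practice the worm also had to reach a host at that name, so an internal record only helps if the sinkhole address it points at actually answers. The broader lesson is the one the post draws: when you evaluate a network control such as disabling recursion, ask for each piece of malware whether its checks fail open or fail closed under that control, because the same policy that starves one sample’s command and control can switch off another sample’s self-limiting behaviour.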
Finally, this is a comment I received from myself, regarding the final section of the post titled “Also not a Public Service Announcement, but also still Interesting”. This regarded the nation-state whose security services are suspected of being behind the Shadow Brokers, the group that stole hacking tools from the NSA and dumped them online. That same nation-state was (by far) the biggest victim of Wannacry (at least as of Saturday). I want to point out that the Good Book, which isn’t normally my number one source of information on cyber security issues, has this one nailed: “…whatsoever a man soweth, that shall he also reap.”
However, that quotation also needs to be applied to another large country that was severely impacted but with a one day delay – the biggest impact in that country was today, Monday. The country has a lot of pirated Windows software that of course isn’t receiving regular patches. As a result of that lack of patching, systems across that country booted up today and found their files had been encrypted.
But before I get on a high horse and start being smug about other countries bringing their troubles on themselves, I do want to point out that the Original Sin in all of this is the fact that a serious software vulnerability was discovered by a government agency in the US, but not reported to the vendor. If it had been reported, it could have been patched before the bad guys also discovered it. Instead, the agency used the vulnerability as the basis for a potent cyber weapon. Sounds like a great idea at first glance, but that assumes knowledge of the vulnerability will never leave your control. Unfortunately, that’s exactly what happened here.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.