Yesterday’s events were a real eye-opener to me. And I think they should be an eye-opener for anybody involved in critical infrastructure security. Here are some initial thoughts:
- This was an infrastructure event, not just a bunch of individual computers that fell prey to ransomware. Sure, reports say up to a billion dollars may need to be paid in ransom, but that isn’t what’s significant, IMHO. What is significant is the fact that at least one critical infrastructure, that of the National Health Service in the UK, was severely impacted[i]. If nobody lost their life because of this, it will be a miracle. But there were certainly a lot of people whose health will suffer in various ways due to their lack of access to care yesterday.
- As far as I know, all ransomware until yesterday has infected only individual machines (some were servers, of course, which impacts many users). And in all cases, what was affected was data. It was of course painful to pay the ransom, but that restored the data (in most cases), and there were few if any further direct effects. Even a successful ransomware attack on a US electric utility last year didn’t have any impact on operations.
- Compare this to yesterday’s events in the UK, in which surgeries and regular doctors’ appointments had to be cancelled, people were turned away from the ER, patient records and test results couldn’t be accessed, etc. Even though it wasn’t intended as such, this turned out to be an attack on the UK health care infrastructure. This is all due to the fact that WannaCry (and there have been some variants appearing as I write this) is a worm[ii], and a very fast-spreading one at that[iii].
- Now suppose that other critical infrastructure in the UK, such as the power grid, water systems, traffic systems, etc. had also been successfully attacked by WannaCry. If a lot of people had been sickened by impure water, or had traffic accidents when the stoplights in London suddenly went out, where would they have gone for treatment? And with the lights out and the Underground shut down, how would they have gotten there anyway?
So I’d say there are at least two major lessons from this, for the critical infrastructure community. First, an infrastructure attack doesn’t have to be deliberately caused – it can be a side effect of an attack with another purpose. Specifically, a worm-based ransomware attack can have a huge CI impact, even though it was never intended to do this.
Second, the need for coordination among critical infrastructures – both locally and nationally – is greater than ever. In fact, I’m beginning to think that it’s now becoming an unaffordable anachronism to have separate cyber regulatory structures for the Bulk Electric System, electric power distribution, natural gas pipelines, natural gas distribution, water treatment, health services[iv], etc. Maybe there should be a single organization – perhaps under DHS – that regulates cyber security of all critical infrastructures.
Public Service Announcement
Lew Folkerth of RF emailed me this afternoon to ask me to point out that there is now a security patch for Windows XP, Vista and Server 2003 (Microsoft released the patch yesterday). As Lew points out (and this applies to all NERC regions, not just RF), “This means there IS a patch source for those systems, and entities need to identify the source, assess the patch for applicability, and install the patch (or create/update a mitigation plan[v]).” Of course, this only applies to High or Medium impact systems running this software.
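The step Lew describes (identify the patch source, assess applicability, then install or document a mitigation) is easy to lose track of across a fleet of legacy hosts. As an added example, not code from the post or from RF, here is a PowerShell inventory script run from an administrative workstation; it assumes that KB4012598 is the out-of-band update Microsoft released for XP, Vista and Server 2003 (confirm the exact KB for each OS against the Microsoft advisory), that the hosts are reachable over WMI and remote registry with admin rights, and that the host names are constructed placeholders.

```powershell
# Added example: assess MS17-010 applicability across legacy Windows hosts.
# Assumption: KB4012598 is the relevant update for XP / Vista / Server 2003.
# $Hosts holds constructed placeholder names; replace with your asset list.
$Hosts = @('xp-hmi-01', 'w2k3-hist-01')
$Kb    = 'KB4012598'

foreach ($h in $Hosts) {
    $row = [ordered]@{ Host = $h; OS = ''; Patched = $false; SMB1 = 'unknown'; Note = '' }
    try {
        # OS caption tells us whether this host is in scope for the legacy patch at all.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $row.OS = $os.Caption

        # Installed updates are exposed through Win32_QuickFixEngineering on XP and later.
        $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $h -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq $Kb }
        $row.Patched = [bool]$fix

        # SMBv1 server state: the SMB1 DWORD under LanmanServer\Parameters is honoured on
        # Vista / Server 2008 and later; XP and 2003 cannot disable SMBv1 this way, so an
        # absent value is treated as 'enabled' (the default) on every platform.
        $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $h)
        $key = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
        $v   = if ($key) { $key.GetValue('SMB1', 1) } else { 1 }
        $row.SMB1 = if ($v -eq 0) { 'disabled' } else { 'enabled' }

        # Unpatched host with SMBv1 listening is exactly the exposure the worm used.
        if (-not $row.Patched -and $row.SMB1 -eq 'enabled') {
            $row.Note = 'ACTION: install patch or create/update mitigation plan'
        }
    } catch {
        # Unreachable hosts still need an entry; an empty inventory row is a finding too.
        $row.Note = "unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
```

Pipe the output to Export-Csv to keep a dated record of the assessment alongside the mitigation plan.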
Not a Public Service Announcement, but still Interesting
You’ll notice the Binary Defense link I just provided thanks “MalwareTechBlog” for initiating the kill switch that shut the worm off. It points out that this move undoubtedly saved lives. I think the idea is that by shutting the malware off early (US time) on Friday morning, this move greatly inhibited its spreading here, since most workers weren’t in their offices yet and able to open the phishing emails that spread the worm.
But it turns out that the unnamed person behind MalwareTechBlog didn’t actually know he was killing it – you can read the story here. Of course, he still deserves lots of accolades (if he were willing to come forward) and perhaps a Presidential Medal of Freedom. But it just proves an adage I’ve repeated since I was a boy (20 years ago): “Rational planning is good, but in the end there’s no substitute for dumb luck.”
Also not a Public Service Announcement, but also still Interesting
The exploit that made WannaCry so effective was one that had been stolen from the NSA and dumped online by the Shadow Brokers group; this group has been linked to a certain country’s intelligence services. And guess which country – as of today, anyway – is listed as the number one victim of WannaCry? Hmmm…
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] Other infrastructure events included factories that had to be shut down, and multiple government bodies in Russia that had to curtail operations.
[ii] More specifically, it is delivered on a “worm delivery system” built on the EternalBlue exploit.
[iii] Although the all-time champ for speed of spreading has to be 2003’s SQL Slammer, which infected its 75,000 victims worldwide within ten minutes. In fact, I read somewhere that this figure was something like 85% of the potential victims (MS SQL systems that hadn’t received a recent patch) worldwide. Talk about efficiency!
[iv] When I speak about health services, I’m not talking about patient data privacy. Cyber regulations like HIPAA in the US are already addressing that. What they aren’t addressing now is the infrastructure required to keep the health system running smoothly. Of course, individual hospitals, doctors’ offices, ambulance services, etc. have a lot of incentive to protect the systems required for their individual operations. But I don’t believe there’s any organization – like NERC for electric power – that is specifically charged with regulating cyber security for the purpose of maintaining reliability of the health care system.