A Department of Homeland Security official told Reuters earlier this week that some U.S. critical infrastructure operators have been affected by the recent WannaCry ransomware campaign.
The official didn’t provide any further information, except to say that there have been no victims of the cyber attack within the U.S. federal government.
Dragos CEO Robert M. Lee told Forbes that his company is “aware of infections that occurred in the industrial control system community and had impact,” including small utilities and manufacturing sites in the United States — though he said “no one’s been hurt and no safety was at risk.”
The news should put all companies that rely on industrial control systems (ICS) on high alert, PAS Global CEO Eddie Habibi told eSecurity Planet by email, because the choices available to protect the systems within an industrial process facility are much more limited than those in corporate IT.
“In a corporate IT network, cyber security professionals have the option of isolating traffic or entire systems if they are compromised,” Habibi said. “Personnel can also apply patches in real time with confidence that patching will not impact system performance.”
A Challenge for ICS
But in an industrial process facility, it’s rarely possible to isolate traffic or systems. “Those systems may have primary responsibility for controlling volatile processes or ensuring worker and environmental safety,” Habibi said. “System uptime is paramount.”
“Real-time patches are also no-nos within a facility’s network,” Habibi added. “First, any Microsoft patch must have ICS vendor approval before application. Even with approval, patching typically occurs during maintenance windows and turnarounds when systems are offline — something that may occur only once or twice per year.”
And patches may never get applied if there’s a potential for process disruption. “In these cases, asset owners may place additional security controls in front of the unpatched system to mitigate risk,” Habibi said. “This assumes that there is a closed-loop, enterprise-wide patch management process in place that can evaluate the steps required to mitigate risk; many companies are missing this capability.”
So while it’s great that Microsoft has issued patches for older operating systems in response to WannaCry, Habibi said that may not be enough for critical infrastructure operators, which have limited ability to apply those patches.
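What “additional security controls in front of the unpatched system” can look like in practice, as an added example that is not from the article or from any vendor quoted in it: WannaCry’s worm component spreads over SMBv1 to TCP 445 (the flaw Microsoft fixed in MS17-010), so on a Windows host that cannot take the patch until the next turnaround the usual compensating controls are to disable the SMBv1 server and confine inbound 445 to the hosts that actually need it. The script audits first and changes nothing unless run with -Apply inside a maintenance window. The 192.168.50.0/24 subnet and the rule name are placeholder assumptions, the KB number is supplied by the operator from the bulletin for their OS build, and the SmbShare/NetSecurity cmdlets assume Windows 8 / Server 2012 or later.

```powershell
<#
  Added example, not code from the article or from any vendor quoted in it.
  Audit-then-mitigate script for an unpatched Windows host on a plant network.
  Assumed values: the 192.168.50.0/24 subnet and the firewall rule name are
  placeholders; the host runs Windows 8 / Server 2012 or later. Nothing here
  is ICS-vendor approved: stage it on a test system before a turnaround.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # KB number of the MS17-010 update for this OS build, taken from the bulletin
    [Parameter(Mandatory = $true)] [string] $Ms17010Kb,
    # Peers that legitimately speak SMB to this host (assumed example subnet)
    [string[]] $AllowedSmbPeers = @('192.168.50.0/24'),
    # Without -Apply the script only reports; changes belong in a maintenance window
    [switch] $Apply
)

# --- Audit: patch state, SMBv1 state, and built-in rules that open 445 -------
$patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)
$smb1    = (Get-SmbServerConfiguration).EnableSMB1Protocol
$smbIn   = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
           Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

"{0}: MS17-010 ({1}) installed   = {2}" -f $env:COMPUTERNAME, $Ms17010Kb, $patched
"{0}: SMBv1 server enabled        = {1}" -f $env:COMPUTERNAME, $smb1
"{0}: enabled inbound SMB rules   = {1}" -f $env:COMPUTERNAME, $smbIn.Count

# A patched host needs no compensating control; an audit-only run stops here.
if ($patched -or -not $Apply) { return }

# --- Mitigate: only for an unpatched host, only with -Apply --------------------
# Disabling SMBv1 can break old HMI or historian software, so it goes through
# ShouldProcess and still honours -WhatIf / -Confirm.
if ($smb1 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restrict inbound TCP 445')) {
    # Windows Firewall applies block rules before allow rules, so a blanket
    # block on 445 would also cut off the allowed subnet. Instead: make sure the
    # profile default is Block, disable the built-in rules that open 445 to the
    # local subnet, and add one allow rule scoped to the peers that need it.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    $smbIn | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'SMB-In from engineering subnet only' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $AllowedSmbPeers -Action Allow -Profile Any
}
```

Run it as `.\Smb445-Compensate.ps1 -Ms17010Kb KB... ` with no switch during normal operation to get a one-line state report per host, and with `-Apply -WhatIf` first when the window opens. The caveat matches Habibi’s point: on the genuinely legacy Windows versions that Microsoft patched out of band, these cmdlets do not exist, and the same 445 restriction has to be enforced on the network device in front of the host rather than on the host itself.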
“As we watch WannaCry continue to proliferate and see new variants spring up, the risk to industrial process facilities remains high,” he said.
Langner founder and CEO Ralph Langner told Forbes that a competent attacker could hit industrial targets and force a product halt. “We haven’t seen that on a large scale yet, but I predict it’s coming, with ransom demands in the six and seven digits,” he said.
Separately, an unidentified source in the healthcare industry provided Forbes with an image of a Bayer Medrad radiology device in a U.S. hospital infected with WannaCry ransomware.
A Bayer spokesperson told Forbes that it had received two reports of customers in the U.S. with devices hit by the malware. “Operations at both sites were restored within 24 hours,” the spokesperson said. “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.”
The company said it will be deploying a patch for its Windows-based devices “soon.”
According to the HITRUST Alliance, medical devices from Siemens and other unnamed manufacturers have also been infected. “HITRUST is reaching out to healthcare organizations and trade associations to provide information to detect, prevent and remediate the threat and associated malware,” the organization stated.
“Select Siemens Healthineers products may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware,” Siemens stated in a security bulletin [PDF]. “The exploitability of any such vulnerability depends on the actual configuration and deployment environment of each product.”