Now that the servers and client equipment are back up and running, the control, display and batching systems are back to normal and the plants are producing items again, it’s time to reflect on what happened recently.

I remember very well how the problem started. Web headlines were filled with phrases such as: “Rammsomware, manufacturing companies’ systems are down, production has stopped! Of course, I’ve had better awakenings in the summer.

The culprit was a malware program called Nyetya or NotPetya. At first it was thought to be ramsomware, but NotPetya turned out to be a wiper virus with worm-like propagation methods. We’ll call it WiperWorm from now on.

The teams that had a strategy carefully decided what actions to take and set them in motion with an objective. Typically, effective responses to attacks of this type include some of the procedures mentioned in the Computer Security Incident Handling Guide, National Institute of Standards and Technology Special Publication 800-61.

First, assessing the extent of the impact and analyzing what was causing the problem allowed those computers to contain the threat. In many cases, however, this was not possible.

In some companies, the WiperWorm NotPetya reached almost all Windows computers connected to the industrial control system network. However, with little prospect of recovery of the infected systems, the next logical step was to try to restore the systems from the backups. In the absence of such copies, all systems in production had to be rebuilt from the outset, a very costly situation, both in monetary terms and in terms of the time needed to achieve it.

Those fortunate enough to have backups were hoping to recover their systems, even if they had to make sure to do so on an isolated network to avoid re-infection.

In this respect, the rapid response of the best cybersecurity engineers and researchers provided the keys to avoid it:

  • Apply the patch for the MS17-010 vulnerability that prevented EternalBlue and EternalRomance exploits from compromising the system.
  • Disable wmic.
  • Implement a fix in the Registry to disable all sharing such as C$ and ADMIN$ thus eliminating one of the propagation vectors.

n order to recover the systems, some companies had to face the difficulty that some of the WiperWorm propagation methods were also needed in key functions of the applications in production, so they could not always deactivate or restrict them.

Lesson learned? The most effective preventive measure against a WiperWorm is to follow recognized security practices: “the basic measures”, if you prefer. There are countless articles on the subject, but the key points are:

  • Reinforcing systems before bringing them into production
  • Run programs from user accounts with restricted rights whenever possible
  • Install patches on systems and invest in a good antivirus or client security solution

Our technical support services can help you implement these recognized safety practices in an industrial control system environment.

Validated subscription to Windows patches

These types of subscriptions can provide you with the latest Windows validated patches for your industrial environment. For example, at Rockwell Automation, we validate our patches in robust test environments to minimize the risk of application impact. Patches are available by connecting your Windows Server Update Services (WSUS) server to our managed, cloud-based WSUS.

When patches are available on your WSUS, you can plan when to apply them to your systems. If you need it, our Security and Network Services can help you develop or modify your own procedures and policies for this industrial patch application.

Remote antivirus and patch management

You can use these services to reduce the risk of not updating Windows patches or antivirus definitions and to avoid inappropriate patching procedures.

For example, we establish a secure remote connection to your industrial computing environment that monitors the state of your infrastructure and your images and, at the same time, manages necessary changes to the environment.

We then work with you to establish the periodicity and procedure for updating anti-virus and patches. This procedure will check the functionality of the images and applications before putting them back into production.

Remote backup management

Finally, you can use this service to reduce the risk of not having backups or not having a remote access service that allows experts to help you quickly restore services. With it, we monitor the integrity of the backups and perform the restoration. For example, our services can:

  • Install a backup device in industrial environments, configured to work according to your system’s backup frequency needs and retention requirements
  • Perform remote monitoring of device status and backups
  • Perform remote on-demand restorations to restore “correct” previous state images

The best strategy to defend against a WiperWorm, Ramsomware, or other malware threats is to be prepared.

Apply patches and strengthen your systems to prevent attacks, and if you can’t prevent them, make sure you can restore your critical production systems from a backup.

Being prepared can make the difference between continuing normal operation or having to completely rebuild your production systems.

Leave comment

Your email address will not be published. Required fields are marked with *.