Will ICS be as lucky when the next ransomware campaign hits?
Co-authored with Shimon Modi
The WannaCry ransomware has been sliced and diced since it surfaced more than a week ago. While we won't rehash that analysis, we keep returning to one question: why were there no highly publicized instances of Operational Technology (OT) environments (e.g. oil and gas, industrial manufacturing) being affected by the ransomware? After all, the Conficker malware, which began spreading as early as November 2008, is still detected in certain Industrial Control Systems (ICS) environments that must leave all SMB and NetBIOS services enabled by default.
Initial reports named phishing as WannaCry's intrusion vector, but security researchers subsequently dismissed them. WannaCry wasn't a targeted attack: it scanned for any machine exposing SMBv1 (TCP 445) to the internet, exploited it through the MS17-010 vulnerability, and then propagated indiscriminately to every other reachable host offering the same service. SMBv1 is commonly used, and frequently required, across many OT machines such as Human Machine Interfaces (HMI), engineering workstations, and data historians.
Despite the likelihood that some such machines were internet-facing, organizations such as the American Gas Association (AGA) reported that no natural gas utilities were compromised by WannaCry. As ICS-CERT raised alerts, many plants, such as those of Renault and Nissan in Europe, were shut down as a precaution against the ransomware spreading into or disrupting production.
While the motives and actors behind the campaign are still being debated, we have tried to weigh the candidate explanations for why ICS/OT infrastructures somehow escaped.
1. WannaCry was a targeted campaign that excluded ICS. The evidence contradicts this. Roughly 200,000 machines across some 150 countries were affected, and the research so far indicates WannaCry did not select its victims; it spread to whatever individual systems it could reach.
2. ICS/SCADA systems were resistant to WannaCry. As noted earlier, many ICS and OT environments require SMB and NetBIOS services to remain enabled to support critical functionality. Such systems have lengthy lifespans (roughly 20 years) and are designed to fail open, keeping the process running, rather than fail safe, which leaves them more vulnerable than the average system, not less.
3. ICS/SCADA environments were patched in time. It is highly unlikely that the MS17-010 patch was applied en masse to production systems worldwide, given the infrequent patch and maintenance windows in ICS environments and operators' apprehension about the downtime and potential process disruption a patch can cause. It must be pointed out, however, that WannaCry spread using the EternalBlue exploit published in the leak of NSA tooling, so it is possible the agency took precautionary measures to help major ICS operators proactively secure their environments.
4. Most OT environments were effectively air-gapped. While plausible, a simple Shodan search yields numerous publicly facing ICS/SCADA systems, though not all of them expose SMBv1. Furthermore, had an instance of the malware entered a truly air-gapped environment, the impact could have been more catastrophic: WannaCry's kill switch aborts only when the malware can reach a specific domain, and in a network without internet connectivity that check fails, so the payload would have run unimpeded.
5. Victims recovered their systems by paying the ransom. Reports at the time of writing indicate that none of the victims who paid received decryption keys.
Until we know more about the motives and actors behind the attack, it will be difficult to explain why ICS/SCADA environments weren't affected on a scale similar to the UK's National Health Service (NHS) and other organizations. What is clear is that WannaCry narrowly missed causing far more damage, with repercussions extending into the physical world.
And the message does not seem to have gotten through either: a quick search on Shodan showed a large number of machines still exposing SMBv1 on port 445 to the internet.
ICS and OT environments may very well be in the crosshairs going forward, as variants of WannaCry emerge or malicious actors create ICS-oriented ransomware of the kind Georgia Tech researchers have simulated. Basic hygiene, such as patching, disabling SMBv1 wherever it is not genuinely required, network segmentation, and application whitelisting, can significantly reduce the impact of ransomware, and ICS infrastructure operators should treat it as a necessity going forward.
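The Shodan search above shows internet-exposed SMBv1; the same inventory is needed inside the plant network before segmentation or SMBv1 removal can be prioritized. The following Python probe is an added example (not code from the original article or its authors): it sends a minimal SMB1 Negotiate Protocol Request offering only the "NT LM 0.12" dialect to TCP 445 and reads how the server reacts. A host that selects the dialect has SMBv1 enabled, a host that silently closes the connection has it disabled (the behaviour of Windows with SMB1 removed), and a host that answers with an SMB2 header speaks only SMB2/3. The sample replies in the block are constructed for offline illustration, not captured traffic; run the probe only against systems you are authorized to test.

```python
"""Probe hosts on TCP 445 for SMBv1 support.

Added example, not code from the original article: it sends a minimal SMB1
Negotiate Protocol Request offering only the "NT LM 0.12" dialect and reads
how the server reacts. Use only against systems you are authorized to test.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"  # the SMB1 dialect every Windows SMB1 server accepts


def build_smb1_negotiate() -> bytes:
    """Return an SMB1 NEGOTIATE request wrapped in a NetBIOS session header."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,         # protocol identifier
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status (unused in requests)
        0x18,               # Flags: canonicalized paths, case-insensitive
        0xC801,             # Flags2: Unicode, NT status, extended security, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0,                  # TID
        0xFEFF,             # PIDLow (arbitrary client process id)
        0,                  # UID
        0,                  # MID
    )
    dialects = b"\x02" + DIALECT + b"\x00"                  # one 0x02-prefixed dialect string
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount
    smb = header + body
    # NetBIOS session service header: type 0x00 plus 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_reply(reply: bytes) -> str:
    """Map the bytes returned after the negotiate (possibly none) to a verdict."""
    if len(reply) < 8:
        # Windows with SMB1 disabled simply closes the connection: recv() gives b"".
        return "no-smb1"
    smb = reply[4:]  # strip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2-only"
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "not-smb"
    word_count = smb[32]
    if word_count == 0:
        return "smb1-error"  # error response carrying no parameter words
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return "no-smb1"     # SMB1 framing, but the server rejected the dialect
    return "smb1-enabled"    # server selected NT LM 0.12: SMBv1 is live


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the negotiate, and classify the outcome for one host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(4096)  # negotiate responses are far smaller than this
    except OSError as exc:
        return f"unreachable ({exc.__class__.__name__})"
    return classify_reply(reply)


def sample_reply(word_count: int, dialect_index: int) -> bytes:
    """Constructed (not captured) SMB1 negotiate reply, truncated after DialectIndex."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(27)
    smb = header + struct.pack("<BH", word_count, dialect_index)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            print(f"{target}: {probe_smb1(target)}")
    else:
        # Offline demonstration on constructed replies
        print("accepted dialect  ->", classify_reply(sample_reply(17, 0)))
        print("rejected dialect  ->", classify_reply(sample_reply(1, 0xFFFF)))
        print("connection closed ->", classify_reply(b""))
```

Run it as `python probe.py 10.0.0.5 10.0.0.6` against addresses you own. A host reporting `smb1-enabled` that hosts an HMI or historian which genuinely needs the protocol becomes a segmentation and monitoring item; everywhere else the result is a reason to disable SMBv1 and confirm MS17-010 is applied.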