Combating the menace of ransomware in critical infrastructure

Richard Piggin | 19 May 2017 | Comments

The WannaCry worm, which has hit the NHS in England and Scotland, highlights the growing menace of ransomware and the risks surrounding unpatched systems and unsupported operating systems. The risk to healthcare providers specifically, and to critical national infrastructure (CNI) more broadly, is evident, so how can organisations better protect themselves? Richard Piggin shares his thoughts.

The WannaCry or Wanna Decryptor malware has affected 150 countries, including the United Kingdom, United States, Spain, Russia, Taiwan, France, and Japan. Several variants have already been reported, all presently targeting Windows-based operating systems, including embedded versions. Further variations, which could target other operating systems such as Linux, are anticipated. Early indications suggested that email phishing campaigns, using email attachments and malicious website links, initially infected computers, and this has since been confirmed. The worm then spreads across networks.

While assurances have been given regarding the loss of patient data, the malware provides backdoor access to victims’ computers, so data theft is a distinct possibility. Yet the issue isn’t just about the security of patient information; it’s also about preventing patient harm.

This is not an isolated incident. Similar incidents have already occurred in the healthcare sector, even in the UK. Only a few hospitals were affected, attracting limited publicity and concern. Many more medical facilities belonging to the U.S. MedStar Health provider were severely disrupted last year. The impact of such attacks also features in a new BSI publication on Medical Device Cyber Security, which describes the convergence of safety and security risk, along with defensive principles.

Other sectors have also been impacted, including UK, French and Romanian car plants and the German rail operator. Spanish victims included telecoms multinational Telefonica, and utilities Iberdrola and Gas Natural. Critical infrastructure asset owners have been impacted by ransomware in the past, including several power utilities.

[Image: WannaCry screenshot]

Organisations with unsupported operating systems or ineffective patching programmes will continue to be vulnerable. At best, it’s a race to patch against the inevitable malware opportunists, and to remove specific network services. So, what can be done to avoid potential reputational damage, disruption, loss of information, financial loss, and impact on customer [patient] wellbeing? The mantra must be to get the basics right:

1. Back up systems, and exercise the plan for incident response and restoration of compromised systems. Patch and update systems, although this can be a challenge for Cyber Physical Systems (controlling physical processes), with 24-7 operation 365 days a year, coupled with long lifecycles. Compensating measures must be put in place where patching and updating cannot be achieved in a timely fashion. Network architectures that protect and segregate vulnerable systems, combined with anomaly detection, are common approaches, along with disabling unused services/protocols.
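The checks in item 1 (unsupported operating systems, patch age, services exposed outside a segment's allowed set, and whether an unpatchable host has a compensating control) can be expressed as a simple inventory audit. The following Python is an added example, not code from the article or from any product it mentions; the policy, segment names, hostnames, dates and service names are constructed for illustration.

```python
"""Audit a constructed asset inventory against the basics in item 1:
unsupported OS, stale patching, exposed services per network segment,
and compensating controls where patching cannot be timely."""
from datetime import date

# Constructed policy (assumption for this example, not the article's):
# which services each segment may expose, the patch age that counts as
# stale, and which controls count as compensating measures.
POLICY = {
    "max_patch_age_days": 30,
    "allowed_services": {
        "corporate": {"https", "dns"},
        "clinical": {"https", "dicom"},
        "ot": {"modbus"},  # control network: no file sharing at all
    },
    "compensating_controls": {"segregated", "anomaly_detection", "host_firewall"},
}

# Constructed sample inventory; hostnames and dates are illustrative.
INVENTORY = [
    {"host": "mri-ws-01", "segment": "clinical", "os_supported": False,
     "last_patched": date(2016, 11, 3), "services": {"smb", "dicom"},
     "controls": set()},
    {"host": "plc-gw-07", "segment": "ot", "os_supported": False,
     "last_patched": date(2015, 2, 10), "services": {"modbus"},
     "controls": {"segregated", "anomaly_detection"}},
    {"host": "fin-app-02", "segment": "corporate", "os_supported": True,
     "last_patched": date(2017, 5, 10), "services": {"https", "smb"},
     "controls": set()},
]


def audit_asset(asset, policy, today):
    """Return a list of finding strings for one asset (empty means clean)."""
    findings = []
    host = asset["host"]

    # Services the segment policy does not permit (unused or risky protocols).
    allowed = policy["allowed_services"].get(asset["segment"], set())
    for svc in sorted(asset["services"] - allowed):
        findings.append(f"{host}: service '{svc}' not permitted in segment '{asset['segment']}'")

    # Unsupported OS and patch age.
    age_days = (today - asset["last_patched"]).days
    stale = age_days > policy["max_patch_age_days"]
    if not asset["os_supported"]:
        findings.append(f"{host}: unsupported operating system")
    if stale:
        findings.append(f"{host}: last patched {age_days} days ago")

    # Where patching is not timely, at least one compensating control is required.
    needs_compensation = stale or not asset["os_supported"]
    if needs_compensation and not (asset["controls"] & policy["compensating_controls"]):
        findings.append(f"{host}: no compensating control for unpatched/unsupported system")
    return findings


def audit_inventory(inventory, policy, today):
    """Map each hostname to its findings."""
    return {a["host"]: audit_asset(a, policy, today) for a in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, POLICY, date(2017, 5, 19)).items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as written, the OT gateway is unsupported and long unpatched but passes the compensating-control check because it is segregated and monitored; the clinical workstation fails on every count, and the supported corporate server is flagged only for exposing a service its segment does not allow.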

2. Address phishing as the route to initial infection. Education of staff will reduce the number of successful attempts, but is unlikely to protect against habitual clickers or well-researched, well-crafted, targeted spear-phishing. Therefore, other technical measures are needed to prevent malware being downloaded or malicious sites being visited. Raise awareness amongst employees, particularly operational and engineering staff, of recent threats and attacks.
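One form the "other technical measures" in item 2 take is mail-gateway screening: quarantining messages whose attachments are executable, macro-enabled or disguised with a double extension, and whose links point outside an allowlist of expected domains. The Python below is an added example, not code from the article or from any gateway product; the rule sets, the allowlisted domains and the sample message (with `.invalid` and `.example` placeholder domains) are constructed for illustration.

```python
"""Screen an inbound email for dangerous attachments and non-allowlisted
links. Rules and the sample message are constructed for this example."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed rule sets (assumptions, not a product's configuration).
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar"}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "txt"}
ALLOWED_LINK_DOMAINS = {"nhs.uk", "ncsc.gov.uk"}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample message: a lure text with one external link, one
# allowlisted link, and a "pdf.exe" attachment (body bytes are a placeholder).
RAW_EMAIL = b"""From: accounts@example-supplier.invalid
To: ward-admin@hospital.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached invoice or view it at http://example-supplier.invalid/invoice
Guidance: https://www.ncsc.gov.uk/

--b1
Content-Type: application/octet-stream; name="Invoice_0517.pdf.exe"
Content-Disposition: attachment; filename="Invoice_0517.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def attachment_verdict(filename):
    """Return a reason to block the attachment, or None if it passes."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        return f"executable attachment type .{ext}"
    if ext in MACRO_EXTENSIONS:
        return f"macro-enabled document .{ext}"
    # e.g. 'scan.pdf.zip': a document extension hiding before the real one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        return "double extension"
    return None


def link_verdicts(text):
    """Flag every URL whose host is not on (or under) an allowlisted domain."""
    reasons = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in ALLOWED_LINK_DOMAINS):
            reasons.append(f"link to non-allowlisted host {host}")
    return reasons


def screen_message(raw_bytes):
    """Parse the message and return a quarantine decision with reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            reason = attachment_verdict(filename)
            if reason:
                reasons.append(f"attachment '{filename}': {reason}")
        elif part.get_content_type() == "text/plain":
            reasons.extend(link_verdicts(part.get_content()))
    return {"quarantine": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(screen_message(RAW_EMAIL))
```

The allowlist approach is deliberately strict: a link is allowed only if its host is an allowlisted domain or a subdomain of one, so a lookalike host that merely contains the string is still flagged. Attachment naming is checked, not content; a real gateway would pair this with content-type inspection and sandboxing.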

3. Manage the supply chain. Address the security of embedded systems that may have long lifecycles. What is the security model, and how will it continue to offer proportional, risk-based defence? Asset owners should stipulate their security requirements. Vendors should offer these by default, and they may even become a product differentiator in the short to medium term. Expect them to be included in future procurement specifications.

4. The UK’s National Cyber Security Centre has published specific guidance for administrators and home users that should be acted upon.

5. Visit the “No More Ransom” website, and please pass on the recommendation. The initiative seeks to help victims of ransomware retrieve their encrypted data without having to pay the criminals. It also offers prevention advice.

Finally, new forms of malware are being discovered at an ever-increasing rate. CNI security postures need to address the evolving risk with regular reviews. Cyber security is still a journey, not a destination. Governance regimes need to reflect the salutary lessons identified when the dust settles.

Image of WannaCry screenshot in banner image provided by Kaspersky.