Nearly a year ago, the world became aware of a new piece of malware known as WannaCry. Many institutions were hit by the ransomware, which encrypted the files on a Microsoft Windows system, locked the user out and demanded payment. It spread on its own through SMB, the file- and printer-sharing protocol present on every Windows machine, using an exploit for a flaw in the old SMBv1 version of that protocol. Damages were estimated at $4 billion.
WannaCry only affected systems that were not following known recommended security practices: those running out-of-date, unpatched or unsupported operating systems (OS).
The attack highlights the need for better oversight of, and visibility into, an enterprise's standard operating procedures. Microsoft had released the fix for supported versions of Windows two months before the outbreak, and once the worm appeared it took the extremely atypical step of also shipping patches for versions it no longer supported, such as Windows XP. The means to prevent infection and spread were therefore available to any systems administrator following a standard patching and update cycle, and even those running unsupported operating systems could apply the emergency patch or simply disable SMBv1 to block propagation.
Another piece of malware, Mirai, built a botnet that was used to launch a massive distributed denial-of-service attack against the DNS provider Dyn, taking down major services such as Netflix and Twitter for many users on the US East Coast. This is now called the “DynDNS attack.”
Device makers had built their products on top of a remote-administration protocol, Telnet, that was long known to be outdated and insecure, and shipped them with factory-default passwords. Mirai did not need a software flaw: it scanned for Telnet and logged in with a short list of those default credentials. The technique was broadly exploited and affected more than 1 million devices.
The lesson from these two attacks is the need for a verified update and patch management process.
Because most bad actors are likely to come from outside the organization, bolstering internal processes to defend against them is a straightforward way to increase security and preparedness. It is also the usual first step in a defense-in-depth strategy.
Factory automation systems are at particularly high risk: they often run end-of-life operating systems and are hard to patch because of “always on” production lifecycles. Best practices for OT and industrial networks are therefore critical.
Here are some precautions manufacturers can take:
Security specifications. Establishing formal requirements and specs for third-party software products and components lets manufacturers set an internal precedent early in the vendor selection process. To streamline communication with vendors and demonstrate your commitment to security from the outset, all requirements and specs should be referenced in, and provided with, every RFP and vendor contract.
Independent validation. Always seek suppliers that offer product security guarantees, but requiring independent validation of third-party software is better still.
Regular updates. Vendor security teams may turn around fixes for zero-day exploits in a matter of days, if not hours. Being able to apply hotfixes, patches and updates through an agreed-upon, safe procedure is critical to the security of the product.
Regular testing protocols. Thorough validation testing should be completed for all acquired software and should continue throughout its use. These validations can often be automated to increase efficiency; they help ensure continued compliance with the security specs and help locate “rogue” devices that are on the network but not in the inventory.
Track and trace. Establish a robust system to record the source of every software component and device in use. This dramatically simplifies the update process: when a vulnerability is announced, you know immediately which systems contain the affected component and which vendor owes you a fix.
Need-to-know details. All critical software information should be maintained on a “need-to-know” basis. This will help ensure that only necessary parties have back-end access and can also help pinpoint the source of a security breach should issues arise.
Vendor policies. Develop clear performance policies for all software vendors. These policies should establish non-compliance consequences and clearly detail security specs, including limiting the use of unapproved software.
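The automated validations described under “Regular testing protocols” and the component record described under “Track and trace” can be expressed as a single check that runs against an asset inventory. The Python below is an added example, not code from this article or from any vendor it mentions. The inventory records, the list of devices observed on the network, the approved-software list and the patch identifiers (PATCH-2017-03 is a placeholder, not a real Microsoft KB number) are all constructed for illustration, and the record fields are assumptions about what an inventory export would contain. The checks cover the two lessons above (end-of-life OS, missing patches, SMBv1 and Telnet still enabled) plus unapproved software and rogue devices.

```python
"""Validate a plant asset inventory against a security spec.

Added example; all reference data below is constructed and the
inventory field names are assumptions, not a real tool's schema.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed policy data standing in for the formal security spec.
EOL_OS = {                       # OS family -> end-of-support date
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}
REQUIRED_PATCHES = {             # OS family -> patches the spec demands
    "Windows 7": {"PATCH-2017-03"},      # placeholder identifier
    "Windows 10": {"PATCH-2017-03"},
}
APPROVED_SOFTWARE = {"HMI Runtime 4.2", "PLC Config Tool 3.1", "Endpoint Agent 9"}
# Legacy services abused by WannaCry (SMBv1) and Mirai (Telnet).
BANNED_SERVICES = {"smbv1", "telnet"}


@dataclass
class Asset:
    hostname: str
    mac: str
    os: str
    patches: set = field(default_factory=set)
    software: set = field(default_factory=set)
    services: set = field(default_factory=set)


def validate_asset(asset: Asset, today: date) -> list:
    """Return a list of findings for one inventory record (empty = compliant)."""
    findings = []
    eol = EOL_OS.get(asset.os)
    if eol is not None and eol <= today:
        findings.append(f"EOL_OS: {asset.os} unsupported since {eol.isoformat()}")
    for patch in sorted(REQUIRED_PATCHES.get(asset.os, set()) - asset.patches):
        findings.append(f"MISSING_PATCH: {patch}")
    for sw in sorted(asset.software - APPROVED_SOFTWARE):
        findings.append(f"UNAPPROVED_SOFTWARE: {sw}")
    enabled = {s.lower() for s in asset.services}
    for svc in sorted(enabled & BANNED_SERVICES):
        findings.append(f"LEGACY_SERVICE: {svc}")
    return findings


def find_rogue_devices(inventory: list, observed_macs: set) -> set:
    """MAC addresses seen on the network that no inventory record claims."""
    known = {a.mac.lower() for a in inventory}
    return {m for m in observed_macs if m.lower() not in known}


def run_validation(inventory: list, observed_macs: set, today: date) -> dict:
    """Per-host findings plus the rogue-device list under the '_rogue_devices' key."""
    report = {a.hostname: validate_asset(a, today) for a in inventory}
    report["_rogue_devices"] = sorted(find_rogue_devices(inventory, observed_macs))
    return report


# Constructed inventory export (field values are illustrative only).
INVENTORY = [
    Asset("hmi-01", "00:11:22:33:44:01", "Windows 7",
          {"PATCH-2017-03"}, {"HMI Runtime 4.2"}, {"rdp"}),
    Asset("eng-ws-02", "00:11:22:33:44:02", "Windows XP",
          set(), {"PLC Config Tool 3.1", "FileShareTool 1.0"}, {"SMBv1"}),
    Asset("plc-gw-03", "00:11:22:33:44:03", "Windows 7",
          set(), {"Endpoint Agent 9"}, {"rdp"}),
    Asset("cam-07", "00:11:22:33:44:07", "Embedded Linux",
          set(), set(), {"telnet", "http"}),
]
# Constructed result of a network scan: one MAC is not in the inventory.
OBSERVED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02",
                 "00:11:22:33:44:03", "00:11:22:33:44:07", "de:ad:be:ef:00:99"}

if __name__ == "__main__":
    for host, findings in run_validation(INVENTORY, OBSERVED_MACS, date(2018, 5, 1)).items():
        print(host, findings)
```

In practice the inventory comes from an asset-management or endpoint-agent export and the observed MACs from a passive network monitor or switch ARP tables; the point of the rogue-device check is that a host the spec has never seen is, by definition, not under the patch process. Run the report on a schedule so that a device drifting out of compliance shows up before the next WannaCry does.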