It happened. The ransomware known as WannaCry was confirmed this week as having made it into industrial process facilities. This should put all companies who rely upon industrial control systems (ICS) – particularly companies classified as critical infrastructure – on high alert. Why? Because the choices available to protect the systems within an industrial facility’s network are much more limited than those in a corporate IT network.
In a corporate IT network, cybersecurity professionals have the option of isolating traffic or entire systems if they are compromised. Personnel can also apply patches in real time with confidence that patching will not impact system performance and availability. In an industrial process facility, isolating traffic or systems is rarely an option. Those systems may have primary responsibility for controlling volatile processes or ensuring worker and environmental safety. System uptime is paramount.
Real-time patches are typically “no-nos” within a facility’s network. First, any Microsoft patch must have ICS vendor approval before deployment. Even with approval, patching usually occurs during maintenance windows and turnarounds when systems are offline – something that may occur only once or twice per year. It is also quite possible that a patch is not applied for years if there is a potential for process disruption. In these cases, asset owners may place additional security controls in front of the unpatched system to mitigate risk. This assumes that there is a closed-loop, enterprise-wide patch management process in place that can evaluate the steps required to mitigate risk; many companies are missing this capability. You can easily see why zero day vulnerabilities can sometimes become forever day vulnerabilities in the world of ICS.
Now, I said typically when I said real-time patches are no-nos in a facility’s network. WannaCry has caused some asset owners to respond in an atypical manner. We’ve had numerous customers canceling routine activities this week to focus on WannaCry risk mitigation. A segment of our customer is taking the step of applying patches outside of scheduled maintenance, which means they are taking down systems to do so.
So, it is great news that Microsoft stepped up and provided patches for older, unsupported versions of their operating system. Many critical infrastructure sectors will face challenges in their gated patching process while others will bypass those gates where they deem it necessary. As we watch WannaCry continue to proliferate and see new variants spring up, the risk to industrial process facilities remains high.