If you were a technology journalist, you would have wanted to cry this week over how many WannaCry stories you would have had to write.
The ransomware hit a huge number of organisations and businesses worldwide, from the NHS in the UK to the Deutsche Bahn in Germany, with systems held hostage until operators paid the $300 bitcoin ransom.
Though ransomware is not new, for many it was the shock that made the risks feel real.
Fortunately, critical infrastructure such as power grids weren’t affected – in fact they couldn’t have been too badly damaged by this attack – but we should all still pay attention to the warning.
Why no utility tears?
In terms of sophistication, WannaCry was actually pretty basic stuff. The criminals behind the hack used an already-discovered vulnerability stolen from the NSA. It was known and already patched, but – as always – not all users had kept abreast of the latest updates.
Plus, although it spread far and wide and caused a lot of disruption (and a lot of suffering for some – such as NHS patients in the UK with vital operations cancelled), it wasn’t a huge success for the criminals in financial terms. You can track bitcoin payments and it looks like a return of just under $92,000 dollars (at the time of writing). Based on a reported ~230,000 machines affected so far, that’s about $0.40 per machine.
It was an indiscriminate attack that hit widely, but luckily not that deeply into critical systems.
And that’s why utilities weren’t too troubled by WannaCry. This was an attack targeted purely at IT systems, that didn’t spread any further. For utilities, the real worries start if a hack infiltrates the operational technology (OT) systems – the actual equipment on the ground.
If an OT system was infiltrated, a hacker could hold grid assets hostage. Maybe that’s the smart meter data concentrator, maybe it’s electric vehicle charging points, perhaps a substation. At this point, your choice isn’t pay or use your back-up data, as in an IT breach. It’s pay or have to replace the physical components.
Replacement could take an unacceptably long time at an unacceptably high cost. There will be much more pressure to bow to demands and pay the ransom – and at this point they may well be more than $300.
The good news is that this would need a considerably more advanced hack than WannaCry. The criminals would have to design ransomware that – probably – entered the system via an IT vulnerability, but was dormant until it found its way onto the OT side. Then, it would need to be able to recognise it was in an industrial control system (ICS) and activate the malicious behaviour.
That’s far more complicated than WannaCry – which is a relief and a worry at the same time. Relief, because utilities shouldn’t be greatly affected this time, but worry because this attack was at the simple end of the spectrum. There are people out there with the skills and motivation to try something more advanced.
What to do?
So, for utilities, WannaCry is a good reminder – just because significant ransomware attacks haven’t hit the energy sector yet, it doesn’t mean they never will or never can. Critical infrastructure is critical – we all have to take this seriously.
It’s impossible to give a comprehensive strategy to protect against ransomware in a short blog, but there are a few things to look at to start with:
Security architecture – think about zoning, and make it difficult for an outbreak to move between zones.
Device hardening – make sure protective measures are implemented in the systems and components you operate in OT.
Vulnerability management – don’t be the one that falls behind on patches!
Collaborate – security isn’t a commercial differentiator and hackers don’t work alone – so share knowledge and experience with peers in the industry – we can achieve more together than we can separately.