Rethinking Risk vs. ROI in the Wake of Wikileaks and WannaCry
Note: I wrote this piece before the May 12th WannaCry outbreak. While the content has been edited since to be more accurate, I tried to keep the original message of the story intact. Hopefully the unfortunate global attack only serves to catalyze any action on the points raised in my perspective below. Many have called WannaCry a wakeup call; but perhaps the bigger problem is our tendency to hit the ‘snooze’ button?
There’s always been an interesting dichotomy in those industries that depend on process automation: because a complex control system represents an extreme investment – in everything from planning, engineering, and equipment to facilities and training – it’s not surprising that companies want to get the most out of that investment. It’s also understandable why process operators are reluctant to “fix something that isn’t broken,” considering the highly complex and finely tuned nature of these systems. This leads to organizations with a purposeful desire to eke every last bit of return from their investments. In these environments, technology and infrastructure lifecycles are thought of in decades, with some systems remaining in production for 30, 40 or even 50 years. When thinking about this type of permanency in the context of financial returns on investment, things look pretty good. When thinking in terms of cyber security, this has always been problematic.
The problem, of course, is that the intellectual property that makes up a particular process resides within a computing infrastructure that was designed to support a much shorter lifecycle, and as such it is often in need of a refresh. That’s fine as long as the process keeps working (and why shouldn’t it, if the process never changes?). It even justifies the added cost of maintaining a computing and network infrastructure that is sometimes so outdated that it’s no longer supported by the manufacturers. This is why many process control systems today still run on Windows XP. This has to stop.
Using unsupported versions of Windows has always carried extra risk: not only are older OSs inherently more vulnerable, those vulnerabilities are also no longer patched. We know this, but with the Shadow Brokers leak of professional hacking tools, extremely powerful penetration utilities are now readily available via a convenient framework. WannaCry has shown the world exactly what we mean by ‘extremely powerful’, affecting 200,000 computers in more than 150 countries.
Those who read mainstream security blogs just rolled their eyes: yes, this is already old news for most people. Microsoft has stepped up, and new patches already protect Windows 10 and other current OS versions from these exploits. In these special circumstances, Microsoft also released a patch for Windows XP, Windows 8 and Server 2003. But this should not be construed as making Windows XP safe or secure.
What ruined a lot of security professionals’ Easter weekend was soon met with a collective sigh of relief, as this potentially damaging leak was quickly mitigated and the risk fizzled. Just shy of one month later, our weekends were upended once again by the largest ransomware attack ever seen, hitting hundreds of thousands of victims across 150 countries.
The problem is that many of these exploits were still perfectly effective against older, unsupported versions of Windows. Eternal Blue could remotely exploit XP systems via SMB and NBT vulnerabilities; Eternal Champion and Eternal System were still effective against Windows 8 and Server 2012; Eternal Romance could be used for remote privilege escalation attacks on Windows XP and Server 2008; and Eternal Synergy offered remote code execution up to Windows 8 and Server 2012. Will the patches solve this problem? This specific one, maybe (assuming you apply them), but WannaCry just proved to hackers that there’s financial value in targeting older OSs. The same philosophy that’s prevalent in industrial automation now applies to the bad guys: when something works, stick to it.
All of these exploits are now readily available, and made even more dangerous by the accompanying Fuzzbunch tool, a framework similar to Metasploit that is tailored for these newly leaked exploits. In short, new weaponized exploits that are easily obtained and easily used just hit the mainstream, and you can bet these will continue to appear in the wild. With hackers newly inspired to develop exploits against XP, and with the leaked exploits available as a foundation for more hackers to build from, you can bet that there will be a resurgence of highly capable zero-days in the near future.
If you’re using an older, unsupported OS, it just got a whole lot easier to compromise and control those systems. That means that if you’re using these old OSs anywhere in your industrial automation and control systems, the integrity of your process is now only as strong as your perimeter defenses: one breached firewall, one clever side-channel or supply-chain vector, or one rogue insider is all that stands between your PCN and potential chaos. It’s not just “nation-state actors” anymore, folks: the ability to compromise and cause harm to your legacy critical infrastructure is now freely available for download.
It’s important that any industrial operator take a step back and look at their own networks.
If you’re running an older control system that runs on Windows XP, Server 2003, Windows 8, or Server 2012, the reliability of your control system just took a direct hit. If your organization is focusing on ROI, consider applying some of that return to a modernization of your infrastructure, because Risk just sucker-punched ROI. In addition to the benefits of using newer process control system software, the security and reliability benefits of running a modern OS like Windows 10 on a modern network infrastructure are well worth the investment. Besides, an investment in new servers, new switches, new routers and new firewalls will almost certainly improve your productivity: the perfect solution for a strong return on investment.
Oh, and in the meantime: apply those patches.
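The “take a step back and look at your own networks” advice above comes down to three questions per host: is the OS still supported, is the SMB patch applied, and can anyone outside the PCN reach SMB on it? The following script is an added example, not code from the original post or from any vendor, that answers those questions from a constructed asset inventory and constructed firewall accept-log lines and ranks each host for action. The PCN address range, the inventory columns, the log format and every host and address in it are assumptions made for this illustration.

```python
"""Legacy-OS exposure triage for a process control network (PCN).

Added example: parses a constructed asset inventory and constructed firewall
accept-log lines, then ranks each host by how urgently it needs attention.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: hostname,ip,os,vendor_supported(yes/no),smb_patched(yes/no)
# "smb_patched" means Microsoft's patch for the leaked SMB exploits has been applied.
INVENTORY = """\
hmi-01,10.20.1.11,Windows XP SP3,no,no
hmi-02,10.20.1.12,Windows XP SP3,no,no
hist-01,10.20.1.20,Windows Server 2003,no,yes
eng-ws-02,10.20.1.31,Windows 10,yes,yes
scada-srv,10.20.1.40,Windows Server 2012,yes,yes
"""

# Constructed firewall accept-log lines: time host action proto src -> dst
FIREWALL_LOG = """\
2017-05-12T08:01:13Z fw01 ACCEPT TCP 192.168.5.17:51234 -> 10.20.1.11:445
2017-05-12T08:01:15Z fw01 ACCEPT TCP 10.20.1.31:49000 -> 10.20.1.20:445
2017-05-12T08:02:02Z fw01 ACCEPT TCP 203.0.113.9:40022 -> 10.20.1.40:139
2017-05-12T08:02:30Z fw01 ACCEPT TCP 192.168.5.17:51240 -> 10.20.1.31:3389
"""

PCN = ipaddress.ip_network("10.20.1.0/24")   # assumed PCN address range
SMB_PORTS = {139, 445}                        # NBT session and direct SMB


@dataclass
class Host:
    name: str
    ip: str
    os: str
    vendor_supported: bool
    smb_patched: bool


def parse_inventory(text: str) -> dict[str, Host]:
    """Map IP address -> Host for each non-empty inventory line."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ip, os_name, supported, patched = line.split(",")
        hosts[ip] = Host(name, ip, os_name, supported == "yes", patched == "yes")
    return hosts


def external_smb_sources(log: str) -> dict[str, set[str]]:
    """Map destination IP -> set of non-PCN source IPs that reached an SMB port."""
    exposure: dict[str, set[str]] = {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2] != "ACCEPT":
            continue
        src_ip, _ = fields[4].rsplit(":", 1)
        dst_ip, dst_port = fields[6].rsplit(":", 1)
        if int(dst_port) not in SMB_PORTS:
            continue
        if ipaddress.ip_address(src_ip) in PCN:
            continue   # intra-PCN SMB is a separate (segmentation) question
        exposure.setdefault(dst_ip, set()).add(src_ip)
    return exposure


def classify(host: Host, sources: set[str]) -> tuple[str, list[str]]:
    """Return (priority, reasons). Priority order: critical > high > medium > ok."""
    reasons = []
    if not host.vendor_supported:
        reasons.append("unsupported OS: " + host.os)
    if not host.smb_patched:
        reasons.append("SMB patch missing")
    if sources:
        reasons.append("SMB reachable from outside PCN: " + ", ".join(sorted(sources)))
    if sources and not host.smb_patched:
        priority = "critical"   # exploitable and already reachable: isolate now
    elif sources or not host.smb_patched:
        priority = "high"       # block the path or apply the patch
    elif not host.vendor_supported:
        priority = "medium"     # no known path today, but no future fixes either
    else:
        priority = "ok"
    return priority, reasons


def triage(inventory: str = INVENTORY, log: str = FIREWALL_LOG) -> list[tuple[str, str, list[str]]]:
    """Rank hosts by priority, then by name, as (name, priority, reasons)."""
    rank = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    hosts = parse_inventory(inventory)
    exposure = external_smb_sources(log)
    rows = []
    for ip, host in hosts.items():
        priority, reasons = classify(host, exposure.get(ip, set()))
        rows.append((host.name, priority, reasons))
    return sorted(rows, key=lambda r: (rank[r[1]], r[0]))


if __name__ == "__main__":
    for name, priority, reasons in triage():
        print(f"{priority:8} {name:10} {'; '.join(reasons) or 'no findings'}")
```

The ranking deliberately puts an exposed, unpatched host ahead of an unsupported one that nobody outside the PCN can reach: the first needs isolation today, the second needs a modernization budget. Intra-PCN SMB connections are skipped on purpose, since the post’s concern is the perimeter; a segmentation review of the PCN itself would treat them separately.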
Thanks for sharing valuable content on industrial control systems cyber security with us. I really found this information valuable.