One year ago this week, NotPetya began its worldwide propagation tour from its original targets in Ukraine to over a dozen countries. When the dust finally settled, the worm was responsible for billions in damage, making it the most costly global cyberattack to date. It came just a month after the WannaCry ransomware attack, which also utilized EternalBlue to exploit a Windows’ SMB vulnerability that Microsoft had issued a patch for in March of last year.
Both NotPetya and WannaCry are seminal case studies for why it’s becoming increasingly difficult to classify some threats as merely IT or OT centric. Threats that initially target IT networks are rapidly “spilling over” to OT environments. Contrary to common perception, Windows systems aren’t just in corporate offices, they’re also in plants, factories, and other critical infrastructure sites. In addition, the IT and OT networks in these environments are not as segmented as they should be. The result is a higher opportunity for infections to spread from the IT network to industrial control systems which can lead to loss of view, operational downtime, and potentially dangerous physical conditions.
This is precisely what happened a year ago, when NotPetya — thanks to EternalBlue and its ability to steal credentials — made its way into production OT/ICS environments that were connected to compromised IT networks. With self-propagating malware like NotPetya and poor cyber hygiene, it doesn’t take much for this spillover effect to occur.
The other takeaway from the events of last year is that most of the victims of these types of cyberattacks were not the initial targets. We're generally not in the business of publicly attributing cyberattacks, but we do acknowledge credible attribution reports. In the case of NotPetya, the US, UK and Australian governments sourced the campaign to the Russian Federation. In addition to technical analysis, they no doubt considered the geopolitical context of the attack — namely the initial targets in Ukraine. It’s not known whether the perpetrator contemplated NotPetya’s collateral effects on such a global scale, but given the worm’s self-propagating characteristics, it’s reasonable to assume they had little expectation of containing it within the physical boundaries of Ukraine. Indeed, it did produce crippling collateral effects, infecting some of the world’s largest companies in their respective industries.
It would be naive not to expect these types of attacks to occur again in the future. The good news is that NotPetya was a major wake-up call for security practitioners and business leaders alike, largely because it demonstrated the tangible costs of cyber risk and the degree to which industrial control systems are not immune to conventional malware threats. For some of those who were victimized, the recovery process still continues a year later.
Although there is still a long way to go until industrial cybersecurity awareness and action reach that of IT security, industrial organizations worldwide are increasingly taking steps to prevent a repeat scenario. Adoption of OT-specific cybersecurity technologies has increased noticeably in the past year and organizations are increasingly prioritizing best practices like patching and network segmentation. I suppose the true measure of how far the industrial segment has progressed will come the next time it is tested by a wide-spread attack.