The Claroty Blog

OT/ICS News Roundup Week of 6.19.17

| Steve Ward

Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past few days: 

Reuters: Honda Halts Japan Car Plant After WannaCry Virus Hits Computer Network

Honda Motor Co (7267.T) said on Wednesday it halted production at a domestic vehicle plant for a day this week after finding the WannaCry ransomware that struck globally last month in its computer network.

The automaker shut production on Monday at its Sayama plant, northwest of Tokyo, which produces models including the Accord sedan, Odyssey Minivan and Step Wagon compact multipurpose vehicle and has a daily output of around 1,000 vehicles.

Our Take: We conducted extensive lab testing of the WannaCry virus in our Claroty Labs - detailing impact on a number of different products. Our findings pointed to some interruptions and to the potential of others if configurations were non-standard. Not having specific detail on what this victim is facing, we cannot say whether or not a new variant of WannaCry may be at play or if this is hold over from the original campaign. What we can say - and have said - is that ransomware attacks (whether targeted or spill-over) against ICS networks are coming. This is further evidence to support our views.

Washington Post: The NSA has linked the WannaCry computer worm to North Korea

Despite the Obama and Trump administrations’ efforts to deter North Korean aggression, the country does not appear to have been discouraged from launching one of the most wide-ranging cyberattacks the world has seen.

“What it really confirms is that . . . you don’t have to be the best in the business to cause a lot of disruption,” said Michael Sulmeyer, director of the cybersecurity project at Harvard’s Kennedy School. “And that’s what they showed they were willing and able to do.”

Our Take: While we do not believe there is evidence to suggest that the actors behind WannaCry (if the NSA analysis is accurate, North Korea) specifically targeted ICS networks, our analysis suggests that repurposing the malware to specifically target ICS systems is a trivial undertaking. As such, we strongly advise that owners/operators and security teams immediately take steps to harden defenses - not only against WannaCry, but in the broader scope. The red-lines that once detered nation-states from attacking critical infrastructure have been crossed multiple times now (Ukraine 2015 and 2016 show us this) and rogue nations such as North Korea are likely to use attacks against critical infrastructure as a component of their geo-political strategies. As tensions heat up, we expect to see a marked increase in attacks against ICS networks.

Electric Light & Power: What Trump’s Executive Order on Cybersecurity Means for the Electric Industry

The report on federal policies and practices to promote market transparency of cybersecurity risk management practices by critical infrastructure entities (with a focus on publicly traded critical infrastructure entities) could also be a double-edged sword. Information sharing and lessons learned can often streamline a path forward. However, appropriate care will need to be taken to ensure the risk management practices described and examined in the report, as well as the level of recommended market transparency, do not inappropriately identify vulnerabilities that can then be exploited, or otherwise publish information regarding risk management practices (whether cyber-related or not) that could arm adversaries.

Our Take: We believe that transparency is important - we also believe that there is such a thing as too much public transparency. Signaling to adversaries of all types exactly where the holes are, how big they are, and how they can be exploited is never a good thing and clearly not the intended outcome of the push for transparency. A delicate line must be walked between exposing weaknesses to drive accountability, and telegraphing those weaknesses to adversaries. 

Subscribe to the Blog