As we are very certain by now you have heard all about WannaCry and its multitude of possible variants. What is maybe not so clear is what should you do about it. To cut to the chase the following should be investigated/executed at a minimum as soon as possible:
- Apply the Windows SMB Patch as soon as possible. Note an emergency patch for unsupported versions of windows including: Windows XP, Vista, Server 2003 or 2008 is available for older systems as well (See Microsoft Security Bulletin MS17-010 – Critical)
- Block SMB ports (139 and 445) between IT/OT networks (no connection between systems since uses data diodes)
- On systems that don’t require use of SMB, disable it altogether (Microsoft instructions can be found here) or block it using the endpoint firewalls
- On systems that may require SMB for services that are less important, consider disabling SMB until patches can be applied
- Quickly review disaster recovery plans and determine which windows-based ICS systems have current backups. Image or backup those systems as soon as possible to aid in rapid recovery if these systems become infected
- Additionally, ICS security teams need to remain vigilant for new variants of the WannaCry which may use new replication techniques.
Now that you have your marching orders here are a couple of other sources of information for you to review. The first article is one written by our very own Technical Director for EMEA based in the UK. His article ‘When Worms Attack Critical Infrastructure ‘can be found here.
Additionally our senior advisor and ‘godfather’ of ICS security Eric Byres helped out our friends at ISSource with his article titled ‘How to Protect Against WannaCry’.
And be sure to check back soon – very shortly we will be publishing a more detailed analysis about how an orchestrated tool like our Verve Security Center and its 100% visibility into your assets, their status and the ability to tune end points from our portal could speed future efforts like this. Stay tuned!