The Wannacry work, which has hit the NHS in England and Scotland, highlights the growing menace of ransomware and the risks surrounding unpatched systems and unsupported operating systems, The risk to healthcare providers, and other critical national infrastructure, is evident. How can organisations better protect themselves? Richard Piggin, cyber security expert, IET, shares his thoughts.
The WannaCry or Wanna Decryptor malware has affected 150 countries, including the United Kingdom, United States, Spain, Russia, Taiwan, France, and Japan. Several variants have already been reported, all targeting Windows-based operating systems. Infections are expected to escalate, and could target similar network processes in other operating systems, such as Linux. Early indications suggested email phishing campaigns initially infected computers, using email attachments and malicious websites links have been confirmed. The worm then spreads across networks.
While assurances have been given regarding the loss of patient data, the malware provides backdoor access to victim’s computers – so data theft is a distinct possibility. Yet the issue isn’t just about the security of patient information, it’s also about preventing patient harm.
This is not an isolated incident. Similar incidents have already occurred in the healthcare sector, even in the UK. Only a few hospitals were affected, attracting limited publicity and concern. Many more medical facilities in the U.S. have also been targeted. The impact of such attacks features in a new BSI publication on Medical Device Cyber Security, which describes the convergence of safety and security risk, along with defensive principals.
Other sectors have also been impacted. It’s not yet clear to what extent production or services outside healthcare have been disrupted, but they include UK, French and Romanian car plants and the German rail operator. Spanish victims included telecoms and utilities companies. Critical infrastructure asset owners have been impacted by ransomware in the past, including several power utilities.
New forms of malware are being discovered at an ever-increasing rate – and those responsible for the security of critical national infrastructure security need to address the evolving risk with regular reviews.
Cyber security is still a journey and all cyber security governance regimes will need to reflect on the lessons learned from the WannaCry crisis once the dust settles.
In the meantime, there are some basic steps that will help organisations avoid potential reputational damage, disruption, loss of information, financial loss – and impact on patient, or customer, wellbeing:
1. Back up systems – and exercise the plan for incident response and restoration of compromised systems
Patch and update systems, although this can be a challenge for Cyber Physical Systems (controlling physical processes), with 24-7 operation 365 days a year, coupled with long lifecycles. So compensating measures must be put in place for occasions when timely patching and updating is unachievable. Network architecture implementations that protect and segregate vulnerable systems with anomaly detection are common approaches, along with disabling unused services/protocols.
2. Address phishing as the route to initial infection
Educating staff will reduce the number of successful attempts, but is unlikely to protect against habitual clickers or well researched, and crafted, targeted spear-phishing. So other technical measures are needed to prevent malware being downloaded or malicious sites visited. Raise awareness amongst employees, particularly to operational and engineering staff, of recent threats and attacks.
3. Manage the supply chain
Address the security of embedded systems that may have long lifecycles. What is the security model and how will this continue to offer proportional risk-based defence? Asset owners should stipulate their security requirements. Vendors should offer these by default, and they may even become a product differentiator in the short to medium term. Expect them to be included in future procurement specifications.
5. Visit the “No More Ransom” website, and please pass on the recommendation. The initiative seeks to help victims of ransomware retrieve their encrypted data without having to pay the criminals. It also offers prevention advice.