Patch or Perish: NERC-CIP and the Lesson of the WannaCry Worm

Last Friday and over the weekend, thousands of computers were infected with the Wana Decrypt0r 2.0 or WannaCry worm. The rapid spread of this malware was due to its ability to seek out other computers on the same network, be that at work or a cafe, and then infect those systems as well. Once a computer is infected, the user’s system files are encrypted and they are given the choice to lose their files or pay a bitcoin ransom of $300. The worm interface motivates the user by not only threatening the imminent loss of data, but also upping the ransom. Racketeering and extortion are now fully a part of life in cyberspace.

(Source: Securelist)

NERC-CIP Guidelines Work

Unfortunately, there is no equivalent of RICO on the Internet. However, for the electric utility industry, there are enforceable guidelines that are designed specifically to prevent this kind of event from affecting the stability of the grid. North American Electric Reliability Corporation (NERC) guidelines for Critical Infrastructure Protection (CIP)-007-6 R2 state the following:

“A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.”

The policy further states:

“At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation.”

Cybersecurity Housekeeping

Over a month ago, Microsoft released a critical security bulletin update, MS17-010, which specifically stated, “This security update is rated Critical for all supported releases of Microsoft Windows.” The means to use this exploit effectively were freely available to hackers (and others) via information leaked from the National Security Agency (NSA).

The alert was issued by Microsoft on March 14 and the outbreak became widespread on May 12, indicating that all utilities could have reviewed and updated their patch management systems during the intervening period. Electric utilities were also protected by other systems that provide them with a defense-in-depth strategy.

NERC-CIP 007-R1 states that:

“Where technically feasible, enable only logical network accessible ports that have been determined to be needed … disabling or restricting (others).”

Researchers know that the initial component of the worm was designed to scan the local network for systems that have TCP port 445 open and are able to act as a gateway to the Internet using the DoublePulsar backdoor. This backdoor was used to retrieve the ransomware and install it on the local computer.

The CIP guidelines require that ports that are not necessary, as well as those that are known to be vulnerable, be blocked. It is common knowledge among cybersecurity practitioners that port 445 should be blocked at the firewall level as well as on the computer. Any entity that performed this basic level of cybersecurity housekeeping would have prevented infection of their systems.

Standards Frameworks Work, Too

Good cybersecurity is not just a product of having the latest firewalls and security systems in place; it is also the product of having a program in place, like adherence to CIP standards, that sets a policy and specific procedures that must be followed. Companies and organizations that do not adopt a standards framework, such as CIP, will increasingly be at the mercy of Internet racketeers and extortionists.