
Ransom
> While so far there is no indication that Norsk Hydro has any plans to pay the ransom
Depends on how afjordable it is.
Norwegian power and metals giant Norsk Hydro is battling an extensive ransomware outbreak on its computers. The biz, one of the world’s biggest makers of aluminum with sites in 50 countries, said on Tuesday that file-scrambling malware had infected its IT systems in the US and Europe. This cyber-intrusion forced a shutdown of …
They cut costs in IT to save money? IT departments are always seen as unimportant for some reason. When nothing is happening they are accused of "Not being required. Everything runs fine and you never seem to be doing anything" or "we keep having outages since cutting your budget so we'll outsource you".
Anyone know of an example?
Will will know in the next TheRegister installment of "To Pay or not to pay -- Insurance escapes (again) paying out Cyber Insurance claim".
I would thnk so. Ransomware is a pretty well established risk. Before the insurance pays out you need to have taken all reasonsable steps to avoid the incidnt in the first place. If they'd done that then almost certainly they wouldn't have an incident in the first place.
Usual suspects -
No money for training of staff on phishing or spotting other malware
Basic AV only
Internal network flat because reconfiguration would cause downtime
Servers and desktops unpatched for the same reason
No internal IT staff other than screwdriver techs
Backups either unprotected so encrypted as well or non-functional because they've never been tested
If any of that is the case they'll get fuck all money. Still not to worry it's still IT's fault somehow.
"No money for training of staff on phishing or spotting other malware"
should that really be a factor?
we have 8000 totally I.T illterate doctors and nurses. busy ones.
There is no way in hell one of the 8000 isnt going to click on a dodgy email, no matter how much training you force feed them.
"Cyber insurance" sounds like premium quality snake oil. I assume that any payouts would be in some obscure and valueless blockchain currency?
(Also, a pet peeve of mine: "cyber"-anything really does not mean what most people think the word means. It's one of those annoying stupid phrases from around 1995 that should really have gone away to "surf the web" long long ago, with an anchor (boat, not HTML) chained to its ankle...)
“Phil Neray .. told The Register that it was inevitable hackers would look to get ransomware onto networks at manufacturing and power giants, given how valuable system uptime is in those environments”
Then why not connect your valuable system environments using VPNs runing on read-only embedded hardware. If you don't know how to do that then maybe you're not tempermentally suitable for a career in IT.
-------
19.01.2019
Cyber Attack Against the Hydro Network
Please do not connect any devices to the Hydro Network. Do not turn on any devices connected to the Hydro Network.
Please disconnect any device (Phone/Tablet etc.) from the Hydro Network.
Await new update.
- Security
"Then why not connect your valuable system environments using VPNs runing on read-only embedded hardware."
What?
Your embedded hardware will be logging data from the equipment, even if they're read only, they need to send information somewhere. And VPN's generally don't help as you will likely be in full control of your network - adding a VPN on top will just mean the virus/malware propagates via encrypted tunnels rather than directly over the wire within your buildings.
Traditionally, good practice has been to fully isolate SCADA-type systems from office LAN's as they tend to receive less frequent patching (i.e. once or twice a year managed by the vendor) and often won't have AV installed due to either vendor recommendations or conflicts with fragile applications. As management of those systems is centralised or outsourced, the desire for more connectivity makes them harder to protect.
Having said that, it sounds like the SCADA-type systems aren't affected but have been isolated as a precaution. Based on previous organisations experiences with ransomware, if you aren't patched against the vulnerability it uses to spread, your only hope is shutting down the network until you have a solid plan for containment and rebuilding. And that solid plan better include isolation of any networks that you're unsure of - something that is often easier said than done when management of the devices is off-site.
"Traditionally, good practice has been to fully isolate SCADA-type systems from office LAN's as they tend to receive less frequent patching (i.e. once or twice a year managed by the vendor) and often won't have AV installed due to either vendor recommendations or conflicts with fragile applications."
This may have been the case in the past but these days many departments within an organisation need access to data from the process control systems for their day-to-day duties. I work for a large automation supplier where the typical system architecture consists of various layers (Plant/Process Control/Operator HMI/Servers/DMZ/Business LAN) separated by firewalls. Most modern control systems (rightly or wrongly) are windows based these days so there is a server that regularly rolls out Hotfixes, Windows Updates, and Virus Definitions.
A few specific examples of how the control system data is used are: Maintenance can interrogate or even re-calibrate field instruments from a workstation in the maintenance shop; Accounts can review tank inventories in real time; Process Engineers can optimise plant performance by reviewing data from the history servers; Corporate can compare production rates in real time between different plants all over the world.
Isolating a SCADA or Process Control System might seem like a good idea but even an air-gapped system can be susceptible e.g. as in the Stuxnet virus that could be introduced via a USB thumb drive.
At least am air-gapped system only has an intermittent and narrow channel to the rest if it's managed properly. That should exclude plugging in USB drives that haven't been checked, let alone plugging in the thumb drive you found lying in the car park. It would help to use more than one operating system, even if it's just on one extra box that you use for relaying between the two worlds.
This may have been the case in the past but these days many departments within an organisation need access to data from the process control systems for their day-to-day duties.
Eee, it meks y' wunder 'ow we did it before we filled t' place wi' computers, dunnit?
Totally agree but that's the connected world we now live in.
You could air-gap your home PC to protect yourself from online threats but that kind of makes surfing the web a little difficult.
Responsible home users can keep their software and AV up to date.
Because of the greater attack surface, responsible businesses have to take this to a whole new level https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
We aren't talking about home users or desktops, we are talking about control servers for vital national infrastructure.
I see no problem with airgapping such equipment, enabling one-way push to VERY locked down reporting servers for the shiny-brigade and requiring someone be on site to push in the moderator rods with their own fair hands (suitably gloved).
>How much do you want to bet they were using Windows 7 / 10 on Intel systems?
Instead of Norsk Data
Actually they might be, we had real time control systems in the late 90s running on Norsk data mini computers - with no plans to replace them.
Ever since Shodan came along, we will be seeing more of this in industrial settings. The big issue is the industrial controls that control material handling, processing, and manufacturing. These systems/networks MUST be air gapped (although that is not full proof as we have seen with the Stuxnet worm) to increase the difficulty level of performing a breach to very difficult to impossible for hackers, crackers, and state sponsored actors. Additionally, epoxy the USB ports and disconnect the optical drives so that nobody can slip something onto the network (not fool proof, but it does help).
Air gaped networks force an intruder to perform a up-front intrusion (they have to be on site). Physical security is another matter though.
They MUST be air-gapped - however the execs often demand network connection as when things are going well they can make a bit more profit by having faster response to changes - then they lose all that profit (and more) when things like this happen.
Having the control networks connected to the internet is like making more profit on ships by not having enough lifeboats (as on the Titanic).
"Having the control networks connected to the internet is like making more profit on ships by not having enough lifeboats (as on the Titanic)."
although correct thats the weakest analogy i've ever heard, the only thing the 2 have in common is "its a bad idea"
I'd have gone with:
"Having the control networks connected to the internet is like leaving your car permanently unlocked so your friends and family can easily access it."
And, with a truckload of luck, some other heavy-industry companies will take this as a heads-up and start moving their ass on the subject as well.
Yeah, it's gonna cost money. The only question is, are you going to pay that money before the enforced shutdown and cleanup, or after ?
I mean seriously, to be hit with Ransomware and to have that an effect on your production systems you must have been violating "best practices" a _LOT_.
It's not like such a thing or the cheap mitigations against it are new. Simply splitting your network and limiting what your clients have access to can bring a lot of additional security while only costing a few Euros per department.
If I was in the IT department of that company, I'd quickly try my best to fake notes I sent upstream to warn about this.
I cant see any indication that this was a wormable version of ransomware, so if they have had 000s of devices infected (rather than just the fileshares between the devices encrypted) then it implies they've been hit by a massive phishing campaign, failed to filter their email and been hammered for it.
Realistically, if they'd met the almost joke-like standards of Cyber Essentials, they'd probably have been ok.
LockerGoga is not a worm.
Norsk was hit by someone sh1t bombing their systems with it - possibly using AD logon scripts and/or their own patching system.
Unlikely to be mass emailing, but they were targeted by someone...
So its either an inside job or network penetration - both possible!
As part of the company’s digitalization strategy, security is a major focus for Hydro. In order to minimize risks to Hydro’s data and infrastructure, the Fujitsu Computer Security Incident Response Team (CSIRT) will provide global monitoring and response services to identify and stop security incidents around the clock. The services delivered by Fujitsu will include Security Information and Event Management (SIEM), vulnerability scanning, threat intelligence, and incident management.
http://www.fujitsu.com/fts/about/resources/news/press-releases/2017/emeai-20170120-fujitsu-to-provide-security-solutions-to.html