9 July 2017
“Germany’s BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.” The report “Germany says cyber threat greater than expected, more firms affected” published in the Reuters Technology News on 7 July 2017 is worth reading.
But the big question is: Why is the industry such vulnerable against WannaCry and NotPetya style attacks?
In my opinion, the main reasons for this are
- the aging IT infrastructure, and
- the built-in features of the Windows operating system.
Aging IT infrastructure
||Introduced with Version
||Year of Release
||Windows XP / 2003 Server
||2001 / 2003
||Windows Vista / 2008 Server
||2007 / 2008
||Windows 7 / 2008 Server R2
||Windows 8 / 2012 Server
||Windows 10 / 2016 Server
||2015 / 2016
Table 1: SMB Versions
The source of today’s problems, SMB V1.0, was introduced with Windows 2000. With the end of the extended support for Windows XP on 8 April 2014, and Windows 2003 Server on 14 July 2015, Windows XP/2003 Server became a big security issue.
Nevertheless, systems with XP or Windows 2003 Server are still operated in data centers and industrial networks. Since these systems must exchange data with other Windows-based systems, SMB V1.0 cannot be just switched off. Even Windows systems which support SMB V2.0 or higher must allow SMB V1.0 for data exchange with older versions.
The big question is: Why takes it so long to shut down Windows XP/2003 Server? The answer is easy: Software and hardware manufacturers have not sufficiently cared about the software life cycle, at least in the past. Let me illustrate this with an example.
A package unit in Healthcare industry is a large machine with lots of inbuilt computers. Since package units are very expensive, they are operated for many years and extensively changed to support new products. With this, a package unit delivered in 2008 with embedded Windows XP control units may still be in use 24 hours a day in 2017.
The hardware of the computers is designed to control a high-speed packaging process. To ensure sustained high operational quality the manufacturer often allows neither the installation of anti-malware software nor service packs for the OS, not to mention the upgrade to newer versions of the Windows OS.
Since the MES (Manufacturing Execution System) copies files to and from the packaging unit through files shares on the embedded Windows XP control stations, the MES must communicate through the SMB V1.0 protocol. The same is true for computers used in remote maintenance. With this, a single Windows XP machine reduces the security level of an entire network.
The big challenge is to design maintenance-friendly industrial computer systems: An exchange of hardware and software components, which are near End-of-Life or which have reached technical limits, must be easily possible. This requires a change in the design of software in industry. In addition, hardware should be dimensioned such that basic security features like anti-malware protection could be operated.
Manufacturers were often not aware of the software lifecycle and its impact on cyber security and integrity of product and production in the past. A change is desperately needed, in particular with regards to the increased use of IIoT devices.
Have a great week.