“WannaCry” Malware Sparks Fears of Aerospace Cybersecurity Gaps
By Tom Risen | March 30, 2018
Analysts want more malware research to prevent property damage, caution that factory machines are weak links in cybersecurity
Automated industrial devices, including sensors or robotic arms in airplane factories, can damage assembly lines if infected by malware, say U.S. cybersecurity analysts. They are sounding the alarm about what they view to be a lax cybersecurity culture in the manufacturing sector that includes insufficient sharing of information about malware.
I spoke to analysts after the Seattle Times, citing an internal Boeing memo, reported that the company experienced a “WannaCry” infection that began spreading from its facility in North Charleston, South Carolina, where Boeing 787s are assembled.
A Boeing spokeswoman confirmed in a statement that there was a malware incident, and said the company “quickly applied the appropriate fix with a software patch.” The statement did not identify the malware.
“It was limited to a small number of machines within our commercial airplane business,” the statement reads. “There was no interruption or impact to any aircraft production. We have made appropriate notifications to authorities and there’s no further follow-up requested or needed at this time.”
Analysts say there are risks of more serious incidents that could stop factory assembly lines in the U.S. aerospace sector. “A lot of factory machines are leased and not owned,” says Jake Williams, a former U.S. National Security Agency cybersecurity analyst. Manufacturers including aerospace companies often rely on a third-party group to make security patches to update machines connected to their network and prevent them from becoming infected.
“Alternatively, a company owns a machine but they can’t patch it because that would void the warranty,” says Williams, now the president of Rendition Infosec cybersecurity consulting firm in Georgia. “In the manufacturing industry it is difficult to apply best practices.”
Microsoft stemmed the global infection of the WannaCry malware last May by releasing a series of security patches to fix the vulnerability that the infection exploits in Windows software. Williams has no information about the Boeing incident beyond news reports, but he speculates that an infected machine could have spread the malware to other machines connected to the company’s internal network. Malware can flow through the internet far beyond its initial target, and Rendition has seen malware affect machines accidentally or through deliberate hacker attacks. Malware “definitely can take a plant down,” including airplane factories.
A working group of engineers, established in December, has been trying to create cybersecurity standards for industrial automated machines and control systems. The group was established by the International Society of Automation, a nonprofit headquartered in North Carolina. Joe Weiss, a cybersecurity analyst and the head of this working group named ISA99, wants more software forensics data about how malware can affect industrial machines, including robot arms that are not directly connected to the internet but could be infected by connecting to other machines. Process sensors, actuators and drives that run industrial automated machines are not considered as part of a cybersecurity strategy, he says, adding “these insecure devices are critical to all commercial, industrial and defense applications.”
“To IT, cybersecurity means the network, not control systems,” Weiss says of devices including sensors that guide robots. “Can that network vulnerability affect the robot on the factory floor, the valve in the power plant or motor in a compressor station?”
The U.S. Department of Homeland Security’s National Cybersecurity Communications and Integration Center shares information about WannaCry and other malware threats with the Aviation Information Sharing and Analysis Center, a group formed in 2014 to represent aviation industry firms.
“This partnership ensures that industry members and the government are fully aware of threats such as WannaCry and the best practices for mitigating such threats,” said a statement from Aviation ISAC.
Government officials are also soul-searching about how much cybersecurity information they should share about software vulnerabilities, which in rare cases are stockpiled by intelligence agencies and which can make it easier for U.S. spies to break into a target’s computers.
The WannaCry infection took off last May after a group of hackers called the Shadow Brokers published a Windows vulnerability called EternalBlue online last April, as part of a trove of software exploits that the leakers claimed to have stolen from the NSA.
White House Homeland Security Adviser Tom Bossert said last December during a press conference that North Korea was responsible for spurring the WannaCry attacks in May but indirectly acknowledged the NSA.
“The government needs to better protect its tools, and things that leak are very unfortunate,” Bossert said last December.
Williams did not confirm whether EternalBlue originated from his former employer, the NSA, but he says “there is no question” the EternalBlue code was used to create WannaCry and he expects that within government “there are some harder decisions being made” about cybersecurity data sharing.