Malware propagation between sites costs TSMC tens of millions

The CEO of TSMC – the manufacturer of key chipsets for Apple’s iPhones, and for many other global companies – reported Monday that the company was forecasting a drop of 2% in Q3 revenues, or about $160M, due to an infection of its manufacturing facilities by a variant of the WannaCry ransomware. The malware entered the manufacturing network when a new piece of fab tool equipment was installed. The malware appears to have spread rather quickly, as the CEO indicated that at the peak of the infection, 10,000 machines were impaired at several manufacturing sites. The CEO maintained that the attack was not targeted and that the WannaCry variant demanded no ransom.

Two main takeaways:

1) Even common malware can infiltrate and damage large, global enterprises with modern manufacturing facilities. They are not vulnerable only to high-end, targeted nation-state attacks.

2) Accessibility of manufacturing sites, or industrial sites in general, from the internet does not end well. Firewalls, VPNs and access control fail to prevent infiltration, and intrusion detection systems (IDS) and similar technologies fail to detect those intrusions.

Robust network perimeter protection is essential – TSMC could likely have saved tens of millions of dollars if Unidirectional Security Gateways had been deployed to safely integrate its IT and OT networks. Each plant could have been protected from malware attempting to spread between sites via IT networks or other internal networks.

The time has come to stop taking half-measures on industrial security. Unidirectional Gateways are hardware-based, physical protection for industrial sites. No malware can propagate through the gateways, no matter how sophisticated current or future malware becomes, or how clever our current or future enemies are.

Details – Proper hygiene practices

An important conclusion to draw from the TSMC experience is the importance of separate, isolated test beds. Sites with secure industrial networks thoroughly inspect every new product, system or software before passing it across the physical perimeter. This inspection generally includes testing the new components and information with anti-virus scanners, sandboxes, vulnerability scanners, fuzzers, and other techniques. The purpose of the test beds is to identify all behavior that poses a threat to the correct operation of physical industrial processes – from malware attacks to safety issues to outright bugs that impair reliable physical operations.

The failure here is not that an AV scan was missed, but that a new piece of software was brought straight into a network connected, directly or indirectly, to the industrial network without first testing it on a test bed.

Details – Network perimeter

WannaCry spreads very quickly among unpatched equipment using the CVE-2017-0144 “EternalBlue” vulnerability. The TSMC CEO commented on Monday on how difficult it is “to ensure that all of the company’s Windows 7 machines have been updated with the latest security patches, as the process requires collaboration with equipment suppliers and can only be performed during downtime.” Put these together and it is reasonable to assume that the WannaCry variant spread quickly through unpatched Windows 7 equipment on industrial networks at a number of connected manufacturing sites.

The important lesson here is not to “patch everything, now” – there will always be more vulnerabilities, known or yet unknown, in any product, system or software. The important lesson is that strong defenses are needed to prevent the spread of malware between industrial sites. If the infection had been confined to the first compromised site, TSMC could have saved tens of millions of dollars.

Many practitioners will assume that firewalls are the first line of network perimeter defense. We can assume TSMC had firewalls separating its sites, probably layers of firewalls. The real problem here is that firewalls are porous. All firewalls can be circumvented. Every cyber-attack made public in recent years was possible because the attacker was able to penetrate firewalls.

The robust solution is to deploy physical, hardware-based protection for industrial sites in the form of Waterfall’s Unidirectional Security Gateways. The gateways physically permit information to flow in only one direction – usually from protected industrial networks out to less-trusted IT networks. Operational data and other information can be shared by the OT networks to the enterprise networks, remote vendors monitoring facilities, or even industrial cloud services, but nothing – no virus exploiting any vulnerability – can get back into the industrial production network.

The bottom line

Cybersecurity incidents on industrial networks are expensive. Very expensive.

Companies are vulnerable to targeted, sophisticated attacks, but they are also vulnerable to common, run-of-the-mill viruses and other widespread malware.

A security program should be able to prevent cyber-attacks from happening and, for those that do happen, to contain them and stop their propagation.

Waterfall Security’s Unidirectional Gateways were designed to tackle these types of attacks. They are widely used in many industries, across the globe.

Lior Frenkel