Imagine a scenario where you wake up late because the smart coffee pot and alarm combo did not wake you. To make it worse, the coffee isn't made. The shower is cold because the preset thermostat didn't kick in at 6 am. The internet is down. On your walk to the metro, you discover that the traffic lights are out and police are everywhere, directing traffic by hand signals. The metro is closed: the ticket machines won't work, the barriers won't open and besides, the autonomous trains can't operate. You try to order an Uber but the phone lines are jammed and you can't get through. You try to get money out of the ATM to buy a coffee somewhere, but the machine is broken. You then receive an SMS from your boss telling you that the computers won't work, there's a popup message on the screen asking for bitcoin in exchange for data, and "oh, and do we still have a fax machine somewhere in the basement?"
This future scenario is perhaps a stretch of the imagination (it sounds a bit like something out of The Walking Dead, sans zombies), but since last Friday many people have thought more about cybersecurity than they ever needed to before. In short, over 50,000 organizations in 150 countries were hit by the WannaCry ransomware attack. In the UK, the National Health Service (NHS) was affected, with staff unable to access patient records, some phones down and operations canceled. In Germany, digital display boards at Deutsche Bahn train stations were inoperable. In Spain, internal computers were down at telecommunications provider Telefonica.
Fortunately, the attack was halted when the cybersecurity researcher known as MalwareTech found and inadvertently activated a "kill switch" in the malicious software, although its repercussions continue in some industries. But it brings to mind two main questions: what do we need to know about these kinds of attacks to prevent their recurrence, and how do we stop them from spreading to systems like smart city infrastructures, where critical services such as city traffic systems, power, transport, and health care are connected to the internet?
What Are the Particulars of The WannaCry Ransomware Attack?
In the first instance, this was an attack that was opportunistic in nature. It wasn't targeting a specific organization or type of organization but, rather, companies with outdated software. It appears that WannaCry ransomware leveraged a Windows vulnerability that became apparent in April when a cache of hacking tools was leaked on the Internet and used by a hacker group called Shadow Brokers. (The code can be found on GitHub.) Security researchers believe the hacking tools came from the USA, including a tool called EternalBlue that makes hijacking older Windows systems easy.
It specifically targeted the Server Message Block (SMB) protocol in Windows, which is used for file sharing. Microsoft had already patched the vulnerability, but only for newer Windows systems. Older ones, such as Windows Server 2003, are no longer supported but are still widely used among businesses, including hospitals that are looking to cut costs on IT infrastructure. (Microsoft has since released patches called KB4012598 for Windows 8, XP, Vista, Server 2008 and Server 2003 to protect against "WannaCry" ransomware.)
Secondly, this attack was about making money, according to many security experts. I spoke to Adam Dean from GreyCastle Security and he explained:
"People deploying ransomware are looking for industries that are particularly weak. Hospitals is a popular one because they're much more open, and they have a lot of doctors and nurses that are not tech savvy. You’re looking to find that hole where you can make your money."
However, the hackers failed rather spectacularly in their efforts to rake it in, netting a mere $30,000 USD for their trouble.
What About Other Infrastructure Attacks?
IoT has been connected to two of the most well-known attacks of the last year, Mirai and Hajime. However, even before these, we've seen attacks that have impacted important city infrastructure.
A ransomware attack occurred last year on San Francisco's transit system. Monitors in station agent booths were seen ablaze with the message "You Hacked. ALL data encrypted," and the culprit allegedly demanded 100 Bitcoin (about $73,000). In a statement, the SFMTA (better known as Muni) said:
"On Nov. 25, the SFMTA was a victim of a ransomware attack. This cyber crime disrupted some of our internal computer systems including email. Transit service was unaffected and there were no impacts to the safe operation of buses and Muni Metro. Neither customer privacy nor transaction information were compromised."
Muni says it turned off payment machines and opened the gates as a precaution, meaning that the attack was, fortunately, brief and contained. It's not the first attack on public transport. In 2008, in the Polish city of Lodz, four trams derailed and several others were forced to make emergency stops, injuring 12 people, when a teenager hacked the tram system using open-source information and trespassing into tram depots, taking control of a vehicle and the points system. Then in 2014, the Chinese national train reservation system was targeted by hackers who stole customers' personal data. All of this suggests that with the right know-how, public transport is a relatively accessible target, perhaps as much for the brag factor as for financial reward.
Healthcare Is a Common Target for Cyberattacks
Cybersecurity company SecurityScorecard, which provides cybersecurity assistance specifically to the healthcare industry in the US, notes that many companies have simply paid small ransoms rather than publicize that they have had incidents. In 2016, California's Hollywood Presbyterian Medical Center was hit by a ransomware attack that left its networks offline for over a week, including CT scans, documentation, lab work, and pharmacy systems. The hospital ultimately decided to pay the ransom, and in a statement, President and CEO of Hollywood Presbyterian Allen Stefanek said:
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Research undertaken by SecurityScorecard revealed that:
- Over 75% of the entire healthcare industry has been infected with malware over the last year.
- 88% of all healthcare manufacturers have had malware infections.
- 96% of all ransomware affecting the healthcare industry targeted medical treatment centers.
It's worth noting that attacks on health care services can have multiple purposes that extend beyond ransomware. In particular, electronic health records can be stolen and the data used to produce insurance cards or driver's licenses, or even to construct entirely new identities. Cyber criminals can use prescription information to procure drugs, misuse Medicare insurance IDs, offer medical insurance, and use Social Security numbers to file fraudulent tax returns. This, of course, is a whole area of cyber crime that warrants deeper analysis, and I'll be covering it in a future article.
Where to Now for Securing Critical Infrastructure?
While a fully comprehensive analysis of cybersecurity strategies is beyond the scope of this article (and my knowledge), there are some straightforward things that people working in infrastructure can do to reduce the risk of cyber attacks.
The American Public Transportation Association released a white paper in 2014 that recommends "hardening digital infrastructure to be more resistant to penetration and disruption and working with allies on international norms of acceptable behavior in cyberspace, strengthening law enforcement capabilities against cybercrime, and deterring potential adversaries from taking advantage of remaining vulnerabilities."
It's easy to forget that public transport, smart city infrastructure, and healthcare services are still managed by people (we're not at the stage where machines do all the work). Organizations can reduce their vulnerability by:
- Educating staff members on the basics of cybersecurity and risk management, including how to identify suspicious emails and what to do if they receive one.
- Maintaining good firewall and spam filtering.
- Knowing where their data is. Most organizations have a poor understanding of where their sensitive data is stored. By understanding this, security teams can be sure sensitive data is not stored in an unauthorized location, and concentrate the strongest security around the most critical systems and information.
- Using services such as Shodan, a search engine for internet-connected devices, to discover which of their own devices are publicly accessible on the internet and may therefore be exposed to attackers.
- Keeping good, tested, reliable backups that include off-site and offline copies.
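As an added example (not from the article or any vendor), here is a read-only PowerShell check a Windows administrator could run against the two points above that are specific to WannaCry: the SMB vulnerability and the KB4012598 patch mentioned earlier, and the firewall item in this list. It reports whether SMBv1 is still enabled, whether a listed patch is installed, and whether any enabled inbound host-firewall rule allows TCP 445; the cmdlets assume Windows 8 / Server 2012 or newer (with a registry fallback for SMBv1 on older systems), and the patch list is a placeholder to be extended with the Microsoft SMB patch for your own OS build.

```powershell
# Added example: read-only WannaCry exposure check for one Windows host.
# Assumption: only KB4012598 (named in the article) is listed; add the SMB
# patch ID for your own OS build (hypothetical placeholder 'KBxxxxxxx').
$RequiredPatches = @('KB4012598')

function Get-WannaCryExposure {
    $report = [ordered]@{}

    # 1. Is SMBv1 still enabled? The WannaCry SMB exploit needs it.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Legacy fallback: the SMB1 registry value; absent means enabled by default.
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $reg.SMB1) { $true } else { [bool]$reg.SMB1 }
    }
    $report['SMB1Enabled'] = $smb1

    # 2. Is at least one of the listed patches installed?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $report['PatchInstalled'] = [bool]($RequiredPatches | Where-Object { $installed -contains $_ })

    # 3. Count enabled inbound host-firewall rules that allow TCP 445 (SMB).
    $rules445 = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    $report['Inbound445AllowRules'] = @($rules445).Count

    [pscustomobject]$report
}

$result = Get-WannaCryExposure
$result | Format-List
if ($result.SMB1Enabled -and -not $result.PatchInstalled) {
    Write-Warning 'SMBv1 is enabled and no listed SMB patch is installed: patch or disable SMBv1 first.'
}
```

Run it in an elevated PowerShell session so that the firewall and hotfix queries return complete results; a host that reports SMB1Enabled = True with no patch and open inbound 445 rules is exactly the profile WannaCry spread through.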
Ultimately, for security to be robust, reliable, and effective, it needs appropriate investment of time, money, and energy, appropriate skilling and training of staff, and an effective action plan in place for if and when an attack occurs. I haven't touched on the insecurity of connected health devices itself (that's for yet another article soon), but needless to say, robust security needs to cover all aspects of tech, not just email and administrative and backend systems. This won't be the last of these kinds of attacks, as attackers expand their knowledge and exploit our weaknesses.