Thoughts on the wake-up-call (another one) called “WannaCry”

“But as soon as we find out that it’s state-sponsored, or there may be state actors involved, we back away from that.” – Interpol digital crime centre director Sanjay Virmani

Seems that the WannaCry incident should appear on anyone’s short list of notable cyber incidents of 2017 (so far). Some reports in the press have referred to this as a “wake-up call” (1). Since Stuxnet in 2010 there have been other such wake up calls but it seems many remain in deep sleep and instead of an alarm a good shove and yell in the ear of the sleeper may be in order. In terms of WannaCry and the cybercrime threat reaching industrial control systems, I found two articles written before May 12 that predicted this would happen. One article which was published in December 2016 has recently been republished.(2) Another report comes from a recent ICS conference in Singapore.(3)

From the other reports I have read about WannaCry since May 12 and judging from the published screen shots the infections were limited to the office side IT and did not make it to the OT side. Public screens displaying train schedules were disrupted but no trains were caused to derail.

German Railroad Information Screen showing effect of WannaCry infection

Enough FUD apparently was generated to cause some manufacturers and operators to shut down or reduce their operations out of caution (4). Thought that the control system world could go on without having to worry about attacks from cyber criminals but things have changed. Now what can be done about it? If cyber criminals start switching their targets from hospitals to manufacturing and sectors of critical infrastructure then we can refer to law enforcement and international cooperation (there is the European Council Convention on Cybercrime and other legal instruments to apply) to catch and prosecute the perpetrators.

A new problem appears however. What to do if states backed up with their impressive resources decide to engage in this malicious activity? If one can believe the reports that, the warhead part of WannCry came from the cyber arsenal of a state then this idea is not far-fetched. Calling this state activity a cybercrime and going after the perpetrators using law enforcement may not work out very well. I have a quote somewhere from the director of Interpol who stated that if the cybercrime investigation leads to evidence of state involvement they drop the case (5). Wake up calls have been ringing for both the hi-tech engineering and international security policy communities for some time. Both need to get together and start discussing ways to manage this before the next “wake-up-call” happens.

Proposals for norms of state behavior in cyberspace have been on the table for some time (6). They need to be taken up and seriously considered now. Perhaps this will also generate enough support for self-restraint and for more aggressive international cooperation to keep cybercriminals from thinking placing ransomware on a control system is worth the risk.


1 Microsoft warns ransomware cyber-attack is a wake-up call
15 May 2017

2 Ready for Ransomware? (originally published in December 2016)
May 16, 2017 by Sean Lyngaas – Contributing editor
* *

3 New SCADA Flaws Allow Ransomware Other Attacks
By Eduard Kovacs on April 27, 2017

4 Ransomware and control system cyber security
Submitted by Joe Weiss on Tue, 05/16/2017 – 00:42

5 Inside Interpols digital crime centre
By Andrew Sadauskas on Oct 21, 2015 11:00AM

6 For the latest see: “Microsoft Outlines Cyber Geneva Convention Proposal”, Marks, J., April 24, 2017.

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.