By John Chirhart, Federal Technical Director, Tenable
The recent WannaCry attacks are a stark reminder that cyber-attacks don't always discriminate among their victims. The ransom amount ($300) is a sign that this attack targeted both citizens and businesses. Though the ransom is expensive to the average citizen, the hidden cost of the attack is what really deserves notice. The NHS' hospitals were severely affected by the attack. Though no official reports have been produced, this attack could very well have cost human lives. The disruption of medical services even by minutes can make the difference between life and death. Even in combat, hospital facilities and medical personnel are off-limits. Article 14 of the Geneva Convention strictly forbids attacks on medical facilities and personnel.
It is rumored that the technology behind the WannaCry attack came from a leaked cyber capability created by a nation state. If proven true, this amounts to someone stealing a weapon from a military and using it against innocent citizens. This attack put lives at risk for financial gain. One could argue that this was a terrorist attack and possibly even a war crime. It will be interesting to see what legislation and/or international response (if any) will come of the attack. It would be a truly remarkable day if we see a cyber-attack discussed or condemned before the United Nations Security Council.
Attack and IoT
The ransom amount ($300) was likely designed to target users desperate to retrieve their digital memories collected over the years. Though expensive to a regular user, the amount was "feasible" in terms of total potential loss. In a nutshell, it was a business decision. One area where this is not the case is Operational Technology (OT) devices. A big buzzword these days is IoT, or Internet of Things. The security research teams at Tenable affectionately refer to IoT and other similar technologies such as Industrial Control Systems (ICS) as OT.
The impact of WannaCry on OT is far greater than imagined. For example, medical devices such as Computed Tomography (CT) Scanners are connected to control systems. These control systems often run "legacy" operating systems such as Windows XP. Merely reloading the operating system on these controllers can cost thousands of dollars and leave the device down for service for days. A CISO for a major U.S. hospital chain recently confided that it costs $10,000 to "reload" the controller for one CT device. The total cost of the attack could easily reach levels previously unimaginable.