Security Updates


Bad Rabbit

A new ransomware outbreak has been identified as “Bad Rabbit.” It is currently known to infect targets through a fake Adobe Flash installer that is presented to the user for download and installation via a “drive-by attack” when the user visits a website that is distributing this malware. Once a machine is infected, the malware uses a known vulnerability in SMBv1 to infect additional targets on the network. The ransomware encrypts the full disk, modifies the Master Boot Record (MBR) and forces a reboot, at which point the node prompts the end user to pay the ransom.

It is recommended that you follow the best practices described on this page under “Honeywell Recommends Steps to Mitigate Threats Posed by Malware,” including installing the latest qualified Windows patches. For more information about this specific ransomware, see the report issued by the United States Computer Emergency Readiness Team (US-CERT) at https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported.


Goldeneye / Petya Malware

A recent ransomware outbreak is utilizing a known vulnerability in SMBv1 to infect targets. This ransomware encrypts the Master File Table (MFT) and forces a reboot, at which point the node will prompt the end user to pay the ransom. It is currently reported to be spread via phishing attacks. Once the ransomware enters a network, it attempts to spread through the use of WMIC and PSEXEC, which allows it to impact machines that otherwise would not be vulnerable to the SMBv1 exploit vector. It is also reported that the email address used to facilitate unlocking of an infected machine has been shut down, and therefore paying the ransom will no longer work.

It is recommended that you follow the best practices described on this page under “Honeywell Recommends Steps to Mitigate Threats Posed by Malware,” including installing the latest qualified Windows patches. For more information about this specific ransomware, see the report issued by the United States Computer Emergency Readiness Team (US-CERT) at https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported. Also see the Alert issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B.
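A defender-side sketch of how the WMIC and PSEXEC spreading described above can be surfaced from Windows event data. This is an added example, not Honeywell code: the event tuples are constructed samples in a simplified shape, and the rule names, host names and the `detect` / `hosts_by_rule` helpers are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from a real incident), reduced to
# (event_id, host, message). 7045 = System log "service installed" (seen on
# the target host), 4688 = Security log "process created" (seen on the source
# host, and only useful when command-line auditing is enabled).
SAMPLE_EVENTS = [
    (7045, "HMI-01", r"Service Name: PSEXESVC  Service File Name: %SystemRoot%\PSEXESVC.exe"),
    (7045, "HMI-01", r"Service Name: Print Spooler  Service File Name: C:\Windows\System32\spoolsv.exe"),
    (4688, "ENG-02", r'Process Command Line: wmic /node:"10.0.0.7" process call create "C:\Temp\example.exe"'),
    (4688, "ENG-02", r"Process Command Line: wmic os get caption"),
    (4688, "HMI-01", r'Process Command Line: WMIC.exe /NODE:10.0.0.9 /user:ops PROCESS CALL CREATE "cmd.exe /c example.bat"'),
]

RULES = [
    # PsExec installs a helper service on the remote host; this matches the
    # default service name only (the operator can override the name).
    ("psexec-service-install", 7045, re.compile(r"service name:\s*psexesvc\b", re.I)),
    # WMIC starting a process on another node: /node: plus "process call create".
    ("wmic-remote-process-create", 4688,
     re.compile(r"\bwmic(\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I)),
]

def detect(events):
    """Return (host, rule_name) for every event that matches a rule."""
    findings = []
    for event_id, host, message in events:
        for name, rule_event_id, pattern in RULES:
            if event_id == rule_event_id and pattern.search(message):
                findings.append((host, name))
    return findings

def hosts_by_rule(findings):
    """Group findings so an analyst sees which hosts triggered which rule."""
    grouped = defaultdict(set)
    for host, name in findings:
        grouped[name].add(host)
    return {name: sorted(hosts) for name, hosts in grouped.items()}

if __name__ == "__main__":
    for rule, hosts in hosts_by_rule(detect(SAMPLE_EVENTS)).items():
        print(rule, hosts)
```

On a process control network, where remote administration tools are rarely expected, either rule firing on a node is worth triaging even without other indicators.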

CrashOverride/Industroyer Malware

Malware currently referred to as either “CrashOverride” or “Industroyer” is an industrial control system attack platform that is gaining attention due to the nature of its target platforms in addition to its modular design. The variant currently known to the security industry targets four protocols - IEC101, IEC104, IEC61850 and OPC DA - and is specifically designed to target industrial control systems used in electricity generation. We are actively monitoring threat intelligence platforms to determine potential risk and deterrence mechanisms. Please refer to “Honeywell Recommends Steps to Mitigate Threats Posed by Malware” below to mitigate threats posed by malicious software agents.

WannaCrypt Ransomware

On May 12, 2017 it was widely reported that many businesses were infected by ransomware. If you have a concern about your Process Control Network, it is recommended that you follow the best practices described on this page under “Honeywell Recommends Steps to Mitigate Threats Posed by Malware,” including installing the latest qualified Windows patches. For more information about this specific ransomware, see the report issued by the United States Computer Emergency Readiness Team (US-CERT) at https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported.

WannaCrypt is one of many names that have gained traction for the ransomware that has had devastating effectiveness in spreading and infecting machines across the globe. It takes advantage of an SMB exploit within Windows versions starting with Windows Vista (earlier versions may be impacted, but they are no longer supported by Microsoft and were omitted from the announcement) and up to and including Windows 10 / Server 2016. Microsoft released a patch for this vulnerability that has been qualified in the SUIT image in the March ISO. McAfee and Symantec have also released emergency Signature (DAT) files that Honeywell has qualified. Customers should immediately:

  1. Ensure they have the latest SUIT patches installed

  2. Ensure they have the most up-to-date DAT files installed

Malware and Antivirus support

 
Honeywell supports the use of McAfee and Symantec antivirus packages as part of our industrial control solutions. McAfee and Symantec continuously monitor emerging cyber security threats and update their software to address threats.

 
Honeywell Recommends Steps to Mitigate Threats Posed by Malware

 
The following steps are recommended to mitigate threats posed by malicious software agents.
  1. Ensure that your antivirus software is up to date with the latest qualified packages.

  2. Ensure that host platforms are up to date with the latest qualified patches.

  3. Ensure that there are no e-mail clients on any nodes of your process control network.

  4. Use a firewall and DMZ for the business network to process control network interface.

  5. Use Honeywell's High Security Network Architecture to lock down the nodes in your system. 

  6. Restrict and monitor all I/O devices on your process control network (i.e., USB, CD/DVD drives).

  7. Review the Experion Network and Security Planning Guide for additional guidance on securing your installation.


 
Additional Security Information

 
Honeywell Process Solutions publishes Security Notifications in the event that a product has a security vulnerability that has been resolved. Please subscribe to security notifications in order to ensure that your Honeywell products are up-to-date.

 
To report a security vulnerability against a Honeywell product, please visit

 
For more information about cyber security products and solutions please visit www.BeCyberSecure.com.

 

National Cybersecurity and Communications Integration Center (NCCIC) Guidance


 

Honeywell also recommends that customers review the Destructive Malware white paper issued by the National Cybersecurity and Communications Integration Center (NCCIC) at https://ics-cert.us-cert.gov/sites/default/files/documents/Destructive_Malware_White_Paper_S508C.pdf

​​​​​​​ ​​​​
