Boeing headquarters in Chicago.

 

On the morning of March 28, the Seattle Times reported the WannaCry ransomware had infiltrated aerospace manufacturer Boeing. The paper cited an internal memo from Mike VanderWel, chief engineer at Boeing. It's hard to imagine a memo more alarming: “It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” VanderWel wrote.

But in a statement later that day on Twitter, Boeing pushed back on reports the attack had been extensive. “A number of articles on a malware disruption are overstated and inaccurate,” the statement said. “Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production or delivery issue.”

The ransomware exploited vulnerabilities in Windows XP, which Microsoft patched shortly after WannaCry started wreaking havoc. Why then didn't Boeing, one of the largest U.S. companies that has been the target of cyberespionage and attacks in the past, fix these well-known flaws in its systems?

Simply put, it may have been too costly for the company to update its systems. Chris Morales, head of security analytics at cybersecurity management solution provider Vectra, noted that for major manufacturers, “tampering with a system that is always running might have a larger impact than patching that system.” Some systems, therefore, are too essential to interrupt, even for cybersecurity protections.

It is also not uncommon to find large manufacturers such as Boeing to still using outdated systems such as Windows XP. “What I have observed across multiple manufacturing companies is that they end up using old systems, not because they want to, but because they built the software to control the robots” and other tools on those old systems, said Raj Rajamani, vice president of product management at SentinelOne.

Boeing officials were mum on the incident specifics. But experts believe they were dealing with a fast-evolving situation, and with systems that could not easily be updated and protected against the ransomware.

Boeing's “memo was sent while the attack was in progress, which to me actually speaks well to their ability to detect and respond to incidents,” Morales added.

The WannaCry ransomware first came on the scene in spring 2017. It targeted a host of worldwide organizations, including the U.K.'s National Health Service and law firm Shutts & Bowen, who was able to successfully protect itself from infiltration.

That Boeing got attacked by WannaCry is of little surprise to most cybersecurity experts. Despite reaching the apex of its infections last spring, WannaCry is likely still hidden around the internet and in IT devices.

“We will actually continue to see further WannaCry incidents in years to come as many systems will remain unpatched and the malware will be lurking on some USB sticks, hidden in emails or embedded on infected websites waiting for an unsuspecting victim to click on it,” said Joseph Carson, chief security scientist at password account management solution provider Thycotic.

But getting infected with WannaCry isn't always a major blow for a company. Should a company have segmented networks, for instance, it may be able to isolate the ransomware, explained Dimitri Sirota, CEO of compliance solutions provider BigID. “You quickly build a firewall around it so it can't go out and spread,” he said.

What's more, if a company has data recovery and backup procedures in place, it can triage the infected systems while getting up and running again with minimal business disruption.