Alert
AL00318 - WannaCry Ransomware Attack FAQ
2017-05-17

Summary

This alert addresses common questions and concerns regarding the WannaCry (AKA WannaCrypt, WannaCrypt0r 2.0 or Wanna Decryptor) Ransomware attacks and the action that should be taken to protect your PI Systems.

These attacks exploit vulnerabilities in Microsoft's implementation of the Server Message Block (SMB) protocol.

Note that PI System core functionality does NOT require SMB. However, SMB is a default feature of the Windows operating system and may be enabled in your environment.

What should you do to protect your PI System from WannaCry and similar variants?

OSIsoft's advice for PI System servers allowing SMB is as follows:
  1. Maintain routine Windows updates. In particular, be sure MS17-010 has been applied. Guidance on patching procedures can be found in KB00457.
  2. Remove or disable SMBv1 by following the MS support article "How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server". The exploits leveraged by the WannaCry malware target SMBv1 specifically.
  3. Limit access to shared folders on PI servers to specific users, groups, or computers.
  4. Enable Application Whitelisting rules on PI System servers to prevent execution of unauthorized software. For implementation guidance with AppLocker, please see KB00994.

For guidance on preventative measures, see the section "Recommended Steps for Prevention" in the ICS-CERT bulletin "Indicators Associated with WannaCry Ransomware" or the Microsoft article "Customer Guidance for WannaCrypt Attacks".
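
A read-only audit for steps 2 and 3 above, as an added PowerShell example that is not OSIsoft or Microsoft code: it reports whether the SMBv1 server protocol is enabled, lists sessions that negotiated an SMB 1.x dialect, and flags share permissions granted to broad principals. It assumes an elevated session on Windows Server 2012 or later, where the SmbShare cmdlets are available; the list of "broad" principals is an illustrative choice.

```powershell
# Added example (not vendor code). Read-only: nothing here changes configuration.
# Assumes an elevated session and the SmbShare module (Windows Server 2012+).

# Step 2: is the SMB server still accepting SMBv1?
$cfg = Get-SmbServerConfiguration
"SMBv1 server enabled:    {0}" -f $cfg.EnableSMB1Protocol
"SMBv2/v3 server enabled: {0}" -f $cfg.EnableSMB2Protocol

# Clients currently connected with an SMB 1.x dialect. Anything listed here
# loses access when SMBv1 is disabled, so identify and upgrade it first.
$legacy = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect |
        Format-Table -AutoSize
} else {
    "No active SMB 1.x sessions."
}

# Step 3: list Allow entries on non-administrative shares and mark grants to
# broad principals. This list is an assumption for illustration; adjust it
# to your own policy.
$broad = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

Get-SmbShare -Special $false |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object Name, AccountName, AccessRight,
        @{ Name = 'Broad'; Expression = { $broad -contains $_.AccountName } } |
    Sort-Object Name, AccountName |
    Format-Table -AutoSize

# Once no client depends on SMBv1, the server side can be turned off with the
# line below. It is left commented out so the script stays read-only.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Share permissions are only one layer: the NTFS ACL on the shared folder also applies, so review both when tightening access.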

What PI System functionality requires SMB?

The core functionality of the PI System does not require SMB.  See KB01162 for a complete list of ports utilized by products; port 445 (SMB) is only used for the actions below.  If none of these use cases apply to the system, then access to port 445 can be blocked without impacting the PI System.
  1. PI Vision (formerly PI Coresight): import folders for PI ProcessBook displays in PI Vision.
  2. PI Interface for Universal File and Stream Loading and PI Connector for UFL: consume input files from a shared folder.
  3. PI Interface for Performance Monitor: collect Windows performance counters from remote computers.
  4. PI UniInt Interfaces: failover synchronization file.
  5. PI Collective Manager: initializing a secondary member of a PI Data Archive collective.
  6. PI SMT and PSE: remotely creating a PI Identity/Mapping to a non-domain based Windows user or group on a PI Server. 
Notes:
  • Prioritize the MS17-010 update for machines hosting shared folders or performance counters that are accessed by PI System components described above.
  • Items 5 and 6 are administrative tasks, which should only need to be performed infrequently, so the port can be enabled for maintenance windows and closed when maintenance is complete.

Has MS17-010 passed compatibility testing? 

Yes, MS17-010 was included in the patch compatibility tests for Windows Server 2012 R2 and Windows Server 2016.  

Although the targeted patch compatibility testing program for Windows Server 2008 R2 has ended, OSIsoft incorporates all supported Windows operating systems in our daily development and test environments. No PI System issues have been identified or reported with the MS17-010 update.  Please see our MS Security Patch Compatibility program for more details. Furthermore, the MS17-010 patch is deemed compatible with the PI Server by default, as SMB is not required by any PI Server version. More specifically, the OSIsoft patch compatibility program has no functional tests for SMB. 
 

How do I know if the patch is applied? 

Check with your IT team to verify that the KB containing MS17-010 for the server OS is installed.   
 

Will my PI System break if I disable SMBv1, specifically? 

No. PI System software does not require the use of SMBv1.