Boeing Hit By WannaCry Virus, Fears It Could Cripple Some Jet Production

An anonymous reader quotes a report from The Seattle Times: Boeing was hit Wednesday by the WannaCry computer virus, raising fears within the company that it could cripple some vital airplane production equipment. Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alarming memo calling for "All hands on deck." "It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down," VanderWel wrote, adding that he's concerned the virus will hit equipment used in functional tests of airplanes ready to roll out and potentially "spread to airplane software." Indicating widespread alarm within the company at the potential impact, VanderWel said the attack required "a battery-like response," a reference to the 787 in-flight battery fires in 2013 that grounded the world's fleet of Dreamliners and led to an extraordinary three-month-long engineering effort to find a fix.

Re:They use windows on planes!

[PPH]

No. But they do use it on manufacturing equipment now. I was there when they got hit with the Code Red virus. Fortunately, in 2001 they were running Solaris, HP-UX and Linux on the shop floor. When management came running out in a panic about possible effects on production, we told them, "No problem. We don't run Windows."

Management's response was, "Why aren't we running Windows?" I guess now they'll find out.

Re:They use windows on planes!

[ArchieBunker]

I can't believe they removed the F8 safe mode function from Windows 10. Now you need to be in Windows to tell it to reboot in safe mode. Good job there. What if your install is fucked and won't boot?

Re:NSA

[guruevi]

NSA isn't the only one to blame, Microsoft knew about the exploits that were going to be released when the NSA lost their data and chose to only patch some of the malware that the NSA had held onto, only after ShadowBrokers released WannaCry in the wild did they release the emergency fixes. They released a patch for XP about 2 months after WannaCry went public.

Microsoft deliberately held back patches and fixes for Windows for god knows how long because it benefited the NSA.

What a difference 2 days makes

[Flexagon]

I'm very interested to hear what Boeing vice president Phil Musser has to say about this event given his reported comment just 2 days ago in response to the closure of the Russian consulate in Seattle 'that the company has “rigorous IT and security protocols.”'.

Re:What a difference 2 days makes

[thegarbz]

Probably very little given TFA said it took them half a day to contain and caused zero production loss as a result. Frankly that is quite a phenomenal IT response given how many companies were cut off at the knees for a whole week at a time.

Re:They use windows on planes!

[PPH]

applications which have efficient workflow the features needed for many situations

Interesting. Because it was the 'efficient workflow features' that we had to build on UNIX systems at Boeing which were simply unavailable on Windows systems. CATIA started out running on UNIX (AIX and Solaris at Boeing) and was finally ported to Windows NT when the Microsoft fanbois cried hard enough. The backend 'workflow management' was never ported to a Windows platform during my time there. We just couldn't buy enough NT servers that would handle the load a Sun system could handle.

Data integrity was (and still appears to be) a problem for Windows systems. We had a requirement to keep people from modifying datasets not a part of their scheduled workflow. The NT folks could never figure out how to implement that. And more than a decade later, this is fundamentally what the WannaCry virus does. Windows just isn't ready for enterprise use yet.

Not your grandpa's Boeing

Boeing used to be one of the world's most competent corporations.

Then they merged with McDonnellDouglas. They absorbed the McD defense products, and then the morons in the board room replaced a bunch of Boeing's old management structures with the McD people. The McD teams used to outsource more stuff, whereas the old Boeing people used to do stuff more in-house. This came to a head with the 787 program which ended up over budget and behind schedule in large part because Boeing, which used to do everything inhouse, was under the new management oursourcing parts all over the planet and bringing the parts into the Boeing facilities for final assy - a tactic the McD guys were used to but the boeing people and systems were not. The results were entirely predictable to anybody without an MBA degree.

The idea that the new & reckless Boeing management was running their internal systems on the super-crappy Windows operating system is both predictable and sad. These clowns should not be trusted with national security projects - they probably store all their stuff unencrypted in the cloud and run their Windows machines unpatched and without antivirus protections and hardware firewalls.

This is the company that has been charging billions of dollars per year for nearly a decade to convert a shuttle external tank into a 1st stage booster - which they MIGHT be able to fly manned 20 years after the design started. Incidentally, the SLS design was specifically chosen to re-use shuttle heritage hardware, including engines and engine plumbing stripped directly from working orbiters, in order to accellerate development time and save money [sigh]. While Musk at SpaceX has been moving to re-usable rockets, Boeing is actually regressing to throwing away expensive reusable shuttle engines on each SLS launch!

Same company that has been studying blended-wing-body airframes for 20+ years without builing a single manned example. The old Boeing could design a readically new aircraft and get a test article onto a flight line in MONTHS.

This virus incident is just the most-recent evidence that the federal government was completely incompetent when they allowed Boeing to absorb North American aviation, Rockwell International's aerospace division, Bell helicopter, McDonnellDouglas (itself a merger of McDonnell Aircraft, Douglas Aircraft, Convair and Consolidated) and others. Huge bloated incompetent defense contractors lose all interest in being efficient and competent as they become hooked on cost-plus government contracts combined with lack of competition resulting from the absorption of most or all competitors.

Re:Not your grandpa's Boeing

[l0n3s0m3phr34k]

I work as a network security analyst at a small airline, who has some DoD contracts. 800-171 compliance is my job, and our infrastructure team bases most of our decisions around it. Wannacry was patched last year; you have only 30 days to apply patches or your non-compliant. IMHO, Boeing should be brought before Congress and threatened with loosing all their DoD contracts and forced to go through a third-party audit and fined for anything found non-compliant.

The ONLY "Saving grace" for Boeing might be that they might be able to show that the systems hit with Wannacry are not covered under any DoD contract; ie not used for anything DoD related. However, it's also my opinion that ANYTHING relating to our "national aviation infrastructure" SHOULD be, at a minimum, 800-171 compliant; as should anything relating to electrical utilities, water and sewage, and medical.

If we actually "go to war", the USA is totally fucked on this front. I fully expect any transition to a "hot war" with, say North Korea, will immediately result in most of the electrical grid shorting out / shutting down, entire city networks being corrupted, and anything with a PC being pwned within 24 hours. We, as a country, are as about prepared for "modern warfare" as the Native Americans were to meeting the Europeans and their diseases.