Together with Stuxnet, NotPetya is one of the attacks that changed (or should have changed) people's perspective on cybersecurity. Stuxnet was a targeted attack, and the target was fully described in the attack code. Furthermore, it was one of the first attacks with a physical impact, as it destroyed some centrifuges in a uranium enrichment plant. NotPetya, instead, was a massive attack, designed like any ransomware to have an impact on every system it could reach. Hence, while Stuxnet spread widely but had a low impact, NotPetya had a huge impact because it was designed to encrypt critical areas of the disk to prevent systems from booting. This resulted in a complete stop of several companies. Furthermore, no working way to pay the ransom was provided, so recovering the encrypted information was impossible. Several companies were completely blocked for weeks, and some could restore their information only because a few systems were not connected when the attack occurred. The White House estimated the global cost of the damage due to NotPetya at 10 billion US dollars.

In the days of the attack everyone was speaking about the power of the attackers and the fact that only a state could conceive and implement such an attack. As an example, some insurance companies refused to pay for the damage by classifying the attack as an "act of war" by another, unknown, state. Luckily, some years later a more balanced point of view is emerging that attributes most of the success of the attack to weaknesses of the target systems. As an example, patches were available for the vulnerabilities NotPetya exploited, but they had not been applied because of the huge number of patches to deploy and the lack of an effective scheduling strategy. Another weakness is the missing adoption of defence in depth in favor of a flat architecture where every node can interact with any other node, and more generally the missing adoption of a security-by-design strategy.
The main security lesson here is that system robustness should be assessed and improved before an attack occurs, not by waiting three years to discover the weaknesses that simplified the attacker's work.
Most OT systems include legacy equipment that was designed neither to be connected to the internet nor to defend against malicious cyber activities. This is particularly