[mrweasel]

I can see that being somewhat impractical in real life, but you’re not wrong.

In the ideal setup NotPetya would have been less of an issue for Mærsk should only have allowed whitelisted software to run on computers controlling critical infrastructure. It’s just a solution very few choose to deploy.

[brazzy]

How would that have helped? The finance software that started the breach was legitimately needed and would have been whitelisted.

[mrweasel]

One of two things:

Either the malware modifies the finance software, and is executed as part of the finance software, but the checksum for the software is now different and can't run.

Or: The executable malware code is separate and only triggered by the finance software, which will fail to execute it, because the malware isn't a whitelisted application.

At any rate, the malware would never be able to escape beyond the finance software computers. This means that yes you could have some issues with invoicing, new orders and so on, but you most likely didn't have to shutdown ports, because the computers there aren't allowed to run the finance software.

[jojobas]

NotPetya authors penetrated the accounting software vendor and planted their attack code in a regular update.