It’s no secret that the manufacturing industry is one of the most targeted industries when it comes to cyberattacks. According to EEF, 48 percent of manufacturers have at some point been subject to a cybersecurity incident, and half of those organisations suffered financial loss or a disruption to their business. But why the sudden interest in targeting manufacturers?
Intellectual Property (IP).
Threat actors (the bad guys) are seeking to steal intelligence on any new product, process, or technology that a manufacturer creates, which can be anything from obtaining blueprints of confidential designs, secret formulas, or unique assembly processes. This information can then be used by adversaries to sell products at a lower price and cut both competitive advantages and margins.
In conjunction with the knowledge that manufacturers hold valuable sensitive information, manufacturers are an increasingly attractive prospect for threat actors because of how exposed their IT systems are to infection. This is because historically manufacturers have been concerned with securing their OT environment, often neglecting IT security almost entirely. Threat actors are therefore well aware that a manufacturers’ network is often left unprotected, and that the right cybersecurity tools and processes are not in place. Better yet, they know that a manufacturers’ supply chain is large and complex with vulnerabilities in abundance, and therefore the ideal environment to attempt an attack which can rapidly propagate across networks and infect various suppliers and businesses at ease.
It is evident then, that cybersecurity is not only a challenge for a manufacturer’s IT department, but for the operations and leadership teams too. More than a third of manufacturers report that they are not able to demonstrate good enough cyber security practices, which is a worrying statistic considering that it is becoming a vital requirement written within contractual agreements for manufacturers to have effective cyber security processes in place for their customers. In addition, with advances in legal requirements put in place by the European Union as well as individual countries, manufacturers will be under even more pressure.
If that isn’t serious enough, it’s worth remembering that if production goes down even for the shortest time, the impact can be irreparable - with millions in revenue potentially lost. This, combined with the risk to reputation that a manufacturer could face in the event of an effective cyberattack or data breach means that in order to survive and thrive in an interconnected digital age, many manufacturers must adopt a highly proactive mindset and approach to cybersecurity strategy…
…And this begins with understanding the threat.
Apart from professional cybercrime gangs, manufacturers are a very attractive target for hostile nation state actors. These are hackers who are suspected to work on behalf of a government to disrupt or compromise a target organisation to either gain access to valuable data or intelligence or create incidents to create economic or political unrest.
Nation state threats currently only comprise of ten percent of all attacks worldwide, but they are the most time consuming to resolve, and by far the trickiest. In fact, Secureworks research determined that on average it took 500 percent more time to fully evict a nation state attacker from a network in 2017 than in 2016. This increase is due to the often entrenched nature of these adversaries plus the necessity to fully understand the extent of the threat actor’s capability and access. If an organisation shows its hand too soon and attempts to evict an attacker without understanding how it got in, what it controls, and what it has changed, then the attacker can simply shift tactic or worse, infect or shutdown operations and machines.
By their nature, defence contractors and manufacturers are of particular interest to these nation states due to their access to government documents and sensitive information. One such organisation is the nicknamed BRONZE UNION a threat group suspected of operating for the Chinese government. In the past they have successfully compromised manufacturing and defence organisations specifically targeting life sciences, aerospace, manufacturing, defence, energy, technology and government organisations. The group specialises in identifying key data stores and selectively pulling out information of high value with a focus around defence, security, and political intelligence.
The group’s activities were observed on multiple U.S. based defence manufacturer networks, seeking information associated with aerospace technologies, combat processes, and naval defence systems. Analysis suggests that systemic issues in China’s defence technology industries could have influenced demand for this type of information due to a disconnect between what the country’s defence industries can supply and what its military needs. One infiltration technique that BRONZE UNION has relied on in the past is a strategic web compromise (SWC). This is a targeted attack which compromises users by infecting websites they usually visit and luring them to a malicious site.
Supply Chain attacks
Manufacturers also need to be aware of the threats they face from vulnerabilities and weaknesses in their supply chain. Although supply chain attacks account for a very small proportion of overall global attacks, they are often the most destructive.
Take the notoriously aggressive NotPetya attack. Trojanised updates via MeDoc software were used to carry out the attack, which infected PCs and organisations across the world. Compromising a legitimate software update and using it as a delivery mechanism like this indicates careful operational planning and pre-positioning, and considering the MEDoc accounting software existed on the networks of the majority of Ukrainian businesses, we can be confident that the attack was most likely carried out by a Russian nation state.
The targeting of digital certificates offered out by technology manufacturers in particular is becoming a common technique used by threat actors. Done properly, like NotPetya, it gives threat actors an improved chance to penetrate networks without being detected by impersonating legitimate products and inserting malware into updates of legitimate software.
What can manufacturers do to protect themselves?
Firstly, manufacturers are advised to undergo thorough security testing and assessments to identify and quantify where their network is at risk. Sourcing a cybersecurity specialist partner that can implement penetration testing, which subjects a manufacturers’ network to real world cyberattack scenarios in a safe environment, can be a useful first step to obtaining a thorough evaluation of the current organisational defences, security policies, and system architecture.
Implementing or enhancing logging, adopting multi-factor authentication (MFA), managing user privileges and integrating endpoint security capabilities are some of the specific measures that manufacturing companies can put in place to ensure they are protected from cyberattacks. Effective safeguarding control is paramount and should include multi-factor authentication for all public facing access. As a best practice, administrators’ access should use MFA and IP whitelisting from the corporate address space. Monitoring and reviewing user permissions, privileged activity and configurations on a regular basis is also paramount for strong cyber security defences.
Applying patches to affected assets as soon as they become available should become second nature for all IT departments. Patching is often overlooked due to concerns about business continuity but is absolutely critical. If patching is not an option due to potential disruption of production or business, or fear of breaking critical dependencies, companies must have alternative compensating controls. In addition , third party patches should be tested on isolated systems in a controlled way, prior to being rolled out to live environments.
Manufacturers must also remember that whatever technology and automatic measures and processes are put in place to protect, detect and respond to cyberattacks effectively - it is mostly always people that are the weak link.
Cyber criminals are always finding new ways to exploit human vulnerabilities. One such example is the case of Mia Ash. Last year, security researchers observed phishing campaigns suspected to be carried out by an Iranian based threat group nicknamed COBALT GYPSY, which targeted organisations (many of which were manufacturers) in the Middle East and North Africa. After unsuccessful generic phishing and targeted spear-phishing attempts, the group launched a highly sophisticated social engineering campaign. This entailed creating a fake social media profile called Mia Ash a London-based photographer to befriend employees at targeted organisations via LinkedIn. After weeks of interacting online with their target and gaining their trust, the group eventually sent an email containing a malicious attachment and the rest is history.
Manufacturers therefore must prioritise cybersecurity awareness amongst employees. At present many IT teams do not have the correct internal support to help them understand and successfully implement the necessary changes to strengthen their cyber defences and close the loop on human error. This is why specialist cybersecurity companies can prove an invaluable partner to any manufacturing company that is looking to improve its cyber defences and at the same time struggles to attract the right talent for the job. Specialists can help manufacturers adopt the best cybersecurity hygiene, and ensure critical technologies such as a resilient, offline back-up solution and processes such as developing and regularly exercising an organisational incident response plan are in place.
Protecting for the future
As we move into the next era of automation and the smart factory, we will likely continue to see nation state attacks proliferate. Threat actors will not only try to penetrate multiple new entry points offered by the implementation of IoT devices but try to create cyberattacks that have real life consequences. Just last year, a Saudi Arabian petrochemical manufacturer was targeted by malware believed to steal data and put a complete halt in operation, and to cause an explosion with potentially devastating consequences. The malware targeted the plant’s industrial control systems and was designed to stop any automated equipment from going beyond the safe operating conditions and to override the machine’s initial codes.
Today’s manufacturing plants have different sensors to monitor the machinery’s wear and tear, temperature, vibration or cooling to minimise downtime. However, this equipment is not intended to monitor for failed login attempts or data breaches and theft. Therefore, it is imperative that manufacturers start to ensure that the right security checks are put in place before this equipment is brought to the shop floor.
The technology industry, and therefore the threat, is moving faster every day, and manufacturing leaders need to catch up. Threat actors are constantly evolving, upskilling, and becoming better resourced, and manufacturers can no longer ignore the threat that is out to obtain high-reward IP, or to sabotage IT and OT infrastructure at any cost. The complexity of cyber awareness used as a defence when a major cyberattack occurs can no longer be accepted and manufacturers have to put the correct procedures in place to avoid hefty fines, delay in production, or loss of reputation and capital before it’s too late.
By Hadi Hosn, Global Consulting Solutions Lead.