Manufacturing is increasingly on the radar of cyber criminals who use ransomware, for two reasons: growing opportunity for criminals and the growing need to pay ransoms. To understand why criminals are targeting manufacturing companies, first you must understand ransomware. In its simplest form, ransomware is malware that encrypts critical resources for extortion.
Written by Michael Hamilton, former CISO of Seattle and CISO of incident response firm, CI Security
The reason manufacturing companies are increasingly vulnerable is that they are investing more in automation and robotics partially to compensate for the pandemic (looking for efficiencies and workers that don’t get sick).
Criminals are measuring the return versus the effort to compromise a network, and computer-assisted manufacturing checks all the boxes. Because a manufacturing operation can lose millions of dollars a day if disrupted, there is an urgency to return to normal operations as quickly as possible - and paying the extortion demand is the fastest way to get back to work. Manufacturing accounts for a quarter of the ransomware incidents reported this year (so far). It's been reported that ransomware gangs even factor in the revenue of their targets to adjust the extortion demand to a level that’s 'appropriate'.
Prior to H2 2020, hospitals and local governments had been primary targets because of the criticality of the services they provide and the historical underinvestment in security controls - a winning combination to ransomware gangs. According to a recent IBM study, approximately 30% of victim organisations pay the ransom, and our adversaries are constantly looking for methods to improve their ROI.
However, the potential impact of attacking healthcare is that people can die, and this fact is not lost on criminals. In fact, once a hospital in Germany had operations disrupted as 'spill-over' from attacking a university, the actors immediately provided the decryption key to restore operations. Regardless, one person died as a result, and causing deaths is apparently a bridge too far.
A complicating feature of criminal tactics is 'double extortion', now becoming more prevalent. In this type of attack, the threat actors steal information before disrupting operational capacity so they can get two ransoms: one for unlocking the system and a second for the return of the data.
Manufacturing operations, for the most part, have not considered or planned for compliance with state data breach reporting statutes and the additional regulatory scrutiny that comes with unauthorised disclosure of protected information. Records aside, manufacturers also possess intellectual property on optimising operations and lowering the cost of goods through proprietary methods. That’s all information that may be stolen and disclosed if the extortion demands are not paid.
An attack against manufacturing is like any other attempt at compromise. It usually starts with a person making a mistake, and that mistake usually ends in the disclosure of credentials (passwords), allowing a criminal to walk right into the network, lay the bomb, and set the fuse. Other tactics include breaking in through third parties - and this is an Achilles’ heel for manufacturing. Supply chains are extensive, and enterprise resource planning to balance inventory and raw materials is a constant effort that often requires speedy decisions without a lot of deliberation. Criminals study supply chains, and compromise through them is a growing and troubling trend.
Suppliers are frequently the 'unlocked window' through which criminals exploit networks of trust to gain access to the real target. Example incidents in the last few months include Blackbaud, a supplier to the health sector, charities, and philanthropic organisations, and Tyler Technologies - the number one service provider to local governments in the United States.
It is a reasonable assumption that a supplier of sheet metal or electronic components does not make the investments in security that either of these organisations do, yet they were carefully and deliberately compromised with the specific intent of using them in the technique known as 'island hopping'. Manufacturing suppliers can be an unwitting threat and should be treated as such.
Operational Technologies (OT) are another avenue. These systems are not 'Information Technology' in the sense that they are generally not under the purview of the CIO, CTO, or other technology lead. Based on personal experience, there is a poor delineation of roles and responsibilities regarding security on either side of the IT/OT demarcation, and policies are not consistently applied. Said another way, OT vulnerabilities can persist unchecked for long periods of time, and security controls can be lax.
In addition to OT, the newer addition of various types of 'smart' telemetry and control devices has expanded the attack surface and given rise to additional methods of entry. Networked cameras, thermostats and thermistors, and RFID readers are used in real-time data acquisition for use in automated decision making. Deployment of these devices should be done with care, as default configurations are very simple to exploit.
As briefly as possible, here is an actionable punch list:
Use security criteria in evaluating purchases from suppliers especially if they involve software and embedded systems. Demand technical test results conducted against a security standard by a third party.
Require vendors to 'show their papers' in terms of security controls regularly. This can be an audit report against a standard such as ISO-27001 or SSAE-18 (SOC-II), an assessment report by a third party, or a completed security controls questionnaire (these abound on the Internet). Let them know you’re serious.
In an ideal world, OT systems would be air-gapped. Use VLANs, netmasking, whatever you have to. Separate IT and OT networks. This may preserve the ability to continue production during an IT security incident.
Importantly, monitor IT and OT networks to detect aberrational behaviour and have a plan for when a security incident is confirmed. Monitoring, detection, and response capabilities should be resourced, adequate, and effective. Putting out the small fires as immediately as possible prevents the house from burning down. Small fires are now breaking out all over in manufacturing.
And, lastly, remember that most attacks come in through unsuspecting users. If you haven’t had every employee go through security awareness training this year, you should. After getting pissed off about the breaches at Tyler Technologies and UHS, I began offering free SAT on Fridays at 12pm (Pacific Time). Registration is here.