Earlier this year, the meat processing giant JBS fell victim to Russian hacker group REvil, disrupting the distribution of meat products for millions of people around the world. The ransomware attack ultimately led to the decision to pay $11 million to the cybercriminal group in order to get the company’s systems back up and running in full.
A decade ago, such manufacturing cyber security breaches were almost unheard of, yet today they are commonplace: ransomware experts estimate that at least 40 food processing companies have been targeted in the last year. This is part of an alarming trend of increased industrial cyber attacks, including the high-profile ransomware attack on Colonial Pipeline earlier this year, and the breach of the Norsk Hydro aluminum manufacturer in 2019. These attacks brought essential industrial companies to a standstill. While not all attempts are successful, it is sobering to consider that 50% of manufacturing companies reported having experienced a data breach or cyberattack in the past year, with 73% of attacks being financially motivated.
A new technological era and the changing face of cyber crime
Cybercriminals are cashing in on the fact that manufacturers cannot afford to be offline for any amount of time, and the success of recent attacks proves just how high the cyber risk for manufacturing has become.
Our own Chief Product Officer, Michael Langer, explains why this problem has mushroomed over the past five years. “The nature of cyberattackers is that they’re looking for weak spots. The financial and telecommunications industries are much more mature in their cybersecurity than manufacturing; they handle monitoring, control, and risk management better due to in-depth understanding of the landscape, and because of existing regulations and compliance requirements.”
Cybercriminals, therefore, have started to look at new targets – including manufacturers – which are more vulnerable.
Langer, who has over two decades of experience in the field of cyber security working in an elite unit of the Israel Defense Forces, warns that the current trend of cyber threats to the manufacturing industry is unlikely to ebb. “The maturity of ransomware – and monetizing ransomware – has become clear. Cybercriminals have evolved and their processes have become automated.”
The rise in industrial cybersecurity attacks can be attributed to specific changes in the way the industry operates; technological developments, including the convergence of IT/OT systems; the sensitivity toward downtime in these industries; and the lack of segmentation.
It is precisely the lack of segmentation which has enabled the most highly publicized manufacturing data breaches to cause so much damage. The spaghetti-like structure of the IT systems in multinational companies has become necessary in order to streamline processes and decrease overall costs, but this very structure has elevated vulnerability.
Global entities have found that once a ransomware virus has taken hold in one location, it is almost impossible to isolate it, and therefore it often causes unabated damage to the entire network. Such an attack brought Maersk Shipping, the largest shipping company in the world, to its knees in June 2017. The malware, upon entering the system, quickly spread to their international IT network. Maersk took the extreme measures of solving the immediate difficulties manually and reconfiguring their entire IT system. This involved a ten-day-long IT blackout, a period of time very few industrial companies would be able to tolerate.
COVID-19: more than a health threat/crisis
Langer explains how COVID-19 exacerbated the already considerable problem of OT vulnerability. “During COVID, the dependency on supply chains and remote access increased.”
In addition, social distancing necessitated remote access in unforeseen ways, opening a back door for cybercriminals.
For example, manufacturers often have a quality inspection system connected directly to the production line, so that machinery can be halted if there’s a quality problem. Additional checks are performed regularly by that system's vendor to ensure the system is working properly and complying with regulations, but the pandemic meant that in-person visits were often impossible. It therefore became necessary to grant this quality-system vendor, and others like it, remote access.
Langer points out the problem here: “If there are updates or bugs, they can be fixed via remote access. This means, however, that the vendor has access to the heart of its client’s industrial environment. From a cyber criminal’s perspective, why then attack the manufacturer? Attack the vendor instead, since that person likely has access to ten different manufacturing clients.” This classic supply chain attack tactic is becoming more and more common.
Preemptive strategies to mitigate risk
In order to cultivate cyber security in the manufacturing industry, Langer outlines the steps that manufacturers need to take:
- Perform risk management on an enterprise level from a cybersecurity perspective. Extend the scope of cyber risk management to OT environments and their connectivity. Identify the most critical and vulnerable assets at each facility, and establish a security plan to manage risks and vulnerabilities.
- Introduce segregation of IT and OT.
- Implement network visibility in real time to discover an adversary in the network much earlier, empowering risk mitigation.
- Manage secure remote access mechanisms that are kept separate for OT networks (and implement a strong patching policy for these products, as they have served as a primary attack vector for cyber criminals in recent years).
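One way to check the segregation and remote-access items above against observed traffic, as an added example that is not from the article or from Radiflow: flow records are mapped to zones and any cross-zone flow outside the permitted conduits is reported, including vendor sessions that reach OT without passing through the DMZ jump host. The zone names, address ranges and flow records are constructed assumptions.

```python
import ipaddress

# Assumed zone plan (constructed for this example, not taken from the article).
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.50.0.0/24"),     # jump host, historian
    "ot": ipaddress.ip_network("10.60.0.0/16"),         # PLCs, HMIs
    "vendor": ipaddress.ip_network("198.51.100.0/24"),  # vendor remote-access range
}

# Only these zone-to-zone conduits may carry traffic. IT and vendors reach OT
# solely through the DMZ; anything else crossing a zone boundary is a finding.
ALLOWED = {("it", "ot_dmz"), ("vendor", "ot_dmz"), ("ot_dmz", "ot"), ("ot", "ot_dmz")}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.4.21", "10.50.0.10", 443),     # IT workstation -> DMZ historian
    ("198.51.100.7", "10.50.0.5", 3389),   # vendor -> DMZ jump host
    ("10.50.0.5", "10.60.1.20", 502),      # jump host -> PLC
    ("198.51.100.7", "10.60.1.20", 502),   # vendor straight to PLC
    ("10.10.4.21", "10.60.2.8", 445),      # IT straight to OT
    ("10.60.2.8", "10.10.9.9", 445),       # OT straight to IT
]

def zone_of(ip):
    """Return the zone name for an address, or 'unknown' if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def violations(flows):
    """Return cross-zone flows that do not use a permitted conduit."""
    found = []
    for src, dst, dport in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED:
            found.append((src, dst, dport, f"{src_zone}->{dst_zone}"))
    return found

if __name__ == "__main__":
    for src, dst, dport, path in violations(FLOWS):
        print(f"segmentation violation {path}: {src} -> {dst}:{dport}")
```
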
The National Institute of Standards and Technology (NIST) has created a guide to industry standards for implementing ICS using technologies that are widely available with the goal of improving security for OT systems worldwide.
Radiflow has created CIARA (Cyber Industrial Automated Risk Analysis) to enable CISOs to improve the ROI of their cybersecurity expenditure. This is done by generating a virtual map of the OT network and simulating cyber-attacks and breach attempts, in order to highlight weak spots while providing options for mitigating the detected problems. Radiflow’s CIARA is fully IEC 62443-compliant, so you can be certain that your cybersecurity risk report will be adequately comprehensive, and any vulnerabilities will be ranked, giving you the optimal plan of action to secure your network.
If you are ready to make your move against the threat of industrial cyber attacks, contact us today for a full OT security assessment and to learn how we can help.