The American manufacturing sector continues to rank among the
most frequently targeted by cyberattacks.
As manufacturers continue to adopt smart technologies and
increasingly connected industrial devices known as
internet-of-things devices, manufacturing is anticipated to remain
a top target for the foreseeable future.
Manufacturers are high-value targets for several reasons
including their general importance within the economy, legacy
information technology and operational technology, and the value of
their data for the purposes of intellectual property or identity
theft.
Increased Incidents
Many manufacturing companies have seen an increase in
cyber-related incidents associated with the industrial control
systems used to manage their operations.
These systems can range from programmable logic controllers and
distributed control systems to embedded systems, special purpose
systems, industrial IoT devices, and systems that manage quality,
health, safety, and even the building or facility itself.
However, recent survey data indicates that while the
overwhelming majority of manufacturers have implemented
capabilities to detect cyber-events, very few extend that
monitoring into their OT environments.
The unfortunate reality is that cybersecurity is no longer
limited to certain departments or people within an
organization.
When every piece of equipment, component, employee, partner,
vendor, visitor, and electronic device represents a potential
vulnerability, cybersecurity awareness must be built into your
culture and every employee should be trained and empowered to
assist in your risk mitigation efforts.
Evolving Adversaries
The manufacturing sector is susceptible to a broad range of
cyberattacks targeting their operations, infrastructure, and
intellectual property.
Attacks commonly deployed by adversaries include:
Phishing: The attacker sends an electronic
communication—typically email—to one or more members of
an organization impersonating a trusted colleague or associate.
The email contains a malicious attachment or link, which opens
the network to intrusion when clicked or opened by the trusting
recipient.
Phishing attackers are now leveraging artificial intelligence to
eliminate the tell-tale phrasing and grammatical mistakes
frequently recognized by recipients as a sign of impropriety.
DDoS attacks: The attacker generates
overwhelming bandwidth loads to cause system disruption and/or
create opportunities for malware to be deployed.
As more IoT devices are introduced to the manufacturing process,
the risk of Distributed Denial-of-Service attacks increases.
Devices that consume significant bandwidth by their nature, such
as digital surveillance systems, are particularly susceptible to
DDoS attacks.
Malware and ransomware: These attacks are
common across IT networks in all industries. However, the
manufacturing industry remains a top target.
Cyber criminals use malware to cause economic or operational
damage by corrupting or stealing information, overloading networks,
or creating opportunities for further attacks.
Ransomware is a type of malware used by adversaries to deny
access to data or systems through encryption, then demand payment
for the key to restore the data or systems.
Supply chain attacks: Attackers commonly
penetrate networks by compromising a vendor that has a connection to the
manufacturer’s network but does not have sufficient
security.
It is therefore important for organizations to assess the
security practices of vendors in advance, before those vendors are
granted access to the organization’s systems.
Targeting Operations
Cyberattacks, like those described above, have become the
predominant means of intellectual property theft in the
manufacturing sector, which is often considered theft of the
manufacturer’s most valuable asset.
In recent years, attackers have demonstrated an increasing level
of sophistication in their technical and business acumen. It is a
criminal enterprise after all. Specialization is one such criminal
innovation.
Today, an ambitious attacker who lacks the skills to break into
a manufacturer’s network can purchase access on the dark web
from an “access broker.”
An access broker acquires access to organizations and sells this
access to other adversaries, including ransomware operators. Access
brokers are particularly skilled at avoiding detection.
Last year, the popularity of access broker services increased by
112% compared to the prior year as measured by the increase in dark
web advertisements for access broker services.
Advertisements for access to manufacturers’ networks ranked
among the top five sectors for access broker advertising.
Sophisticated Strategies
In addition, the manufacturing sector ranked among the top five
sectors targeted for interactive intrusion.
Interactive intrusions are defined as malicious activities where
an adversary actively interacts with and executes actions on a host
server.
Unlike automated malware attacks that rely on the mass
deployment of scripts and tools, interactive intrusions leverage
the ingenuity and problem-solving skills of human adversaries.
Human adversaries are able to function in ways that mirror
expected user and administrator activity, making them much harder
to detect and defend against with software or AI-driven tools
alone.
The key takeaway is the sophistication of the organization’s
adversaries.
Cybercrime—at its highest level—operates like a
business enterprise.
Unless a manufacturer implements an equally sophisticated
mitigation strategy, leveraging the strengths of its entire
business enterprise, the risk of catastrophic data and financial
loss as the result of a cyberattack increases substantially.
Managing Cybersecurity Risk
Although it may not be possible to prevent being victimized by a
cyberattack, there are several interventions manufacturing
organizations can deploy to mitigate the likelihood and impact of
an attack.
In addition to a comprehensive data and system backup strategy,
which is essential to the restoration of data held for ransom and
may spare leaders from the difficult conundrum of making a ransom
payment, manufacturers should consider the following mitigation
strategies.
1. Perform a risk assessment. The foundation of
an effective and robust cybersecurity program is identification of
risk and evaluation of the organization’s cybersecurity
practices and ability to recover from an attack.
It is important to understand the manufacturing environment and
the assets that comprise it to design and implement mitigating
controls.
Cybersecurity assessments can be self-conducted or facilitated
by cybersecurity professionals. By conducting an assessment, an
organization gains a better understanding of its cybersecurity
position, where vulnerabilities exist, and what actions are
required to address them.
This empowers manufacturers to prevent or mitigate the
consequences of a cyberattack.
Further, it affords the organization the opportunity to develop
a prioritized mitigation strategy and roadmap that can be shared
with executive leadership and, where appropriate, the board to
address risks that are commensurate with the organization’s
resources and risk tolerance.
2. Review incident response and
business continuity plans. Responding to a cyberattack can
cause a tremendous amount of stress on an organization.
This is not the time for developing, fine-tuning, or deep
thinking with respect to how your organization will contain the
attack and restore operations.
Organizations that maintain a thorough and well-documented
cyber-incident response plan and business continuity plan will be
significantly better positioned to navigate the chaos and minimize
the disruption.
This is an iterative process, and the importance of practicing
through simulations or table-top exercises cannot be
overstated.
It is important to walk through each plan to identify and
resolve flaws and other problems beforehand. After each practice
session, a debrief is recommended for sharing lessons learned and
revising the plans accordingly.
3. Implement a framework. The adoption of a
cybersecurity framework facilitates cybersecurity assessments and
other cybersecurity measures.
The U.S. Cybersecurity and Infrastructure Security Agency
recommends the National Institute of Standards and Technology
Framework for Improving Critical Infrastructure Cybersecurity
because it provides a prioritized, repeatable, and cost-effective
approach to managing cybersecurity risk.
The NIST framework applies across all organizations, regardless
of size or cybersecurity sophistication.
It was developed by consolidating many existing standards,
guidelines, and best practices across industries. In general, the
NIST framework identifies five core functions designed to help
mitigate cybersecurity risk.
- Identify: Manufacturers employ a variety of internal control systems to monitor, automate, and control critical physical processes in addition to a variety of IT systems and networks in their day-to-day operations. Identifying, assessing the criticality of, and prioritizing each asset and system is the foundation of the framework.
- Protect: In this phase, protective cybersecurity measures are implemented to protect from various types of cyberattacks. The criticality determined in the identification phase will decide the level of security measures that should be implemented for each asset or system identified.
- Detect: Protective measures may not be enough to prevent or mitigate a cyberattack. Therefore, the ability to detect cyber intrusion activity, misuse, or negligence is critical to containing the activity and ensuring an appropriate response level. In this phase, detection technology and procedures are implemented to discover abnormal conditions with IT systems and networks using a strategy of continuous monitoring and detection.
- Respond: In the event of a cyber-incident, the organization takes appropriate action in response to the detected cyber incident. Cybersecurity response activities may include executing a response plan and mitigating newly identified vulnerabilities.
- Recover: Recovery activities may include executing a recovery or business continuity plan, managing public relations, and communicating recovery activities to internal stakeholders and executive and management teams. Several important steps in the recovery phase include root cause analysis, collection of information and evidence, determining the impact of the incident, notifying impacted individuals and government agencies under applicable data breach notification laws, and recommending improvements to the systems and the incident response plan.
Depending on one’s industry and customers, certain
cybersecurity certifications, such as the Department of
Defense’s Cybersecurity Maturity Model Certification, may be
required, many of which rely on a strong cybersecurity
framework.
4. Create a cybersecurity culture. Begin
building cybersecurity into all future project planning –
designing and including security controls at the front end of
projects.
Important controls to consider include use of secure network
segmentation models, deployment of passive monitoring solutions (to
provide visibility of networked assets and activity while
minimizing the risk of disruption), secure remote access, control
of removable media, improved management of privileged access, and
executing consistent backup processes (especially for critical
systems and configurations).
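The Identify and Detect functions above, together with the segmentation and passive-monitoring controls just listed, fit together in practice: the asset inventory (with each asset's zone and criticality) defines which network zones may talk to each other, and exported flow records are then checked against that policy without touching any OT device. The following Python script is an added illustration, not code from the article or from NIST; the addresses, zone names, criticality scores, allowed ports and flow records are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Identify: constructed asset inventory (hypothetical addressing).
# network -> (zone name, criticality 1..5, where 5 = most critical)
INVENTORY = {
    ipaddress.ip_network("10.10.0.0/24"): ("corporate-it", 2),
    ipaddress.ip_network("10.20.0.0/24"): ("dmz-jump", 3),
    ipaddress.ip_network("10.30.0.0/24"): ("ot-supervisory", 4),
    ipaddress.ip_network("10.40.0.0/24"): ("ot-control", 5),
}

# Segmentation policy derived from the inventory: only these
# (source zone, destination zone) pairs may communicate, and only on
# the listed destination ports. Traffic within one zone is permitted.
POLICY = {
    ("corporate-it", "dmz-jump"): {443},          # web access to the jump host
    ("dmz-jump", "ot-supervisory"): {3389},       # remote desktop from the jump host
    ("ot-supervisory", "ot-control"): {502, 44818},  # Modbus/TCP, EtherNet/IP
}

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str
    severity: int  # criticality of the most critical asset involved

def zone_of(ip: str):
    """Look an address up in the inventory; (None, None) means an inventory gap."""
    addr = ipaddress.ip_address(ip)
    for net, (zone, crit) in INVENTORY.items():
        if addr in net:
            return zone, crit
    return None, None

def parse_flow(line: str):
    """Flow record format (constructed): ts src dst dport proto bytes."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return ts, src, dst, int(dport), proto, int(nbytes)

def check_flows(lines):
    """Passive check: evaluate exported flow records against POLICY.

    Returns findings sorted by severity (highest first), then by time.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto, _nbytes = parse_flow(line)
        src_zone, src_crit = zone_of(src)
        dst_zone, dst_crit = zone_of(dst)
        if src_zone is None or dst_zone is None:
            # An endpoint missing from the inventory is itself a finding:
            # the Identify step is incomplete for this flow.
            unknown = src if src_zone is None else dst
            known = [c for c in (src_crit, dst_crit) if c is not None]
            findings.append(Finding(ts, src, dst, dport,
                                    f"unknown asset (not in inventory): {unknown}",
                                    max(known) if known else 3))
            continue
        if src_zone == dst_zone:
            continue
        allowed = POLICY.get((src_zone, dst_zone))
        if allowed is None:
            reason = f"no path permitted from {src_zone} to {dst_zone}"
        elif dport not in allowed:
            reason = f"port {dport} not permitted from {src_zone} to {dst_zone}"
        else:
            continue
        findings.append(Finding(ts, src, dst, dport, reason, dst_crit))
    return sorted(findings, key=lambda f: (-f.severity, f.ts))

# Constructed sample flow records; the last three violate the policy.
SAMPLE_FLOWS = """
2024-05-01T08:00:01Z 10.10.0.15 10.20.0.5   443  tcp 5120
2024-05-01T08:00:05Z 10.20.0.5  10.30.0.10  3389 tcp 20480
2024-05-01T08:01:10Z 10.30.0.10 10.40.0.21  502  tcp 640
2024-05-01T08:02:33Z 10.10.0.15 10.40.0.21  502  tcp 320
2024-05-01T08:03:00Z 10.20.0.5  10.30.0.10  445  tcp 90000
2024-05-01T08:04:12Z 10.40.0.21 203.0.113.9 443  tcp 1500
""".strip().splitlines()

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"[sev {f.severity}] {f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Because the script only reads records already exported by the network (NetFlow-style logs, a SPAN port, or a passive sensor), it has no effect on the controllers it watches, which is the point of the passive-monitoring control. The severity comes from the destination's criticality in the inventory, so a flow from the corporate network straight to a controller outranks one to the supervisory layer, and a flow to an address the inventory does not know is reported as an inventory gap rather than silently ignored.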
Every employee with access to a manufacturer’s network
can—and should—play a role in protecting the
organization from potential cyberattacks.
Manufacturers should provide regular training and education with
respect to appropriate use of their network infrastructure,
cybersecurity awareness, and best practices (now referred to as
“cyber hygiene”).
Consider approaching cybersecurity like other significant
corporate initiatives and be creative in developing postings and
other educational collateral, playing games, awarding prizes, or
providing other incentives to the staff who serve as your first
line of defense.
Cybersecurity is everyone’s job, but they may not be aware
of it yet.
This article first appeared on CBIA’s website and is published here with
permission.