Critical Infrastructure, Critical Risk: How Cybercrime Is Rewriting the Rules for Manufacturing Security

Manufacturing has been at the forefront of the digital revolution, bringing the power of Industry 4.0 to the world. Industry 5.0 is now coming, with implications for cybersecurity as human-machine collaborations broaden. The digitization of Manufacturing has brought great benefits in terms of efficiency and productivity.

However, the digital transformation of our manufacturing processes has also opened up opportunities for cybercriminals to exploit. According to data from Statista, Manufacturing is the sector most targeted, with 26% of cyberattacks focusing on manufacturing industries.

Exploiting Vulnerabilities: How a Ransomware Group Stole Sensitive Employee Data

Yamaha Motor Philippines became the victim of a ransomware attack by the INC Ransom hacking group. The attackers exploited a vulnerability (CVE-2023-3519) in Citrix NetScaler ADC and Gateway. The vulnerability gave the hackers unauthorized access, allowing them to install ransomware and commit data theft. The INC Ransom ransomware group then published stolen documents and data on its dark web site. The data included employee IDs, backup files, and corporate and sales information. INC Ransom typically uses exploits and stolen credentials to access a network, then escalates privileges using legitimate network tools until it has admin access rights.

Top Cybersecurity Threats to the Manufacturing Sector

The manufacturing industry covers many types of companies that manufacture the essential products in society, from cars to food to medical devices to chemicals, and so on. As such, Manufacturing provides a critical infrastructure that is needed for our economy; Manufacturing drives innovation, turning research into products and helping to build a strong economy on the world stage. It is the criticality of Manufacturing that makes it such an attractive target for cybercriminals.

Threats against the sector include ransomware, data theft, DDoS attacks, and criminal damage to IT/OT resources. The advent of AI is driving the increase in threat volume and capability. Generative AI is used to create highly personalized phishing. AI is used to develop adaptive and polymorphic malware with evasive capability, and AI can also automate attacks.

A report from Omdia Research exploring cyberattacks on manufacturing companies found that 80% of companies in the sector have experienced a significant increase in overall security incidents or breaches. Worryingly, less than half (45%) have adequate cybersecurity preparedness.

A survey by Forescout identified the USA as being by far the most targeted country:

[Figure: Analyzed Incidents Per Country. Source: Forescout]

The following are the most common threats targeting the manufacturing sector:

Ransomware

According to the Sophos State of Ransomware report, 65% of Manufacturing and production organizations experience ransomware attacks. This highly disruptive tactic effectively halts production and causes major losses unless swiftly dealt with; this factor alone places pressure on an organization to pay the ransom demand.

Norsk Hydro was a target of LockerGoga ransomware. The infection resulted in several plants needing to be shut down, impacting production and distribution. The likely scenario is that attackers initiated the ransomware campaign using legitimate login credentials bought via a dark web marketplace.

The Sophos report has identified the main type of vector used to initiate ransomware attacks, with malicious email being the number one way that ransomware attackers enter a network:

[Figure: Ransomware Attacks. Source: Sophos]

Data Theft

The Sophos report also noted that 28% of organizations affected by ransomware also had data stolen. Data theft in combination with ransomware is usually performed to add further pressure to pay the ransom - the attackers threatening to release the data on the dark web if payment is not made swiftly.

A report from the ITRC (Identity Theft Resource Center) places Manufacturing among the top five most targeted sectors for data theft. The most recent research found that 317 manufacturing organizations experienced data compromises, resulting in 51 million victim notices being released that year.

Supply Chain Attacks

Manufacturing uses a complex web of suppliers and associates to keep the production line flowing. A recent supply chain attack that targeted a Toyota supplier, Kojima Industries, resulted in the car manufacturer shutting down 14 factories for 24 hours. Supply chain attacks often use spear phishing emails to target suppliers and cause massive disruption across the supply chain. The intelligence needed to identify targets and create highly personalized phishing emails is typically found on the dark web. This information is then used to prompt a generative AI tool to generate the malicious email.

DDoS and IoT Botnets

Many manufacturers rely on a connected infrastructure, often dependent on internet-connected devices (IoT). A Zscaler report has found a staggering 400% increase in IoT botnets targeting manufacturing. DDoS attacks targeting IoT devices can disrupt critical OT environments and halt production.

Why Cyberattacks Occur in Manufacturing

There are multiple reasons driving cyberattacks in the manufacturing sector. However, a Forescout analysis of the industry identified the main reasons, as shown below:

  • Hacktivism/Political: Activists may target a particular manufacturer with whom they have an ideological dispute to halt production. For example, Anonymous is an infamous group of activist hackers.
  • State-sponsored: Some hacktivists are state-sponsored and carry out attacks on manufacturing plants as part of grey-zone war activities. For example, hacking group Gonjeshke Darande, which is suspected to be Israeli state-sponsored, attacked Iranian power plants.
  • Ransomware: Ransomware is used for financial gain and can be linked to state-sponsored hacking groups.

Other reasons include industrial espionage, with company secrets being sold to the highest bidder.

[Figure: Threat Actors Targeting Manufacturing. Source: Forescout]

Impact of Cyberattacks on Manufacturing

Manufacturing is highly vulnerable to the impact of a cyberattack on production. Costs of downtime, in particular, are staggering:

Downtime

Aberdeen Research has analyzed the impact of downtime on manufacturing, finding that unplanned downtime costs a staggering $260,000 an hour.

Ransomware Costs

A Sophos report, The State of Ransomware in Manufacturing and Production, reported that manufacturing organizations pay a mean cost of $1.67M to recover from a ransomware attack, and 58% of companies pay the ransom to reduce disruption.

Regulations and Standards in Manufacturing

Manufacturers in the USA are covered under an umbrella of federal and industry-specific regulations and standards. Some of the most well-known include the following:

  • NIST Special Publication (SP) 1800-10, Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector. Some of the requirements include the following:

    • Detect and prevent unauthorized software installation
    • Protect ICS networks from potentially harmful applications
    • Determine changes made to a network using change management tools
    • Detect unauthorized use of systems
    • Continuously monitor network traffic
    • Leverage malware tools
  • IEC 62443: Comprises a set of standards, setting out requirements and processes for implementing and maintaining electronically secure industrial automation and control systems.
  • U.S. HHS FDA Cybersecurity Requirements: This is a sector-focused law setting out requirements for cybersecurity for medical device manufacturers.

Mitigating Cybersecurity Risks: Best Practices

Manufacturers are at risk from a variety of cyber threats. Best practice requires that a company use a defense-in-depth approach that comprises multiple layers of security measures:

Robust Identity Management

Stolen credentials can be used to penetrate an OT environment. Manufacturers should implement identity security measures to mitigate identity-related cyberattacks. These measures must include phishing-resistant MFA, Privileged Access Management (PAM), and the enforcement of least privilege access rights (access on a need-to-know basis). One Identity is a vendor that can provide Manufacturing with identity security solutions.

Network Segmentation

By segmenting and isolating areas of a network, a manufacturer can reduce the scope of an attack. Network segmentation is used alongside identity security measures to create a zero-trust architecture.

Secure and Monitor OT and IoT

Continuous monitoring of the OT and IoT environment will help with the early detection of potential cyberattacks. This proactive measure provides visibility into potential threats and vulnerabilities within IT and OT environments, allowing for a prompt response to mitigate escalation to a cyber incident.

Update Software and Firmware

Vulnerabilities in software and firmware are exploited during many attacks, including DDoS and ransomware. Update all systems promptly.

Backup and Restore

Ransomware-resistant backup and restore solutions help to mitigate the impact of a ransomware attack. Backups must be made regularly. Solutions that offer encrypted and automated backups with redundant storage and off-site backups are ideal for ensuring that backups are secure and current. However, it is essential to regularly test and validate your recovery processes.

Dark Web Monitoring

Sentinex is a dark web monitoring tool recommended for manufacturing companies. It helps identify data stolen during ransomware and data theft attacks. By locating stolen data, an organization can lock it down to stop other cybercriminals from carrying out follow-on attacks.

Review the Security Posture of Connected Third-Party Suppliers

Manufacturing is reliant on the security of its broader supply chain. Carry out risk assessments on any suppliers and ensure that their cybersecurity posture meets regulatory standards.

Security Awareness Training for Education

Human-centered attacks like spear phishing can put employees at risk. A fundamental security measure that manufacturers should deploy is security awareness training. Companies like Infosec provide ready-made training campaigns that educate employees on how to identify phishing attacks and how to work securely and safely online.