Manufacturing companies are no strangers to the threat of cyber attacks. There are two main drivers behind the attacks we’ve witnessed over recent years, writes Darren Van Booven, lead principal consultant at Trustwave and former CISO of the United States House of Representatives. The first is the advancement of technology. Manufacturing is now more complex, with much of its equipment on a par with a computer rather than the analogue technology of the past. That equipment has more capabilities, but a greater attack surface as a result, and this affects a company’s overall risk posture more materially than ever before.
The second driver is that most manufacturing security teams are not well equipped to deal with the rising number of attacks and the sophisticated methods being used. As environments become more computerised, it gets harder to define and understand the risks that come with these networks. In our experience, many CISOs do not have a handle on how the computerised equipment is integrated into the business. As a result, it is much harder to manage security risks effectively.
The impacts so far
The news headlines are often dominated by the latest cyber attacks, with recent ones being named some of the worst in history. The Colonial Pipeline breach is a prime example, ultimately resulting in the company shutting the pipeline down temporarily. This had huge consequences, including product shortage and fluctuating gas prices. The business was forced to take such drastic measures as they were unable to contain the breach any other way. What’s more, security teams were not able to respond effectively as the relationship between the different systems was unknown.
This is just one example, but there have been hundreds of other attacks on manufacturing companies. Ransomware is commonly used by attackers and its capabilities grow more sophisticated with each passing day. The main challenge for manufacturing security teams is understanding how these tools affect their environment so they can respond effectively as the tools evolve. Without that understanding, it is difficult to make informed decisions about what measures need to be taken, not to mention the wider budgeting discussions.
Confidence levels
At the beginning of the journey with a customer, one of the first questions we as consultants ask a CISO is: how confident do you currently feel in your security systems? When delving deeper into the different security measures, such as how segregated their control systems are from the rest of the environment, we rarely get a confident answer. Most of the time, it’s a simple “Oh, I think they’re pretty segregated.” Those who do seem confident are often unable to provide evidence of an effective process to back it up. If the necessary controls and defences aren’t present, it won’t take long for attackers to find out.
However, we are seeing steady progress within the industry. Boards of directors and business leaders are beginning to ask questions, and the previous lack of focus on cyber security is changing. While there is still work to do in terms of attention and commitment, it’s positive to see these small steps being taken. Now though, it’s time for organisations to start making the big decisions, those that are going to impact all departments, from IT to process control engineering.
Making the big leaps
When devising a comprehensive security strategy, CISOs in the manufacturing industry should have two outcomes in mind. Firstly, they need to know what systems and processes they have in place, including hardware, software and legacy systems, and develop ways to maintain that visibility as situations change. Secondly, they need the ability to identify the assets that matter most to the business, because this determines which elements of the system are moved up the priority list. For example, a printer is not as important as the technology running the control systems. This may seem obvious, but every step of the process must still be completed.
One of the most effective ways to limit the risks to manufacturing networks is to segregate different environments. Most organisations will not be able to afford to replace all legacy technology, so it becomes a case of controlling the existing risks. Having visibility of which parts of the network are connected and which are segregated is of vital importance. I’ve personally experienced the risks if this isn’t achieved. In one of my previous manufacturing environments, for example, I received a call from a security researcher who had been able to connect to a major air conditioning unit in our data centre. The unit had an in-built GSM chip so that the manufacturer could control the unit remotely. Given that no one knew it was there, there was no protection around it, so it made the whole unit vulnerable. If an opportunistic cyber criminal had discovered it, they would have been able to access other parts of the network and shut the systems down.
Beyond these vital outcomes and solutions, there are further steps that I would always recommend CISOs consider when developing their security strategy.
Look outside your own network
Supply chains are notorious for weakening an organisation’s security defences, as there is no guarantee that third parties dedicate the same time and attention to their security as you do. The SolarWinds attack revealed the weaknesses in supply chains, as more than 18,000 businesses were affected by the ransomware, having spread through supply chain partners and customers alike.
Don’t forget about the cloud
Any cloud services being used in the organisation must be accompanied by appropriate controls. The cloud should be treated the same as on-premises systems, and access to data files should be restricted to only those who absolutely need it. It’s also about understanding the status of each device and service. Does it have remote connectivity capabilities? Have all default settings been changed? We encourage teams to ask these questions, no matter how obvious they seem. Devices left with default administrative passwords could end up being the cause of a serious breach.
As machinery and components become more network-aware, manufacturers have added greater remote access functionality to allow for remote vendor maintenance or for devices to send out alerts when faults are detected. If businesses are unaware of these capabilities, they are vulnerable to attackers using tools such as Shodan to identify unsecured devices exposed to the internet. When acquiring equipment, it’s important to establish what remote access capabilities it has, what will be enabled or disabled when you activate it, and to ensure strong controls such as a VPN are in place before any kind of remote access can take place.
Developing a comprehensive plan
There are several frameworks that can be used to help steer this process, including the Cybersecurity Maturity Model Certification and the NIST Cybersecurity Framework. The resulting roadmap should cover any risks previously identified, the actions that need to be taken and those responsible for each area.
Liaise with the C-Suite
Communication is everything. Part of the problem today is that those not directly involved with the business’ security are unaware of the threats against the network. CISOs and their teams can generate greater support and resources by getting the wider company involved.
Staying on track
Situations will change over time, so teams need to be able to maintain the defences and controls beyond the initial setup. Managed security service providers (MSSPs) can help provide constant coverage and deliver further environment audits, especially when teams do not have the in-house resources to do it alone. If my experience has taught me anything, it’s that if misconfigurations or vulnerabilities are left in systems, you can be certain that hackers will find them.
The manufacturing industry will remain a fundamental part of our world’s future, so taking the time to arm it against malicious attackers now will ensure long-term protection. The cyber threat landscape will continue to grow, and only by maintaining sufficient visibility of their systems and of the threats waiting just outside the perimeter will CISOs be able to steer their companies to safety.