For years the manufacturing industry has kept a low profile as a target for cybercriminals and has enjoyed an environment largely free of business disruption. Retailers like Target Corporation and healthcare companies have been in the crosshairs of attackers, suffering extraordinary amounts of damage. However, with the advent of Industry 4.0 and the interconnectedness of factory floor operations, a veritable cyber shooting gallery has been created, exposing a massive attack surface for cybercriminals and nation-state actors to exploit. Every day something new appears on the radar of nefarious actors, and automated bots seize upon vulnerable internet-connected machines.
The bottom line: Manufacturing is getting attacked more often now simply because production facilities are now…prey.
The Target Stores Disaster
Manufacturers can treat the cyber attack on the retail giant Target Corporation as a case study.
The cyber attackers first broke into Target’s internal network on Nov. 15, 2013, using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
Presumably, the HVAC company was given remote access to the system in order to perform maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software. It is also sometimes more cost-effective to let a vendor provide outside support than to hire and train internal staff to manage the HVAC systems.
Between Nov. 15 and Nov. 28 (Thanksgiving and the day before Black Friday), the attackers succeeded in uploading their card-stealing malware to a small number of cash registers within Target stores. During that timeframe, they took the time to test that their point-of-sale malware was working as designed.
According to Krebs on Security, which first broke the story of the breach, the attackers infected the vendor with general-purpose malware known as Citadel through an email phishing campaign. They then used the stolen credentials to gain access to Target-hosted web services dedicated to vendors, which in turn provided access to a Target internal web application hosted on Target’s internal network. Following a methodical step-by-step offensive, the attackers gained unprecedented access to what was then the 3rd largest retailer in America. For a complete account of how they did it, see “11 Steps Attackers Took to Crack Target” on CIO.com.
By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices and were actively collecting card records from live customer transactions. Between Nov. 27 and Dec. 15, 2013, the attackers obtained the Personally Identifiable Information (PII) of 70 million customers as well as data for 40 million credit and debit cards. Investigators said that the stolen financial information was transmitted to several “drop” locations that could be safely accessed by the suspected perpetrators in Eastern Europe and Russia.
Cybercriminals Set Their Sights on Manufacturing
External remote access
While external remote access—when an internal host device connects to an external server—is extremely common practice in the world of manufacturing, the convenience comes with a network security risk that can allow attackers to infiltrate company networks.
According to Christopher Morales, head of security analytics at San Jose, California-based Vectra, a cybersecurity firm that detects hidden cyberattacks and helps threat hunters improve the efficiency of incident investigations, “Once an attacker establishes a foothold in IIoT devices, it is difficult for network security systems to identify the backdoor compromise.”
Reconnaissance and Lateral Movement
According to the 2018 Verizon Data Breach Industry Report, cyberespionage is the leading motive behind state-sponsored attacks. Industry Week reports that because of the rapid convergence of enterprise information technology (IT) and operational technology (OT) networks in manufacturing organizations, the manufacturing industry is exposed to “higher than normal rates of cyberattack-related reconnaissance and lateral movement activity.”
Mr. Morales notes that IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping between non-critical and critical subsystems until they find a way to complete their exploitative missions.
“Cyber attackers leverage the same self-discovery used by peer-to-peer devices to map a manufacturing network in search of critical assets to steal or damage. This type of attacker behavior is known as internal reconnaissance and lateral movement,” reports Morales. “Consequently, a higher-than-normal rate of malicious internal reconnaissance behaviors was detected. And an abnormally high level of lateral movement behaviors indicated that attacks are proliferating inside the network.”
Data Exfiltration
Sometimes the data flow in a manufacturing environment looks like this:
Machine sensors >>> Internal Servers >>> Network Gateway >>> Cloud Database
This IIoT architecture is common within the manufacturing industry and is sometimes subject to an external attack.
Morales says, “Sometimes these exfiltration behaviors are associated with other threat behaviors across the attack lifecycle that point to an in-progress attack. It is critical to ensure that systems are sending data to the intended and approved external systems instead of attackers who are trying to steal intellectual property and other critical assets. Consequently, network visibility and real-time monitoring of interconnected systems is essential to identify the earliest signs of attacker behaviors in the manufacturing infrastructure.”
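As an added illustration of the internal reconnaissance (above, under Reconnaissance and Lateral Movement) and exfiltration behaviors Morales describes, the script below is example code written for this article, not Vectra’s or the author’s. It runs two checks over a constructed set of plant-network connection records: it flags outbound flows that do not follow the approved Machine sensors >>> Internal Servers >>> Network Gateway >>> Cloud Database path, and it flags internal hosts that fan out to an unusually wide set of internal peers. The addresses, the gateway, the approved cloud endpoint and the fan-out threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed plant layout for this example: one /16, one gateway, one approved cloud endpoint.
PLANT_NET = ipaddress.ip_network("10.20.0.0/16")
GATEWAY = "10.20.1.1"
APPROVED_EXTERNAL = {("203.0.113.10", 443)}  # approved cloud database (TEST-NET-3 address)
RECON_FANOUT = 5  # distinct internal hosts contacted before a source is flagged

# Constructed connection records: (src, dst, dst_port, bytes_out). Not real traffic.
CONNECTIONS = [
    ("10.20.5.11", "10.20.3.4", 502, 1200),     # sensor -> internal server (normal)
    ("10.20.3.4", GATEWAY, 8443, 50000),        # server -> gateway (normal)
    (GATEWAY, "203.0.113.10", 443, 48000),      # gateway -> approved cloud DB (normal)
    (GATEWAY, "198.51.100.7", 443, 900000),     # gateway -> unapproved external host
    ("10.20.5.11", "198.51.100.7", 22, 30),     # sensor talking directly to the internet
    ("10.20.7.9", "10.20.3.1", 445, 10), ("10.20.7.9", "10.20.3.2", 445, 10),
    ("10.20.7.9", "10.20.3.3", 445, 10), ("10.20.7.9", "10.20.3.4", 445, 10),
    ("10.20.7.9", "10.20.3.5", 445, 10), ("10.20.7.9", "10.20.3.6", 445, 10),
]

def is_internal(addr):
    return ipaddress.ip_address(addr) in PLANT_NET

def find_exfiltration(conns):
    """Flag outbound flows that do not go gateway -> approved cloud endpoint."""
    alerts = []
    for src, dst, port, nbytes in conns:
        if is_internal(dst):
            continue  # internal traffic is handled by find_recon
        if src != GATEWAY:
            alerts.append(("direct_external", src, dst, port, nbytes))
        elif (dst, port) not in APPROVED_EXTERNAL:
            alerts.append(("unapproved_destination", src, dst, port, nbytes))
    return alerts

def find_recon(conns, fanout=RECON_FANOUT):
    """Flag internal sources that contact an unusually wide set of internal hosts."""
    peers = defaultdict(set)
    for src, dst, _port, _nbytes in conns:
        if is_internal(src) and is_internal(dst) and src != dst:
            peers[src].add(dst)
    return {src: sorted(hosts) for src, hosts in peers.items() if len(hosts) >= fanout}

if __name__ == "__main__":
    for alert in find_exfiltration(CONNECTIONS):
        print("exfiltration:", alert)
    for src, hosts in find_recon(CONNECTIONS).items():
        print("recon:", src, "->", len(hosts), "internal hosts")
```

In a real plant the records would come from the gateway’s flow logs and the approved list from the asset inventory; the byte counts are kept in the alerts so a large transfer to an unapproved host stands out.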
How to Protect Your Organization
The takeaway here is that cybersecurity should be moved to the forefront of manufacturing goals and initiatives. It only makes sense that the more our machines and factory floors become wired to the outside world, the more effort and capital should be expended to protect these assets. If a company is willing to spend the effort and money to put up fences, gates, and guard shacks around its physical buildings and properties, shouldn’t it be willing to do the same around its virtual property and assets? Network security should be evaluated on its ability to deter intrusions and to sustain the continuous operation of production facilities. Relying on anti-malware alone is not the answer.
Companies first need to develop a strong security policy that extends through all branches, divisions, departments and aspects of the organization, and to provide education, formal written documentation and training for all employees to ensure they are aware of and following network security protocol. Lock down the company network with a strong password protocol and the current WPA2 Wi-Fi standard. Invest in cybersecurity and data encryption, and secure your mobile phones.
As cybercrime continues to escalate, businesses should view cybersecurity as a cost of doing business. Companies that protect their data will look like Fort Knox to would-be intruders, who will move on to easier targets.