The Tech Column: What the DBIR Means for Manufacturers
The second edition of The Tech Column kicks off this morning with a little more coverage of the 10th annual Verizon Data Breach Investigations Report. The DBIR is one of our favorite reads every year, and this year was no different: when it was released Thursday morning, it included more coverage focused on manufacturing in particular than in previous years. We talked with Marc Spitler, one of the report's co-authors, about how cybersecurity might affect manufacturers and what may still be to come in 2017.
IndustryWeek: This report seemed to include more focused coverage and analysis than previous reports, and there were a handful of facts that jumped out from that coverage. One was that manufacturing had more incidents categorized as “Everything Else” than any other industry. There was some explanation that those incidents just couldn’t be classified, that more information was needed. Should this be any cause for concern for manufacturing?
Marc Spitler: No, it's nothing as exciting as that. (Laughs) Typically, it's just that we're not getting the level of detail from certain sources. Say a database was hacked, or there was a phishing attack, but the level of detail received isn't up to the level that allows us to put it into another category. A lot of the "Everything Else" incidents, we knew what happened, we knew the story, but it just didn't fit into any of these other buckets and we hadn't seen quite enough of it yet for it to get its own pattern. … We have enough of those little data points where those can go into the corpus, but we don't know the motivation. Was it part of a cyber-espionage campaign? Was it more opportunistic in nature? We don't know enough about the payload of the malware received for us to classify it further, and that's really what those are falling into. It's not an indictment of the industry itself.
IW: With that in mind, the nine categories you do use are pretty well defined. Is there a possibility next year there are more categories, and some industries are maybe classified a little differently?
MS: We would certainly like to see some other categories or patterns develop as a result of the disruption of the nine we see. Right now, though, we haven’t seen a drastic enough switch in tactics for another one to be created. We certainly are seeing evolution in the patterns. … We’re still seeing a lot of similarities in the way adversaries are going after industries from a remote-attack standpoint — we’re still seeing phishing, getting that malware on there, moving around with credentials.
Most mature companies have done a good job of really limiting what they have open to the Internet. So you can look for remote access ports, you can look for things you might have had success with 15 years ago, but we've tightened it down pretty well. One thing everybody has is a web presence, so that will be targeted because it's available. Phishing is still used a lot, because it's a way for outsiders to have some level of interaction with somebody on the end of the user device on the internal network. It's not surprising to us that we see email and web drive-bys as the No. 1 and No. 2 vectors of malware. That's where things might change based on industry and data type and the threat actors involved. With manufacturing, we've found it's affected primarily by cyber-espionage, and there will be more sophisticated threat actors, with potential state affiliation, looking for a particular type of data.
IW: Do you see manufacturing as maybe a little more susceptible in the quarters and years to come, just because there are so many more connected devices on the factory floor and so many more potential points of entry?
MS: We’ll have to see how it plays out. Certainly if the attack surface changes for manufacturers and there are more things to attack, we may see a more opportunistic style of attack. Different sectors and different industries are based on the people that contribute data to us, which is why the public sector has always had a lot of incidents, and we have a disclaimer saying, “We don’t think it’s any worse than anybody else, we just get a lot of data that’s going to make those numbers increase.” In manufacturing, there is a lot of care and a lot of focus on state-affiliated actors, and we’re looking at those kinds of breaches. Manufacturers might not have the reporting requirements around some of those other data types, like employee information or PII, so I’m always hesitant to say any industry is any better or worse than another.
IW: According to the report, 62% of breaches featured hacking, and 81% of those hacking-related breaches leveraged either stolen or weak passwords. How is this still a thing in 2017?
MS: As far as the weak passwords, those are predominantly small and medium businesses, and a lot of those came in the point-of-sale intrusion section, which is what we have seen historically. The stolen passwords are almost as frustrating because we do put a lot of emphasis on things like minimum ages, maximum ages, special characters, complexity. If you have a key piece of sensitive information that you need to protect and you have the ability for people to access it in a remote manner, if you’re only relying on static authentication, you’re behind the times. Keyloggers have been around for some time, they’re specifically designed to capture user input including passwords, so you do need another factor — and one that can’t be captured in the same way as the first factor. You need to at least double the efforts of the adversary.
IW: If we transition from specifics to the proverbial 25,000 feet, 30,000 feet, what else really popped out at you?
MS: We are seeing more ransomware than in previous years. It’s an interesting topic, and it’s an interesting way for the financially-motivated criminal groups to try to earn a buck. There is some targeting, but a lot of it is opportunistic, so regardless of your industry, …it’s something to be cognizant of.
We talk about manufacturing, obviously, quite a bit, and some of the common, scalable, automated attacks have dropped down a little bit, in the form of point-of-sale intrusion. I’ll be interested to see how that turns out. We didn’t have a mega-breach last year, and I’m hoping that’s not just an anomaly. Let’s see what we can do to break up the pattern of phishing, malware, credentials, and disrupt that in the years to come.
IW: Do you see that decrease in big-name and headline hacks decreasing?
MS: Hesitant to say, because the last time we were thinking in that manner was 2011, when we only had 4 million records. We thought then, "Did we just miss everything?" and we started to freak out a little bit, but those mega-breaches just weren't happening until 2013. We are still seeing some high loss numbers, but they're going after these websites and portals, not retail, that have a large user base. How are those being monetized and used? We know they have large databases of compromised credentials from all over the internet that they're trying to re-use. I don't know if that's going to bear a lot of fruit, but ransomware certainly short-circuits the typical attack pattern.
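Spitler's point about static authentication (a keylogger captures a password once and the attacker can reuse it indefinitely, so the second factor has to be something a captured keystroke cannot replay) is worth seeing in code. The block below is an added illustration written for this column, not code from the DBIR or from Verizon: a minimal RFC 6238 TOTP generator plus a server-side verifier that accepts a code only within a one-step clock skew and never accepts the same time step twice. The secret is the RFC 4226 test key, so the codes it produces are the published test-vector values, and the login scenario at the end is constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 test-vector key ("12345678901234567890" in base32); a constructed demo secret,
# not a real credential. An authenticator app would enrol a per-user secret like this.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian 64-bit time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: accepts a code for the current or an adjacent step, and never twice.

    The 'never twice' rule is what defeats a keylogger: a captured code is bound to one
    30-second counter value, and once that counter has been consumed it is dead.
    """

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret_b32 = secret_b32
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # highest counter already consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter < 0 or counter <= self.last_accepted_counter:
                continue  # already used (or before epoch): treat as replay and skip
            expected = totp(self.secret_b32, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


def keylogger_replay_demo() -> dict:
    """Constructed scenario: a keylogger captures the user's password and the TOTP code typed
    with it. The password replays fine forever; the code does not."""
    t0 = 30  # constructed login time (counter 1 of the RFC 4226 vectors)
    captured_code = totp(DEMO_SECRET_B32, t0)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    return {
        # The genuine login consumes counter 1.
        "legit_login": verifier.verify(captured_code, t0),
        # Attacker replays the captured code five seconds later, inside the same step: rejected.
        "replay_same_step": verifier.verify(captured_code, t0 + 5),
        # The real user's next code, for counter 2, is still accepted.
        "fresh_next_step": verifier.verify(totp(DEMO_SECRET_B32, t0 + STEP_SECONDS), t0 + STEP_SECONDS),
    }


if __name__ == "__main__":
    print(keylogger_replay_demo())
```

Two design notes: the verifier tracks the highest consumed counter rather than a list of used codes, so it needs one integer of state per user; and the skew window (one step either side) is what keeps a slightly drifted phone clock usable without widening the replay window beyond about 90 seconds. The test-vector key is used only so that the generated codes match published values; a real deployment generates a random per-user secret.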
Steve Minter, IndustryWeek
HANNOVER MESSE ROUNDUP: Plenty of news and notes from Hannover, where IW executive editor Steve Minter should have been wearing a FitBit (or one of its competitors) to track his tens of thousands of daily steps.
On Monday, the GE Energy Connections Automation & Controls business announced its Control Server and Control System Health Application, which were mentioned in a piece published last week on the site. The Control Server collects, stores and analyzes all data received using Predix, allows power plants to extract industrial data and reduce operating costs, and, GE says, is well protected against cyber-attacks and hacking. The Control System Health Application, meanwhile, allows users to monitor the status of their control hardware from anywhere with Internet access, with corrective action recommendations provided based on real-time data. … SAP launched its Distributed Manufacturing app, which "provides a scalable process for manufacturers to collaborate with 3-D printing service providers to optimize design and integrate order creation and procurement." So, basically, bringing the sharing economy of Uber and B2B to on-demand 3-D printing. Yes, we're already keeping an eye on this. … Augmenta, the Finnish augmented reality app developer mentioned last week as one of Vuzix's new European VIPs, introduced a cloud-based studio tool to allow developers to quickly design AR apps using pre-built templates and control element libraries, among other tools.
And on Tuesday, IBM and ABB announced a new industrial artificial intelligence partnership that will combine the famous Watson with ABB Ability, giving Watson yet another task (after he proved he could topple some of the greatest Jeopardy! players ever and, of course, cook). … Cisco unveiled three new solutions for its Connected Factory portfolio, all focused on wringing more value from the reams of data already collected. (Flex and Apple supplier Foxconn are among its higher-profile customers.) … GE returned with another announcement Tuesday about its Plant Applications Manufacturing Execution System, designed for hybrid manufacturers to manage highly automated production processes.
ROBOT OF THE WEEK: Love robots? Of course you do. Love … art? The Robot Art competition is back for another year, with 200 pieces of art painted by 39 different robots, and you can have a say in who wins and takes home a share of more than $100,000 in awards. (I swear every word of that last sentence is true.) The competition runs through May 15, and you should definitely check out the online gallery between now and then. "The quality of the paintings for many of the teams has reached levels that are comparable with human artists," event organizer and sponsor Andrew Conru said. "Many of this year's entries are expressive, layered, and complex."
NET NEUTRALITY, PART 1: On Thursday, the Federal Communications Commission reversed the Title II classification of Internet service providers — the first step in dashing net neutrality. In response, more than 800 startups, including some big names like Y Combinator, signed a letter addressed to FCC chairman (and former Verizon general counsel) Ajit Pai (pictured above): “Without net neutrality, the incumbents who provide access to the Internet would be able to pick winners or losers in the market. They could impede traffic from our services in order to favor their own services or established competitors. Or they could impose new tolls on us, inhibiting consumer choice. [...] Our companies should be able to compete with incumbents on the quality of our products and services, not our capacity to pay tolls to Internet access providers.” This is how Pai explained his initial stance to scrap net neutrality.
NET NEUTRALITY, PART 2: Fight for the Future, a nonpartisan digital rights organization perhaps most recognizable for its role in online protests against SOPA, released a statement Monday denouncing Pai. An excerpt: "Moving so quickly to slash the protections that millions of Internet users from across the political spectrum fought for is a slap in the face to democracy and poses a serious threat to the future of freedom of expression. Net neutrality is the First Amendment of the Internet. By ignoring what the public wants and attacking Title II open Internet rules, the FCC is playing with fire and potentially opening the floodgates for widespread censorship. …If Ajit Pai thinks that destroying net neutrality is going to be easy, he has another thing coming. Internet users will fight tooth and nail to defend our basic right to connect, create, learn, and share."
QUOTE OF THE WEEK: “The BBC told me it was too intellectual. When you hear that from the BBC, where else do you go?” — June Cohen, former executive producer of TED Media, to Emma Grey Ellis in a (ridiculously short and still really entertaining) oral history of TED and TED talks published in Wired.
Hard to remember now, but from its introduction in 1984 until 2006, TED was pretty much just an ideas conference for really rich people. Then a little more than a decade ago, TED CEO Chris Anderson and others wanted to share some of the content with the world … and were rebuffed by pretty much everybody, including the BBC. Thankfully, they took control of their own content, uploaded six videos that only became more popular day by day, and developed into a phenomenon. (TED2017 has been in full swing this week. Here’s early TED talker Ken Robinson delivering what remains the most-viewed TED talk, on whether schools kill creativity.)