I am regularly inundated with cybercrime reports, and they all have at least two data points in common: ransomware is one of the most popular attack types used by threat actors (read: cybercriminals), and the manufacturing industry is one of the most popular targets for ransomware attacks.
Verizon’s 2023 Data Breach Investigations Report (DBIR) contains a wealth of well-presented information including explainers for anyone interested in cybersecurity, and it validates these points. Ransomware was present in 15.5% of all cybercrime incidents included in the study, with only denial of service (DoS) attacks topping it on the list. And where an incident resulted in a successful breach, 24% of those breaches involved a ransomware attempt, second only to use of stolen credentials.
Manufacturing, according to the DBIR, saw the fourth-largest number of incidents behind the public administration, information and finance industries, in that order. And these cybercriminals don’t have political or social motives; they just want cash. Financial gain accounted for a whopping 96% of bad actors’ motives when they attacked the manufacturing sector.
Why is the manufacturing sector so popular a target?
Cybersecurity reports on industrial cybercrime often imply that these are fresh threats, raising another question: How long has this gone on? Is this actually new, or is there hype at play (considering that the companies presenting these reports usually have cybersecurity products on offer)?
Manufacturers Often Pay Ransoms
A big reason why manufacturing is such a target: Manufacturers often pay when attacked because even small incursions can have huge repercussions.
The larger the constituency affected by a ransomware attack, the more likely the victim is to pay the ransom. In manufacturing, a successful attack may cause tremendous, cascading damage if it targets critical plant equipment. Supply chain fragility creates far-reaching ripple effects when cyberattacks succeed on these targets. Taking a few production lines down for even a few days could have serious effects on meeting production and distribution targets.
“If a manufacturing line is brought down, there’s an immediate impact to a larger audience. Consider the impact to customers that an attack on Colonial Pipeline caused. To avoid impact to their customers, and to keep the service level agreements that manufacturers have with their supply chain, they have been known to agree to pay the ransom, which encourages bad guys to target them more,” says Ryan Cloutier, president of SecurityStudio.
Erich Kron, security awareness advocate at KnowBe4, adds, “Modern manufacturing methods are very sensitive to timing to allow for just-in-time methods of production. Ransomware is a one-two punch for manufacturing, crippling the ability to create parts by taking down production lines and blinding the organization with respect to incoming materials, expected shipments, status of production and all of the other processes that keep organizations moving smoothly.”
Manufacturers also become juicy targets for threat actors because manufacturers historically have not taken cybersecurity seriously enough. They fail to appreciate the size of their ‘attack surface,’ defined as the sum total of all potential entry points into their networks.
“Many manufacturing companies are still working with legacy systems that can’t keep up with the pace of today’s threats, which makes them attractive targets. Manufacturing has embraced IoT technology. Many of these sensors and automation devices were not designed for security and are not able to be updated or patched. This makes them vulnerable,” says Cloutier.
Kimberly Cornwell, system engineer and member of the cybersecurity tech team with Siemens Digital Industry Factory Automation Division, says, “Manufacturers are focused on producing their products and may not have thought of themselves as potential targets, so they may not have the level of IT sophistication necessary to combat an attack or even recognize that they are being probed/attacked.”
In addition, says Debbie Gordon, Founder and CEO for live-fire OT/ICS cyberattack simulation training company Cloud Range, “Manufacturing is one of the least regulated industries and typically a target with a high cross-section of vulnerabilities. Many systems are connected for ease of use and reporting, and many are legacy systems using software riddled with vulnerabilities. And the threat actors know it.”
Industrial Cybercrime Goes Back Decades
While cybersecurity studies are factually correct in pointing out that the number of industrial cyberattacks continues to rise, industrial cybersecurity has been a concern since the early 2000s, when the adoption of industrial Ethernet as a backbone for I/O and communication really started to take hold in the manufacturing world.
Prior to that, machines were stand-alone islands and the earliest cyberattacks targeted very specific hardware and software. For instance, during the Maroochy Water attack in Queensland, Australia, a threat actor used a laptop and specialized supervisory control and data acquisition (SCADA) equipment to target sewage pumping stations.
In 2010, cybercriminals used malware called Stuxnet, considered highly sophisticated at the time, to target industrial control systems (ICS) in Iran's Natanz uranium-enrichment facility. Stuxnet was ‘a precision weapon’ requiring exact software to infect and specific equipment to target. Variants of this malware could compromise microphones and web cameras, analyze keystroke logs and even extract geolocation data from images.
Modern cyberattack techniques, such as highly crafted phishing emails; theft of passwords, cookies and browser histories; and compromise of computer network connections and drive contents, allowed threat actors in 2011 to breach organizations in the natural gas pipeline sector. The incidents led to some of the earliest official cybersecurity alerts issued by the United States government, including education about the dangers of social engineering.
“A sharp spike in ransomware attacks unofficially deemed 2016 the year of ransomware. The following year, the NotPetya ransomware attack captured public attention as a massive attack targeting OT systems. This attack was so destructive that Merck, Maersk and FedEx reported $800M in losses related to the attack. Attacks targeting OT systems have exponentially increased since, as threat actors realized the financial opportunity and adopted new strategies,” says Marty Edwards, deputy CTO for OT/IoT at Tenable.
So, while industrial cybercrime itself is nothing new, part of what has changed is what cybercriminals are after.
“The overall number of cyberattacks targeted against manufacturing has been relatively stable over the years [as] they are a soft, high value target. We are hearing about this as more attention is being paid due to disruption (ransomware, tomfoolery), paired with greater reporting and risk exposure visibility requirements,” says Cloutier.
“In the past, these attacks mainly focused on gaining network access for use in other cybercrime schemes, corporate espionage or general malfeasance, tomfoolery and shenanigans. And, many times these incidents were overlooked or not reported. So while it is true there has been an increase in ransomware-based attacks, I would argue that on average the overall attack count, risk exposure and attack surface remain the same as they did 20 years ago,” Cloutier adds.
The number of network vulnerabilities for cybercriminals to exploit, however, continues to grow, which changes the threat landscape.
“As IT and OT converge, it’s created a larger attack surface. Digital transformation efforts are driving more convergence and the more aspects of a plant/company that are ‘connected,’ the more potential vulnerabilities that exist or can emerge,” says Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs.
Kron adds, “As manufacturing processes have streamlined and become more reliant on computer systems to keep the lines running smoothly and without disruption, cyber threats have become more of an issue than ever before. While the threat has been around for a while, the attackers have perfected the art of disrupting manufacturing, so their impact is greater than ever before.”
And it doesn't help that modern-day cybercriminal gangs enjoy celebrity in the press.
“The notoriety gained for attacking OT organizations is popular amongst attack groups because it gives them cachet. This added credibility makes them seen as a more serious threat, which in turn means more lucrative and faster payouts for ransomware attacks,” Lakhani adds.
Getting Past the Same-Old Advice
Cybersecurity firms’ common refrain after warning manufacturers about the dangers of industrial cybercrime goes something like this:
· Check the condition of your cybersecurity protocols.
  - Do you guard privileged access to systems?
  - Do your employees know how to recognize phishing attempts?
  - Do you require employees to change passwords at specific intervals and mandate a minimum acceptable password complexity?
· Conduct risk assessments to know precisely where a manufacturer’s cybersecurity is weak.
I wanted to know if there is other, more specific and less frequently cited advice to help manufacturers guard against network breaches and ransomware attempts.
“Manufacturers can help themselves by segmenting their industrial control systems and operational technology (OT) from the Internet. It might require them to work with technology partners, so finding and nurturing those relationships in advance is important,” says Cloutier.
Matt Gyde, CEO at vArmour, adds, “With data being ‘digital gold’ for ransomware attackers, it’s becoming increasingly difficult for manufacturing companies (and all companies) to track where data moves, how it’s used, and who can access what as they expand and embrace hybrid cloud. Proactively understanding and controlling the flow of data can mean the difference between security and a breach that ripples through the enterprise. Tooling and processes need to be implemented to see what’s actually happening across their hybrid infrastructure so that manufacturing companies can shut down suspicious behavior in real time and risk-proof for the future.”
Contingency planning is also underrated, Kron says.
“Organizations need to ensure they have processes in place to keep things running when computer systems are down. The ability to continue operations, even in a limited capacity, when systems are offline is not only applicable to cyberattacks, but also to other types of disasters, such as weather or other disasters, that can cause failures with computer systems,” says Kron.
Will Industrial Cybercrime Ever Go Away?
Having established that industrial cybercrime is a long-running problem that arguably gets worse every year, is there any reason to think that it may someday get better?
“A famous bank robber was asked, ‘Why do you rob banks?’ and the response was ‘That is where the money is.’ Essentially, if you are in a profitable industry where downtime is costly and you have poor cybersecurity practices, you will be targeted by criminal ransomware operators,” says Edwards.
In other words, no.