The manufacturing industry has had a lower profile as cyberattacks against the retail, financial services and healthcare industries have made headlines. However, intellectual property theft and business disruption are now emerging as primary reasons manufacturers have become prime targets for cybercriminals.
The interconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of industrial internet-of-things (IIoT) devices, has created a massive attack surface for cybercriminals and nation-state actors to exploit.
The motive and nature of attacks
According to the 2018 Verizon Data Breach Industry Report, state-sponsored attackers caused more than half of the data breaches in manufacturing. Along with these state-sponsored attacks, the Verizon report reveals that cyberespionage was the leading motive behind these breaches.
In the new 2018 Spotlight Report on Manufacturing, Vectra reveals that attackers who evade perimeter security can easily spy, spread and steal, unhindered by insufficient internal access controls.
The manufacturing industry exhibits higher than normal rates of cyberattack-related reconnaissance and lateral movement activity. This is due to the rapid convergence of enterprise information technology (IT) and operational technology (OT) networks in manufacturing organizations.
The information in the spotlight report is based on observations and data from the 2018 Black Hat Edition of the Attacker Behavior Industry Report from Vectra. The report reveals attacker behaviors and trends in networks from over 250 opt-in customers in manufacturing and eight other industries.
From January-June 2018, the company's Cognito cyberattack-detection and threat-hunting platform monitored network traffic and collected enriched metadata from more than 4 million devices and workloads from customer cloud, data center and enterprise environments.
The three key findings that were of most interest in the report are the frequency of external remote access, the volume of internal movement between systems, and the way data was stolen, or exfiltrated, from manufacturing networks.
External remote access
The use of external remote access tools is the most common command-and-control behavior observed in manufacturing. External remote access occurs when an internal host device connects to an external server.
While external remote access is common process in manufacturing business operations, it also runs the risk of allowing attackers to infiltrate networks. Cyberattackers perform external remote access, just like in manufacturing operations, but with the intent to disrupt industrial control systems.
Sometimes attackers hijack already-established external remote access connections. For example, IIoT devices can be used as a beachhead to launch an attack. Once an attacker establishes a foothold in IIoT devices, it is difficult for network security systems to identify the backdoor compromise.
Control system owners and operators who make use of remote access technology should be asking:
- What is connected and remotely connecting to my systems?
- Do I have visibility and adequate security controls on my external and internal connections?
- How can risks and rewards with remote access be responsibly balanced?
Reconnaissance and lateral movement
Manufacturing networks consist of many gateways that communicate with smart devices and machines. These gateways are connected to each other in a mesh topology that simplifies peer-to-peer communication.
Cyberattackers leverage the same self-discovery used by peer-to-peer devices to map a manufacturing network in search of critical assets to steal or damage. This type of attacker behavior is known as internal reconnaissance and lateral movement.
IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping across non-critical and critical subsystems, until they find a way to complete their exploitative missions.
Consequently, a higher-than-normal rate of malicious internal reconnaissance behaviors were detected. And an abnormally high level of lateral movement behaviors indicated that attacks are proliferating inside the network.
Data exfiltration
IIoT devices exhibit behavior in which an internal host acquires a large amount of data from one or more internal servers and subsequently sends a significant amount of data to an external system.
IIoT network architectures reflect this behavior, where multiple sensors will aggregate data at a network gateway that sends the clustered data to a cloud database for monitoring and analytics. This IIoT architecture is common within the manufacturing industry and does not normally indicate an attack.
However, sometimes these exfiltration behaviors are associated with other threat behaviors across the attack lifecycle that point to an in-progress attack. It is critical to ensure that systems are sending data to the intended and approved external systems instead of attackers who are trying to steal intellectual property and other critical assets.
What actions can be taken?
Many factories connect IIoT devices to flat, unpartitioned networks that rely on communication with general computing devices and enterprise applications. These digital factories have internet-enabled production lines that support data telemetry and remote management.
In the past, manufacturers relied on customized, proprietary protocols, which made mounting an attack more difficult for cybercriminals. The conversion from proprietary protocols to standard protocols makes it easier to infiltrate networks to spy, spread and steal.
For business reasons, most manufacturers do not invest heavily in security access controls. These controls can interrupt and isolate manufacturing systems that are critical for lean production lines and digital supply-chain processes.
Consequently, network visibility and real-time monitoring of interconnected systems is essential to identify the earliest signs of attacker behaviors in the manufacturing infrastructure.
However, network-wide visibility can be a double-edged sword. Manually monitoring network devices and system administrators creates a challenge for resource-constrained organizations that cannot hire large security teams.
Numerous security analysts are needed to perform the manual analysis required in identifying attacks or unapproved behaviors in large, automated networks that have IIoT and IT/OT devices.
Cybersecurity is an ongoing exercise in operational efficiency. Organizations have limited resources to address unlimited risks, threats and attackers. Network security must always be evaluated in terms of efficiency as well as its impact on the operational fitness of the organization. At the same time, there is a global shortage of highly-skilled cybersecurity professionals to handle detection and response at any reasonable speed.
As a result, the use of artificial intelligence is essential to augment existing cybersecurity teams, so they can detect and respond to threats faster and stay well ahead of attackers.
Christopher Morales is the head of security analytics at Vectra, a San Jose, Calif. cybersecurity firm that detects hidden cyberattacks and helps threat hunters improve the efficiency of incident investigations.