What You Can Do

Earlier this year, Canadian aircraft manufacturer Bombardier announced it had been the victim of a cyberattack. Industry Week's report on the attack said, 'This is not a broken record. This is not part of the script from the movie Groundhog Day. It is just the sad reality that cybersecurity attacks just keep coming. The threat landscape continues to evolve with hackers having access to far more sophisticated tools. Each time another breach impacts a manufacturer it clearly demonstrates just how much today's hackers value having access to the mountains of data these companies possess.' Simply put, that sums up the state of affairs for manufacturers: attackers have found them an easy target, ripe for exploitation.

A recent study by WhiteHat Security researchers found that, among all the vertical industries, manufacturing is highly vulnerable to cyberattacks. They found that 70% of software applications used by manufacturers had at least one serious vulnerability that went unfixed over the past 12 months. In another study, security firm Trend Micro found that of the 500 manufacturing-sector employees surveyed in the U.S., Germany and Japan, 61% said they had experienced cybersecurity incidents, many of which caused system outages.

In another case, a ransomware incident at a pair of manufacturing facilities in Italy shut down production for two days. The ransomware strain, called Cring, was delivered disguised as an anti-virus update to begin the compromise. Once on the network, Cring was used to reach the manufacturing equipment and bring it to a halt.

How did we get here?

The Internet of Things (IoT), Industrial IoT (IIoT) and the Internet of Everything (IoE) catapulted the manufacturing sector into the Internet age, connecting anything and everything. IoT technologies retrofitted industrial systems, manufacturing supply chains and processes with a much-needed hardware-software combination and, more importantly, the ability to manage everything through software.

Many networking companies built gateway devices that bridge industrial and SCADA protocols, and wireless ones such as Zigbee, onto TCP/IP, connecting the operational technology (OT) network to the corporate network and ultimately to the Internet. Plant equipment can now talk to devices and processes at other sites and in other organizations across the supply chain. The entire supply chain and partner ecosystem became connected. One could call that mission accomplished, but, as is almost always the case, cybercriminals then set out to exploit vulnerabilities in these interconnected networks and cause harm.

While these technologies have delivered significant benefits such as reduced costs and improved productivity, the rush to get onto the Internet has left many manufacturers vulnerable to attack.

Key Lessons

Learning from these and other incidents, certain patterns have emerged. Attackers spend months understanding the OT network and the key people who operate it in order to gather their credentials. The initial compromise happens in the IT network, through known but unpatched vulnerabilities in IT devices (in one case the attackers exploited old vulnerabilities in Fortinet's VPN software) or through common phishing techniques. Once on the internal network, they pivot to the industrial OT network, the network that directly controls the machinery, to carry out the actual attack.

How to Fix Top Vulnerabilities

Researchers identified the top application vulnerabilities in the sector as information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection and content spoofing. These are weaknesses in the applications themselves, so the fixes belong in application code and web server configuration (session lifetimes, output encoding, TLS and cookie settings); network security policies on firewalls and gateways limit who can reach a vulnerable application but do not remove the flaw. More broadly, here are some simple actions you can take.

  • Segment (or air-gap) your IT and OT networks: Separate the IT and OT networks and give each its own set of access controls, so that a compromise of the IT network does not automatically expose the OT network. This is often loosely called air-gapping, but a true air gap means no connection at all; what most plants can realistically implement is strict segmentation, with all traffic between the two zones forced through a firewalled DMZ and a hardened jump host, and no direct path from IT hosts to controllers.
  • Keep network devices in both the IT and OT networks up to date: Install patches and upgrade software and hardware when vendors provide them. Note that the life cycle of network devices is much shorter than that of manufacturing equipment, so top leadership may need a change of mindset to react in time and to budget for replacing devices that have reached end of life.
  • Audit and assess your security footprint: Because the threat landscape keeps changing, security vendors keep bringing new capabilities to market; IT and security teams should evaluate them and adopt what is needed. Audit frequently, reviewing the current strategy and the scope of security training against what the footprint actually requires.
  • Build security awareness: Conduct security training for all employees, because social engineering is a common route to compromise. Certain key employees, those whose accounts or workstations can reach the plant floor, may need additional, specialized training in spotting anomalies between machines and systems and performing first-level diagnosis themselves, because a compromise of their access puts the entire facility at risk.
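The application weaknesses named at the top of this section are fixed in the application, not at the network boundary. The following is an added example (not code from the original post or from Intrusion) showing the three most common fixes: a server-side session store with both an idle and an absolute lifetime, cookie flags and response headers that close the transport-layer gaps, and output encoding against cross-site scripting. The timeouts, the header values and the "operator banner" page fragment are assumptions chosen for illustration.

```python
"""Application-level fixes for insufficient session expiration, XSS and weak
transport protection. Added illustration only; timeouts and page fragments are
assumptions, not values from any real plant application."""
import html
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard ceiling regardless of activity (assumed)


class SessionStore:
    """Server-side sessions with an idle AND an absolute lifetime.

    'Insufficient session expiration' usually means only one of these exists
    (or neither), so a stolen session ID stays valid indefinitely.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested offline
        self._sessions = {}          # sid -> {"user", "created", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None (and forget the session)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]       # expired: drop it so it cannot be replayed
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid):
        """Explicit logout must invalidate server-side, not just clear the cookie."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps it away
    from script, SameSite=Strict stops cross-site replay of the cookie."""
    return f"sid={sid}; Max-Age={IDLE_TIMEOUT}; Path=/; Secure; HttpOnly; SameSite=Strict"


def transport_headers():
    """Response headers that address 'insufficient transport layer protection'
    and blunt XSS and content spoofing once TLS itself is configured correctly."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }


def banner_vulnerable(operator_name):
    # Reflects attacker-controlled text straight into HTML: classic XSS.
    return f"<h1>Line 3 operator: {operator_name}</h1>"


def banner_hardened(operator_name):
    # Context-appropriate output encoding is the fix for XSS, not a firewall rule.
    return f"<h1>Line 3 operator: {html.escape(operator_name, quote=True)}</h1>"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie(sid))
    print(transport_headers())
    print(banner_vulnerable("<script>alert(1)</script>"))
    print(banner_hardened("<script>alert(1)</script>"))
```

The injectable clock matters in practice as well as in tests: expiry logic that can only be exercised by waiting eight hours is expiry logic nobody verifies.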

How to Protect Your Network and Data

Layered Defense: INTRUSION recommends a layered defense in all cases, including a rigorous information security policy, boundary firewalls, and virus/malware protection on all hosts and servers. But company owners also need to rethink how to defend against what those solutions cannot stop, not just from a technology perspective but from a financial one.

Why INTRUSION Shield: The technologies just mentioned operate at layers 3 and 4 of the OSI model or TCP/IP stack, or match known signatures on the host. Most new malware, such as zero-day and fileless variants, is not caught there, so those technologies do little to stop these newer attacks. Second, and most important, while such malware sits on your network patiently waiting, it must eventually call home for instructions on what to do next. INTRUSION's Shield uses real-time artificial intelligence to inspect every inbound and outbound packet to and from your network and compares it against a live list of 5.1 billion verified-good IP addresses out of 8.5 billion total IP addresses. If your data is destined for any other IP address or URL (website), Shield automatically kills the attempted connection. The zero-day or fileless malware may be on your network, but unless it can talk to its home station for its next instructions, it is dead on arrival.
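The segmentation advice in the Key Lessons section and the egress-blocking idea above are two halves of one policy: nothing crosses the IT/OT boundary except through a jump host, and nothing leaves the plant except to destinations you have explicitly approved. The following is an added policy model written for this article; it is not Intrusion Shield, not a product, and not a real firewall ruleset. The zones, the jump host and historian addresses, the allowlisted destinations and the log lines are all constructed (RFC 1918 and TEST-NET ranges) to show how such a ruleset behaves against realistic connection attempts, including the C2 callback case where a compromised IT host tries to reach an unknown Internet address.

```python
"""Zone-based IT/OT segmentation plus egress allowlisting, as a policy model.

Added illustration only: zones, hosts, allowlist and log lines below are
constructed (RFC 1918 and TEST-NET ranges), not taken from any real plant or
vendor product."""
import ipaddress

ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),    # office network (constructed)
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # industrial DMZ between IT and OT
    "OT": ipaddress.ip_network("10.30.0.0/16"),    # plant floor: PLCs, HMIs, engineering stations
}
JUMP_HOST = ipaddress.ip_address("10.20.0.5")      # hypothetical hardened jump host in the DMZ
HISTORIAN = ipaddress.ip_address("10.20.0.10")     # hypothetical data historian in the DMZ

# Internet destinations hosts may reach; everything else outbound is dropped.
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),        # hypothetical vendor update range
    ipaddress.ip_network("198.51.100.10/32"),      # hypothetical partner EDI endpoint
]
JUMP_PORTS = {22, 3389}        # SSH / RDP from IT operators into the jump host
OT_MGMT_PORTS = {22, 502}      # SSH and Modbus/TCP from the jump host into OT


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


def decide(src, dst, dport):
    """Return ("allow" | "deny", reason) for one connection attempt."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz == dz and sz != "EXTERNAL":
        return "allow", f"intra-{sz}"
    if sz == "EXTERNAL":
        return "deny", "unsolicited inbound from Internet"
    if dz == "EXTERNAL":
        if sz == "OT":
            return "deny", "OT must never reach the Internet directly"
        if any(dst_ip in net for net in EGRESS_ALLOWLIST):
            return "allow", "egress to allowlisted destination"
        return "deny", "egress to unknown destination (possible C2 callback)"
    if sz == "IT" and dz == "OT":
        return "deny", "no direct IT->OT path; go through the DMZ jump host"
    if sz == "IT" and dz == "DMZ":
        if dst_ip == JUMP_HOST and dport in JUMP_PORTS:
            return "allow", "IT operator to jump host"
        return "deny", "IT may only reach the jump host"
    if sz == "DMZ" and dz == "OT":
        if src_ip == JUMP_HOST and dport in OT_MGMT_PORTS:
            return "allow", "jump host to OT management port"
        return "deny", "only the jump host may initiate into OT"
    if sz == "OT" and dz == "DMZ":
        if dst_ip == HISTORIAN:
            return "allow", "OT pushes process data to historian"
        return "deny", "OT may only talk to the historian"
    return "deny", "default deny"   # covers OT->IT and DMZ->IT: nothing initiates toward IT


# Constructed connection log: one attempt per line, key=value fields.
SAMPLE_LOG = """\
src=10.10.4.21 dst=10.30.1.7 dport=502
src=10.10.4.21 dst=10.20.0.5 dport=3389
src=10.20.0.5 dst=10.30.1.7 dport=502
src=10.30.1.7 dst=10.20.0.10 dport=5450
src=10.10.4.21 dst=203.0.113.40 dport=443
src=10.10.4.21 dst=192.0.2.99 dport=443
src=10.30.1.7 dst=203.0.113.40 dport=443
"""


def evaluate_log(log):
    """Run every logged attempt through the policy; returns (line, verdict, reason)."""
    results = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict, reason = decide(fields["src"], fields["dst"], int(fields["dport"]))
        results.append((line, verdict, reason))
    return results


if __name__ == "__main__":
    for line, verdict, reason in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:5}  {line:45}  {reason}")
```

Two lines in the sample log carry the lesson: the engineering workstation in IT cannot open Modbus to a controller directly but can get there through the jump host, and the IT host beaconing to 192.0.2.99 is dropped even though the very same host is allowed to reach the vendor update range. Reading the deny reasons off a real firewall's log is what turns an allowlist into a detection signal.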

Sources:

https://resources.trendmicro.com/Industrial-Cybersecurity-WP.html

https://www.industryweek.com/technology-and-iiot/article/21156122/bombardier-suffers-cyber-attack

https://www.whitehatsec.com/news/whitehat-security-introduces-appsec-stats-flash-a-modernized-approach-to-application-security-reporting/

https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-h1-2020.pdf

https://www.cyberscoop.com/fbi-darkside-colonial-pipeline-ransomware/

Disclaimer

Intrusion Inc. published this content on 15 June 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 15 June 2021 15:17:06 UTC.