In an interconnected world, manufacturing is a prime target for cyber criminals. Malcolm Wheatley examines the critical thinking needed to stay secure.
On 23 December 2015, the lights went out across large swathes of Western Ukraine. Locked out of their desktop computers, and unable to log back in, operators inside the country’s Prykarpattyaoblenergo power distribution control centre could only watch helplessly as the cursors on their computer monitors took on a life of their own, systematically triggering circuit breakers to take power substations off-line.
In all, almost 60 substations were affected, plunging more than 230,000 people into darkness. The attack was subsequently attributed to Russia, and the vulnerability was tracked to malware loaded onto USB memory devices.
In many ways, the role model for the Western Ukraine attack was the earlier attack on Iran’s uranium enrichment programme in 2009. Widely thought to be the work of American and Israeli intelligence agencies, it again used USB memory devices to target the Siemens S7-315 programmable logic controllers (PLCs) in use at Iran’s Natanz enrichment facility, reprogramming them to randomly change the centrifuges’ speed, thereby damaging their rotors beyond repair.
Buried deep underground to avoid American bunker-busting munitions, the Natanz facility had fallen prey to targeted malware rather than targeted ‘smart bombs’.
Dramatic though such attacks are, they undoubtedly represent one of the more extreme forms of cybersecurity risk to which manufacturers are exposed: simply put, huge numbers of manufacturers possess the automated machinery and SCADA-driven control systems that featured in both attacks. That said, similar instances have been rare, although in an incident disclosed by the German Federal Office for Information Security in 2014, a blast furnace at a German steel mill reportedly suffered ‘massive damage’ after hackers used malware-laden emails to gain access to the unnamed steel mill’s automated control systems.
But that isn’t to say that manufacturers shouldn’t worry about cybersecurity risks, warn experts. Far from it, in fact: as far back as 2011, a study undertaken by the UK government Cabinet Office in conjunction with specialist IT consultants, Detica, reckoned that manufacturers – and particularly hi-tech manufacturers, ranging from aerospace to electronics to pharmaceuticals – were a high-risk target.
Which is worrying news, given that the latest government-backed study into cybersecurity breaches, Cyber Security Breaches Survey 2017, published in April, and authored by experts from the Ipsos MORI Social Research Institute, together with Professor Mark Button and Dr Victoria Wang from the Institute for Criminal Justice Studies at the University of Portsmouth, suggests that manufacturers are far less likely than many other sectors of the economy to rate cybersecurity as a serious priority for their organisations.
Whereas cybersecurity was rated as a very high priority for 60% of financial services institutions, 49% of education and healthcare institutions, 42% of utilities, and 39% of retailers, it turned out that just 31% of manufacturers – in other words, fewer than a third – regarded cybersecurity as a high priority.
“The irony is that manufacturers are in reality a prime target, not just in terms of the value of the assets that they have exposed to cybersecurity risk, but also the velocity of their transactions – a velocity that means that there’s a higher chance that a cyberattack might be successful,” warns Robert Holmes, vice-president of products at IT security provider, Proofpoint.
“So when looking at manufacturing businesses, attackers see opportunities to help themselves to both cash and data, which when coupled to an apparent lack of cybersecurity awareness among manufacturers tends to make such thefts easier to carry out.”
The cybersecurity task facing manufacturers is considerable, owing to the number of ‘attack surfaces’ that they must protect. The dilemma: where to prioritise their cybersecurity resources – the automated equipment on the factory floor, the intellectual property residing in their R&D and design systems, the cash in their payments and invoice processing systems, or the customer and employee data in their ERP and payroll systems? For many manufacturers, the answer is far from obvious.
Moreover, adds Emile Naus, technical director at supply chain consultants, LCP Consulting, those ‘attack surfaces’ potentially open the door to bridging across from a manufacturer’s own systems to those of its customers, suppliers, and partners. The potential for reputational damage, to say the least, is obvious – just ask the maintenance firm whose compromised systems provided the wherewithal for hackers to gain entry to the systems of American retailer, Target, stealing the credit card data of tens of millions of customers.
Talk to cybersecurity experts, and one of the biggest difficulties that manufacturers face is that they must guard against both targeted and untargeted attacks.
Targeted and untargeted attacks
Ransomware – which encrypts an organisation’s files, forcing it to pay a fee to have its data unlocked – is generally untargeted. For example, all it takes is one member of staff to open a malware-laden email that might have been sent to thousands of recipients. Likewise, the theft of employee or consumer customer data can also be untargeted: once obtained, names, addresses, national insurance numbers, bank account details and dates of birth can be readily sold on the so-called ‘dark web’.
But fraud – especially if reasonably sophisticated – and the theft of a company’s intellectual property, on the other hand, are often targeted. Talk to companies where the finance functions have fallen prey to emailed requests from the CEO to urgently send funds to an offshore bank account, and a common feature is the amount of corroborating detail that the fraudsters possessed.
Similarly, adds Richard Wilding, professor of supply chain strategy at Cranfield University’s Cranfield School of Management, and the world’s first professor of supply chain risk, the very nature of a manufacturer’s operations heightens the risk.
“Levels of activity within manufacturers’ financial processes are high, there are frequent payments to suppliers and other third parties, and simple fraud can easily be lost in the detail,” he points out. “Once inside a manufacturer’s financial systems, it’s not difficult for a hacker to set up a fraudulent supplier account, and submit a stream of low-value invoices which go unchallenged.”
Intellectual property (IP) is also a cybersecurity risk – and again, many manufacturers possess it in abundance. Chiefly, the risk here is of being targeted, as intellectual property clearly has its highest intrinsic value when in the hands of people who know what to do with it, and who have deliberately sought out those businesses which possess it – namely, competitors.
And while industrial espionage is hardly new – instances go back hundreds of years – today’s manufacturers are peculiarly vulnerable to such theft, points out Jano Bermudes, director with specific responsibility for cybersecurity in the technology risk consulting practice of business advisory group, KPMG.
“In a digital world, data becomes increasingly important, because it is how value is stored, and that opens the door to the theft of that digital data,” he warns. “The result is that there are a lot of companies out there that hadn’t really thought of themselves as digital businesses, but which are now waking up to the fact that they are indeed digital businesses, and ones with a lot of exposure to cybersecurity risk.”
An obvious example: manufacturers working within the supply chains of large, high-profile technology, aerospace, and defence manufacturers. Reasoning that such manufacturers might be a greater security risk than the ‘Tier 1’ suppliers to which it awards major contracts, in 2015 the UK’s Ministry of Defence mandated that stricter security protocols were to be applied across the entire defence industry’s supply chain.
As Tier 1 defence contractors had ramped up their own defences against cyberattacks, suppliers were told, cyber criminals had switched to attacking the supply chain instead. According to the New York Times, for instance, a single secretive Chinese military unit has been blamed for a series of hacking attacks that have stolen data from more than a hundred companies, many of them defence-related.
The US Department of Justice has charged five Chinese army officers with stealing trade secrets and internal documents from manufacturers such as Westinghouse Electric, US Steel, Alcoa, and Allegheny Technologies. And while it’s unclear who exactly was behind the high-profile cyberattack on film studio Sony Pictures a year or so back – which led to the theft of embarrassing emails, financial data, and not-yet-released movies – the trail pointed to North Korea, the leader of which was the subject of an unflattering movie produced by that very same Sony Pictures.
Yet for many manufacturers, the problem posed by such high-profile hacks is that they may lull firms into a false sense of security, imagining that if they guard against the most egregious forms of cyberattack – viruses, broadly-targeted ‘phishing’ emails and the like – then no one is likely to be specifically targeting their own manufacturing firm. It’s one thing to target a FTSE 100 major defence contractor or hi-tech pharmaceutical firm, goes the logic, and quite another to target the average manufacturing firm.
Not so, say experts. As the falling cost and growing ease of cyberattacks open the door to a wider range of both threats and motivations, complacency could be dangerous.
For one thing, warns Mike Lees, product manager for industrial networking and SCADA at SolutionsPT, the era of proprietary factory floor networking is increasingly giving way to the Ethernet-driven networks found in the rest of the business – indeed, that’s the whole premise of the Internet of Things. But the ease with which Ethernet networks can be extended to the factory floor sharply increases the risk to which factory-floor systems are exposed, he warns, holding out a greater prospect of both intellectual property theft and Stuxnet-style disruption.
And for a typical manufacturer to assume that no one would bother with such disruption might be a very dangerous premise indeed, adds Cranfield School of Management’s Wilding.
“The danger is that it is possible to ‘short’ the shares of a FTSE-listed manufacturing business, and then attack its factory production lines, or its supply chain, and cause sufficient disruption to affect the share price.
“The popular press is focusing on fraudulent emails that encourage the accounting staff to make urgent payments at the behest of the chief executive or managing director – but it’s all too possible for criminals to make bigger gains through disrupting manufacturing or supply chain processes, and at less risk to themselves.”
Moreover, adds Thomas Fischer, global security advocate at IT security provider, Digital Guardian, new technologies are exposing firms to risks for which they may not yet have fully considered their response. Increasingly, for instance, software is built using source code versioning systems such as GitHub, with local versions of code residing on local machines.
While such tools can be a real boon to productivity, he points out, it is important to think through the proffered data protection options, rather than blindly accepting the defaults. And that is a decision that needs to be taken at an appropriately senior level, he emphasises, by someone with an appropriate level of responsibility for cybersecurity.
Talk to cybersecurity professionals, and such messages are heard again and again. While it may be tempting to think in terms of malign attackers hovering over keyboards on the other side of the world, constantly probing your firm’s cyber defences, the reality is almost always more prosaic. Sometimes, the simplest way to breach a firm’s defences might be to drop a handful of malware-laden USB memory devices in the company car park, confident that someone would pick one up, and plug it into a computer.
“Get the basics right: without the right practical fundamentals in place, attacks do not need to be advanced to succeed,” advises Stuart Reed, senior director for market strategy at NTT Security. “People are a manufacturer’s greatest threat – so invest in staff awareness and training, and highlight the importance of collective responsibility.”
“There is no silver bullet to ensure complete security,” sums up Jalal Bouhdada, founder and principal industrial control systems security consultant at specialist industrial control system cybersecurity advisers, Applied Risk. “To mitigate the risks posed by cyberattacks, manufacturers should conduct adequate due diligence, and have enough barriers in place to safeguard industrial assets. This requires resources and senior management commitments, as well as consistent, effective security training of all staff across an organisation.”