There are many factors affecting downtime that manufacturers must consider in order to minimise disruption to the production line. While unplanned maintenance is one of the main elements posing a risk to streamlined operations, another growing issue is cyber attacks and ransomware.
Cyber attacks have long been a threat to industrial organisations, but the risk, and indeed the incident rate, is growing. According to a report by cybersecurity technology specialists Dragos, ransomware attacks alone against industrial organisations increased by 50 per cent during 2023. The firm tracked 28 per cent more ransomware groups impacting operational technology (OT) in the same period, with 70 per cent of all ransomware attacks targeting 638 manufacturing entities across 33 subsectors.
Threats also continue from ‘hacktivists’ driven by global conflicts, most notably those between Russia and Ukraine, and Israel and Hamas. Techniques used by adversaries range from a re-hash of old methods such as phishing to very sophisticated attacks that are harder to stop. There is also a trend for targeting low-hanging fruit such as internet-accessible devices that lack adequate security and enable easy operational disruption.
These threats, alongside new regulations that mandate security controls and carry financial, or even criminal, penalties for organisations that do not comply, mean industrial organisations need a robust plan for managing cyber security risk.
The motive behind cyber attacks
Operational technology (OT) within manufacturing plants and industrial organisations is being deliberately targeted by cyber criminals due to the likelihood of a pay-out from any affected company. If a criminal can hold a factory to ransom, then the company affected may have no option other than to pay up. It’s a rising tide as threat groups evolve and grow.
Only last month, Belgian ale manufacturer, Duvel, had its brewery brought to a halt when it was hit by a ransomware attack. The impact wasn’t as damaging as it could have been, due to the firm having good stocks to fulfil orders to its shops, bar and restaurant customers. But when a crippling cyber attack was launched in 2017 on Reckitt Benckiser, a provider of consumer health, hygiene and nutrition products, it resulted in significant loss to the organisation of £100 million, with 15,000 laptop computers, 2,000 servers and 500 systems hit in a hacking attack that spanned just 45 minutes.
The 2021 cyber ransomware attack on Colonial Pipeline’s servers shut down operations of the US’ largest pipeline for transportation of refined petroleum products. The fall-out lasted five days and caused localised shortages of petrol, diesel and jet fuel, sparking panic-buying which exacerbated the shortages.
And while it’s reported that only around 34 per cent of firms pay ransoms, the proportion of manufacturing firms paying higher ransoms is on the rise, according to a recent Sophos report, so cyber criminals are highly motivated in this sector as the reward can be fruitful. The threat of being caught in the crossfire of conflict-driven activity is also ever-present in these times of global political instability.
The challenges for manufacturers in protecting OT
OT is often harder to secure due to the age and lifespan of the equipment used in most plants, its specialist nature and the difficulty of interrupting operations, which often run 24/7, in order to fix or patch issues. It is also unlikely that there is an equivalent test environment where changes can be tested safely without impacting production.
There can also be confusion regarding where the responsibility for security of OT environments lies. Historically, it would be the responsibility of engineers, who have little to do with IT, and vice versa. But increasingly, these lines of demarcation are becoming blurred and it’s not always straightforward to know who should do what.
As well as the impact a cyber attack could cause, industrial players must also now be mindful of NIS2, the second Network Information Systems directive, which mandates a number of information security controls, both technical and organisational, for certain organisations operating in the EU. More stringent supervisory measures and stricter enforcement requirements have been introduced. Non-compliance can result in serious financial impacts and even personal liability for senior management.
What industrial operatives can do to protect the business from cyber crime
All manufacturing organisations should ensure they regularly conduct security tests against their OT environments. This requires a specialist set of skills, distinct from IT penetration testing, but there are security firms operating that specialise in OT security testing and it’s an investment well worth making.
It is crucial to run tabletop simulation exercises to prepare the organisation, particularly senior decision makers, for a cyber attack in a manufacturing environment. This enables the consideration of big decisions, such as whether a plant switch could be made and who is responsible for which equipment in the middle of a crisis: who gets to decide what gets turned off, and when? There is a point at which the attack might become obvious to customers, competitors, suppliers and the press, so an action plan should be in place for this eventuality too.
Operators should also consider the physical security measures within the plant, including how easy it is for someone to simply walk into the buildings that hold the OT. Could anyone wearing a high-vis jacket walk in unnoticed? Risk from third-party access should also be a consideration if equipment suppliers have remote access into the site. The level of security they have on their side to verify employees is important and should be a key element of the supplier contract.
Preventative measures to consider
Effective OT security monitoring enables an organisation to proactively detect potential security incidents before they have an operational impact. Other than cost, the barrier to this for some firms may be the requirement for specialist staff to run the monitoring and, in particular, to filter out false positives, where the detection of something that looks bad but is in fact innocuous could cause unnecessary alarm.
Ensuring proper segregation of IT from OT networks is key to blocking cyber criminal access. Implementation of Internet of Things (IoT) devices for effective monitoring is increasing in the industrial space, but when improperly secured, these devices can also provide an easy way in to the wider network.
Many providers can now connect IoT devices in one cloud-based system for effective real-time data analysis to facilitate predictive maintenance, but it’s wise to consider providers that have industrial sector knowledge and can provide confidence in having high levels of security, like RS Industria.
Security can also be breached by criminals compromising employees, either directly through coercion or indirectly through phishing, or other social engineering methods such as sending a malicious USB stick to someone who could use it unwittingly.
The tactics of cyber criminals will of course continue to evolve, and the threat is ever-present and growing. Any industrial organisation without a protection plan in place could leave itself open to attack and/or at risk of regulatory action. The phrase ‘prevention is better than cure’ has never been so appropriate.
About the author
An accomplished information security leader with extensive IT and business experience, Dr Joseph Da Silva is Chief Information Security Officer for RS Group.