Why manufacturers are a particularly juicy target for cyberattack

Posted on 12 Jun 2020 by Jonny Williamson

There is a sense of violation in being the victim of a cyberattack: ‘Why me?’ As Nick Peters reports, the truth is that everyone is a target and it’s only the ones who fail to defend themselves properly who will be hit.

It’s a disturbing thought that every second of every day, there are hunters scouring the internet for companies like yours who may have forgotten to lock their cyber doors.

Their goal: either to hijack the unwitting target’s computers for nefarious ends, like mining cryptocurrency, which takes vast amounts of computing power and energy, or to launch a ransomware attack that holds a manufacturer’s production line hostage and won’t release it until payment is made. This could involve data theft or paralysing business operations.

What has made manufacturers a particularly juicy target for these ruthless opportunists is the way that IT and OT within manufacturing plants are rapidly converging.

Industrial control systems (ICS) that hitherto were, at most, part of a discrete internal network are now exposed to the internet via the Industrial Internet of Things (IIoT) by which data from individual bits of kit flows into cloud-based software.

System lockdown software for mission-critical devices – Trend Micro

This is not an argument against taking advantage of the radical way in which connected technologies can boost design, productivity and customer service. It’s simply a reminder that what makes life easier for the good guys also makes it easier for the bad guys.

The honeypot king

Terence Liu knows this landscape of threat and opportunity only too well. He and his team at TXOne Networks in Taiwan are part of the global early warning system that monitors the terabytes of data flowing through the internet on a daily basis, looking for evidence of malign intent.

Terence Liu, general manager of TXOne Networks. Terence is also a vice-president at Trend Micro, leading the company’s Network Threat Defence Technology Group.
Terence Liu, general manager of TXOne Networks, and a vice-president at Trend Micro, leading the company’s Network Threat Defence Technology Group.

“At TXOne we deploy millions of sensors worldwide,” he told me, “and we also have several hundreds of honeypots out there, and every day they all receive attacks.

“So, if you connect your device to the public network with your IP addresses revealed, every day you will be hit, hundreds of times, by hackers trying to scan your vulnerability. It’s not personal, they are scanning the whole internet.”

[For a description of honeypots and what an attack looks like see the box at the bottom of this article]

If a hacker sneaks into your underdefended network to use your computing power, it’s unlikely you would notice any direct harm. Systems may be slower, productivity could be hit.

In IT terms, it is the equivalent of someone breaking into your house and leaving a door unlocked so they can come and go at will, and raid your fridge while they’re at it. Not optimal.

The most dangerous attack is the one where the hackers take over your ICS and shut you down by encrypting all your files, only allowing you to restart when you’ve paid the ransom. And in some cases, they don’t even decrypt vital files.

This article first appeared in the June issue of The Manufacturer Get your copy here. 

It is so tempting to believe “it will never happen to us”, but that implies an attacker somewhere across the globe has to know of your existence before attacking you. As Terence Liu is keen to emphasise, they don’t care who or where you are, just that your weakness and vulnerability makes you a target.

“It’s not personal at all,” he said. “Ransomware is the number one crisis, across different verticals – not just utility companies, but healthcare, medical, semiconductor, automotive, all of them have been attacked.

“It is quite recent. Before 2017 it was mainly critical infrastructure operators who suffered major cyber breaches, and the attackers were in many cases state-sponsored hackers. Manufacturers said to themselves, ‘We are not a target, right? We are safe’.

“However, since 2018 we have witnessed more and more targeted attacks, which means the hacker knows who you are, and they have gone to a lot of effort to get into your factory, lock it down and ask for the ransom.”

CyberSecurity - System Security Specialist Working at System Control Center Room - image courtesy of Depositphotos.

A baleful legacy

Manufacturers are not new targets just because of the greater connectivity of their production assets to the internet. It is that those assets are often operated on old, outdated operating systems like Windows XP and Windows 7 for which support in the form of security updates no longer exists.

While your connections become wider, the platform on which they sit is becoming increasingly leaky. To make matters worse, some equipment operates on proprietary software that itself has become outdated and even out of warranty.

It amounts to a three-dimensional tangle of systems held together with the digital equivalent of string and sealing wax.

The vulnerabilities from internal threats such as workers bringing viruses into the system via USB sticks, no matter how unintentionally, are bad enough: they could infect the entire company.

Anyone with malicious intent scanning the internet for vulnerabilities would have a field day. The answer is to put in a series of firebreaks and cut-outs that isolate key installations.

“We are a strong advocate for internal segmentation,” Terence Liu told me. “If someone plugs a compromised USB stick into one of your assets, we want to contain that malicious device and stop the virus propagating everywhere, using our network segmentation tool.”

“We believe it’s important to pay particular attention to the PLC,” Liu continues “because previous major breaches of the ICS world ended up with the PLC being misused. If a hacker can control the PLC they can do a lot of damage.

“This is why we protect the PLC by ensuring  that anyone on another machine connected to it can only read the telemetry of the PLC, they cannot change anything. By providing this granular access control, we secure the PLC.”

Enemy at the gates

The size of a company does not determine its vulnerability. It might determine the scale of ransom the hackers will demand, so that a large company could be hit for millions, a small company for thousands.

Nobody knows for sure how many companies have paid ransoms to hackers as they fear what exposure might do to reputation and customer confidence.

New defence and security projects at data science centre ‘The Alan Turing Institute’ are to tackle cyber security problems - image courtesy of Depositphotos.

In March 2019, the Norwegian aluminium company Norsk Hydro was attacked, shutting down production lines at its 170 plants and paralysing the business.

Intriguingly, they refused to pay, even if it meant going back to pen and paper while software experts scoured their systems for the malware that the hackers had planted.

That defiance cost the company close to £50m in lost profits but earned it high praise for refusing to cave to the hackers’ demands. Not many companies would have the resilience to put up such a fight, which is why keeping the attackers out is by far the best choice.

They only need to be lucky once, as their automated scanners scour the digital universe day in, day out for poorly protected companies. You need to be lucky all the time.

As a celebrated movie detective once said: You’ve got to ask yourself one question: Do I feel lucky? Well, do ya?

The honeypot trap

TXOne Networks is a joint venture between Trend Micro, one of the largest cybersecurity specialists in the world, and Moxa, a global networking and automation company specialising in the manufacturing sector.

The goal was to develop cyberdefensive tools and systems specifically for manufacturers.

On the age-old premise of ‘Know thy enemy’, Terence Liu and his team at TXOne have been working alongside the Trend Micro Forward-Looking Threat Research (FTR) which for years has been using ‘honeypots’ to monitor hacker activity.

In 2019, the FTR went so far as to create an entirely fictional manufacturing company called ‘METech’ to lure hackers in, so they and their modus operandi could be identified.

They built a company website, even populating it with photographs of the principals that had been generated by AI, as opposed to stock images, so that the hackers could not do a reverse verification search.

They then established their ‘factory’, including four PLCs that were networked into a plausible simulacrum of a working SME manufacturer.

The entire process, from inception through to multiple attacks, reads like a true-crime thriller (see the link opposite). They made the company look as real as possible because while the hackers may not care who they attack, once they have found an insecure digital doorway they need to exploit the target systems and that actually takes operator time.

These people are efficient. They hate wasted effort. The end result is a ransom note, often placed as desktop wallpaper, that demands money (usually Bitcoin) in return for unlocking all the systems they’ve encrypted.

As the story demonstrates, the fake CIO of the fake company got so far as having email conversations with the hackers. Terence Liu told me that the attackers are very often located in North Korea, China or Iran, so legal retaliation is all but impossible.

But just as intelligence agencies used to recognise the ‘fingerprint’ of Morse Code operators, arguably the first digital communicators, so his team can learn who is launching the attacks, the better to defend against them.

cyberattack ransomware

This is the message you really do not want to see displayed on your computer. Image: Trend Micro

The story behind the Trend Micro Forward-Looking Threat Research (FTR) Honeypot trap https://go.aws/35XP2CN

Trend Micro’s assessment of the global threat to manufacturers from hackers https://bit.ly/2LtbvhO

*Images courtesy of Depositphotos