Cyber Security Incident Forced Shutdowns, Financial Losses

The infection took out 10,000+ unpatched Windows 7 machines and cost an estimated $255 million in damages and lost production.


Last month, Taiwan Semiconductor Manufacturing Co. Ltd. (TSMC), the world's largest chip fabricator, introduced a variant of the WannaCry ransomware cryptoworm onto its information technology/operational technology (IT/OT) networks. The entry point was a new fabrication tool: a TSMC supplier installed infected software on it, the tool was connected to the network, and the malware spread from there.

The infection spread quickly, taking out 10,000+ unpatched Windows 7 machines that run the chip fab company’s tool automation interface. The cryptoworm crashed and rebooted systems endlessly, forcing several plants in Taichung, Hsinchu and Tainan to shut down through much of the weekend. The infection crippled materials handling systems and production equipment as well as Windows 7 computers. Some of the plants were producing SoC chips for the Apple iPhone 8 and X models.  

According to TSMC's CEO, patching the Windows 7 machines requires tool downtime and coordination with equipment suppliers, so many of them were not current. Those missing patches gave WannaCry an environment in which it could propagate freely. The 2018 Spotlight Report on Manufacturing, published by Vectra a few weeks before the incident, anticipated exactly this kind of infection, which could cost TSMC as much as $255 million.

Cybersecurity Risks Continue to Increase 

According to the TSMC website, the company had “introduced new applications such as IoT, intelligent mobile devices and mobile robots to consolidate data collection, yield traceability, workflow efficiency, and material transportation to continuously enhance fab operation efficiency.” Further, TSMC had “integrated automatic manufacturing systems." 

These innovations are typical of the Industry 4.0 evolution, which has increased manufacturers' exposure to cyberattack. As manufacturers moved from air-gapped industrial systems to cloud-connected ones as part of IT/OT convergence, putting a proliferating set of IIoT devices on unpartitioned networks with insufficient access controls, they created a massive, vulnerable attack surface.

Air-gapped systems such as industrial controls have no external connections by design, which guards them against remote tampering. IT/OT convergence has connected those systems to IT networks with little attention to the vulnerabilities that come along with the connection. Many factories put IIoT devices on flat, unpartitioned networks where they communicate directly with general-purpose computers and enterprise applications. Because IIoT devices support few, if any, native security controls, connecting them to easily infected applications, computers and unsegmented IP networks invites trouble: a worm that lands on one Windows host can reach every tool on the same segment.

In the past, manufacturers relied on customized, proprietary protocols, which made mounting an attack harder for cybercriminals. The move from proprietary to standard protocols makes it easier to infiltrate networks to spy, spread and steal.

Few attackers know the proprietary protocols those closed legacy systems used, and fewer still have tooling for them. Standard IP protocols are a different story: off-the-shelf exploits target them directly, just as WannaCry abuses the SMBv1 flaw (the MS17-010 vulnerability exploited by EternalBlue) on any host where the patch has not been applied. The practical check is simple: confirm MS17-010 is installed and SMBv1 is disabled on every Windows host, and block TCP/445 between segments that have no reason to share files.

Real-Time Visibility is Crucial 

Industry 4.0 brings with it a new operational risk for connected, smart manufacturers and digital supply networks. The interconnected nature of Industry 4.0-driven operations and the pace of digital transformation mean that cyberattacks can have far more damaging effects than ever before, and manufacturers and their supply networks may not be prepared for the risks.

Wherever cyberattacks interfere with business continuity for business and information processes, they can also disrupt the operational technology that makes products and gets them out the door. For cyber-risk to be adequately addressed in the age of Industry 4.0, manufacturing organizations need to ensure that proper visibility and response capabilities are in place to detect and respond to events as they occur.

As in the case of the TSMC ransomware debacle, anything less than real-time detection and response is too little, too late to avoid production downtime. Manufacturing security operations now require automated, real-time analysis of entire networks to proactively detect and respond to in-progress threats before they do damage.
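To make two of the conditions above concrete, the SMB abuse WannaCry relies on and the real-time analysis of network metadata this section calls for, here is an added example. It is not code from the original post and not Vectra's Cognito platform. It runs two checks over flow records: a sliding-window count of distinct SMB targets per source host, which is what a worm sweeping a segment for unpatched SMB listeners looks like, and a list of SMB flows that cross an IT/OT zone boundary, the symptom of a flat network. The flow record format, the zone address ranges and the thresholds are assumptions, and the flow lines are constructed for the example, not captured traffic.

```python
"""SMB fan-out and IT/OT zone-crossing checks over flow records.

Added example; not from the original post. The record format
('<epoch> <src_ip> <dst_ip> <dst_port>'), the zone ranges and the
thresholds are assumptions, and the sample records are constructed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

SMB_PORT = 445
FANOUT_THRESHOLD = 20    # distinct SMB targets from one source within the window
WINDOW_SECONDS = 60.0

# Assumed zone layout: enterprise IT vs. fab tool automation (OT).
ZONES = {
    "IT": ip_network("10.1.0.0/16"),
    "OT": ip_network("10.2.0.0/16"),
}


@dataclass(frozen=True)
class Flow:
    ts: float      # epoch seconds
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return Flow(float(ts), src, dst, int(dport))


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is outside every range."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def detect_smb_fanout(flows: Iterable[Flow],
                      threshold: int = FANOUT_THRESHOLD,
                      window: float = WINDOW_SECONDS) -> Dict[str, int]:
    """Sliding-window count of distinct SMB destinations per source.

    Returns {source_ip: peak_distinct_targets} for every source whose
    distinct-target count reached the threshold inside some window.
    Repeated connections to the same file server do not inflate the count.
    """
    recent = defaultdict(deque)     # src -> deque[(ts, dst)], oldest first
    active = defaultdict(Counter)   # src -> dst -> flows still inside the window
    peaks: Dict[str, int] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport != SMB_PORT:
            continue
        q, c = recent[f.src], active[f.src]
        q.append((f.ts, f.dst))
        c[f.dst] += 1
        while q and f.ts - q[0][0] > window:      # expire flows older than the window
            _, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) >= threshold:
            peaks[f.src] = max(peaks.get(f.src, 0), len(c))
    return peaks


def detect_cross_zone_smb(flows: Iterable[Flow]) -> List[Flow]:
    """SMB flows whose endpoints sit in different zones (or an unknown one)."""
    return [f for f in flows
            if f.dport == SMB_PORT and zone_of(f.src) != zone_of(f.dst)]


def constructed_flows() -> List[str]:
    """Constructed records: one infected OT host sweeping 25 neighbours on 445,
    one IT workstation reaching into the OT zone, a benign file-server client
    hitting the same server repeatedly, and one HTTPS flow as noise."""
    lines = []
    for i in range(25):                                  # worm sweep, 1 s apart
        lines.append(f"{1000 + i} 10.2.0.50 10.2.0.{100 + i} 445")
    for i in range(30):                                  # same server, repeatedly
        lines.append(f"{1000 + 2 * i} 10.1.0.10 10.1.0.20 445")
    lines.append("1010 10.1.0.77 10.2.0.5 445")          # IT -> OT crossing
    lines.append("1012 10.2.0.50 10.1.0.20 443")         # not SMB, ignored
    return lines


def report(lines: Iterable[str]) -> Dict[str, object]:
    """Run both checks and return their findings keyed by check name."""
    flows = [parse_flow(line) for line in lines]
    return {
        "fanout": detect_smb_fanout(flows),
        "cross_zone": [(f.src, f.dst) for f in detect_cross_zone_smb(flows)],
    }


if __name__ == "__main__":
    for key, value in report(constructed_flows()).items():
        print(f"{key}: {value}")
```

The sliding window is the part worth copying: a per-source deque plus a counter keeps memory bounded and lets the detector fire while the sweep is still in progress, rather than after a batch job has run. In a real deployment the records would come from a flow collector, TCP/139 would be added alongside 445, and the fan-out threshold would be tuned against a baseline of how many distinct SMB servers a legitimate host touches in a minute.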

The 2018 Spotlight Report on Manufacturing delineates the many attack types and behaviors that the Cognito platform captured. The Cognito threat-detection and hunting platform monitored traffic and collected rich metadata from more than four million devices and workloads from customer cloud, data center, and enterprise environments to reveal the cyberattacker behaviors. You can learn about other findings pertinent to your Industry 4.0 cybersecurity risk by downloading the 2018 Spotlight Report on Manufacturing.


Christopher Morales is the head of security analytics at Vectra, a San Jose, Calif. cybersecurity firm that detects hidden cyberattacks and helps threat hunters improve the efficiency of incident investigations.