The digital transformation of manufacturing goes by many names — Industry 4.0, Smart Manufacturing, The Fourth Industrial Revolution. Cyber spies like to think of it as the Mother Lode.
The potential advancements arising from the interconnection of everything from manufacturing design to maintenance and repair to enterprise business and supply chain systems are exciting. The ripple effects are wildly disruptive — we’ll be able to produce consumer goods and build airplanes in ways we never imagined. But with the possibilities come risks. As more equipment, processes, suppliers, and people are connected online together to form the digital thread connecting everything inside factories and extending across the value chain, the cyber attack surface grows exponentially.
Bad actors — organized cybercriminals, state-sponsored hackers, and even hacktivists — see newly connected Industrial Control Systems (ICS), factories, and public utilities as a unique opportunity to steal trade secrets, carry out extortion schemes through threats to public safety, make some quick bitcoin via ransomware, or sabotage operations.
The global race for dominance in smart factories, shipyards, energy systems, and aerospace and defense has already begun. Made in China 2025, Make in India, the EU's Factories of the Future, and Australia's Advanced Manufacturing Growth Centre are but a few examples. The massive efforts to build digital factories and supply chains, integrating operational technology (factory equipment, for example) with traditional IT and then collecting the resulting data in real time across the extended enterprise, are still nascent. Manufacturers and their suppliers are making heavy use of commercial cloud computing infrastructure and software to replace and connect outdated proprietary systems.
The stakes are high. In the U.S. alone, manufacturing still accounts for approximately 10 percent of GDP. With a trade-and-tariff war looming on the horizon, manufacturing and related industries are under immense pressure to stay ahead, reduce costs, and beat competitors in terms of delivery speed, innovation, and quality. And increasingly, they have to defend against cyberthreats that could lead to disaster.
Attackers Are Active and on the Move
Unfortunately, these threats are not theoretical. In October 2017, the US government issued a rare public warning about targeted attacks on critical nuclear, energy, aviation, water, manufacturing, and government entities, the purpose of which was to gain access to the organizations' networks. The activity observed appeared to be the work of groups associated with the Russian government. Other groups being monitored are connected to China, Iran, and North Korea. National Intelligence Director Dan Coats reiterated the warning in July 2018, saying "the warning lights are blinking red again" in reference to intelligence channels tracking these threats.
According to the 2018 Verizon Data Breach Investigations Report, state-affiliated attackers were behind more than half of the data breaches in manufacturing, and the same report found cyberespionage to be the leading motive behind those breaches.
In the new 2018 Spotlight Report on Manufacturing, Vectra reveals that attackers who evade perimeter security can easily spy, spread and steal, unhindered by insufficient internal access controls.
The manufacturing industry exhibits higher-than-normal rates of cyberattack-related reconnaissance and lateral movement activity. The report attributes this to the rapid proliferation of Industrial Internet of Things (IIoT) devices, many of which were not designed with security in mind, on enterprise IT and OT networks that were traditionally air-gapped or otherwise isolated from the outside world.
The information in the spotlight report is based on observations and data from the 2018 Black Hat Edition of the Attacker Behavior Industry Report from Vectra. The report reveals attacker behaviors and trends in networks from over 250 opt-in customers in manufacturing and eight other industries.
From January-June 2018, a cyberattack-detection and threat-hunting platform from Vectra monitored network traffic and collected enriched metadata from more than 4 million devices and workloads from customer cloud, data center and enterprise environments.
The three key findings that were of most interest in the report are the frequency of external remote access, the volume of internal movement between systems, and the way data was stolen, or exfiltrated, from manufacturing networks.
How Attackers Infiltrate
The use of external remote access tools is the most common command-and-control behavior observed in manufacturing. External remote access occurs when an internal host initiates a connection to an external server and that server can then control the host over the resulting session.
While external remote access is a common process in manufacturing business operations, it also runs the risk of letting attackers into the network. Attackers use exactly the same mechanism as legitimate remote support and vendor maintenance, but with the intent to control or disrupt industrial control systems.
Attackers may also hijack already-established external remote access connections, or use an IIoT device as a beachhead from which to launch the rest of the attack. Once an attacker has a foothold on an IIoT device, the backdoor is hard for network security systems to distinguish from the device's routine outbound connections.
Control system owners and operators who make use of remote access technology should be asking:
- What is connected and remotely connecting to my systems?
- Do I have visibility and adequate security controls on my external and internal connections?
- How can the risks and rewards of remote access be responsibly balanced?
What Are Attackers Doing Once Inside?
Manufacturing networks consist of many gateways that communicate with smart devices and machines. These gateways are connected to each other in a mesh topology that simplifies peer-to-peer communication.
Cyberattackers leverage the same self-discovery used by peer-to-peer devices to map a manufacturing network in search of critical assets to steal or damage. This type of attacker behavior is known as internal reconnaissance and lateral movement.
IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping between non-critical and critical subsystems until they reach the assets they are after.
Consequently, a higher-than-normal rate of malicious internal reconnaissance behavior was detected in manufacturing networks, and an abnormally high level of lateral movement behavior indicates that attackers are spreading inside those networks once they get in.
What Are They Getting Away With?
Many IIoT deployments exhibit a traffic pattern in which an internal host acquires a large amount of data from one or more internal servers and subsequently sends a significant amount of data to an external system.
IIoT network architectures reflect this behavior, where multiple sensors will aggregate data at a network gateway that sends the clustered data to a cloud database for monitoring and analytics. This IIoT architecture is common within the manufacturing industry and does not normally indicate an attack.
However, sometimes this same pattern coincides with other threat behaviors across the attack lifecycle that point to an in-progress attack. It is critical to confirm that systems are sending data only to intended and approved external systems, and not to attackers who are trying to steal intellectual property and other critical assets. In practice that means maintaining an allowlist of approved external destinations and treating a large internal-to-external data transfer to anything else, especially from a host that has also shown command-and-control or reconnaissance behavior, as a high-priority alert.
What Can Manufacturers Do to Stop Attacks and Exfiltration?
Many factories connect IIoT devices to flat, unpartitioned networks that rely on communication with general computing devices and enterprise applications. These digital factories have internet-enabled production lines that support data telemetry and remote management.
In the past, manufacturers relied on customized, proprietary protocols, which raised the cost of building attack tooling and so made mounting an attack more difficult. The move from proprietary protocols to standard ones removes that obstacle and makes it easier to infiltrate networks to spy, spread and steal.
For business reasons, most manufacturers do not invest heavily in access controls, because such controls can interrupt or isolate manufacturing systems that are critical to lean production lines and digital supply-chain processes.
Consequently, network visibility and real-time monitoring of interconnected systems is essential to identify the earliest signs of attacker behaviors in the manufacturing infrastructure.
However, network-wide visibility can be a double-edged sword. Manually reviewing the activity of every network device and administrator account is beyond resource-constrained organizations that cannot hire large security teams.
Large, automated networks full of IIoT and IT/OT devices would need numerous security analysts to perform the manual analysis required to identify attacks or unapproved behaviors.
In the end, both cybersecurity and manufacturing are continuous exercises in optimizing operational efficiency — and in applying systems data intelligently to solve dynamic problems. Organizations have limited resources to address unlimited risks, threats and attackers. Network security must always be evaluated in terms of efficiency as well as its impact on the operational fitness of the organization.
As manufacturing supply chains grow more dispersed and complex, they introduce similar risks and management challenges. In both disciplines, artificial intelligence is essential to augment human experts as we face unprecedented challenges. In the global race for resources, technological innovation, and trade dominance, we need to develop a whole new level of visibility, control, and speed to stay ahead of attackers and competitors.
Christopher Morales is the head of security analytics at Vectra.