This blog was jointly authored by Zachary Curley.
Manufacturing facilities employ assembly lines, material handling systems, motors, and furnaces that all require big physical machines. Innovative trends in the manufacturing industry and the advancement of operational technology have also meant introducing computers across operation and production systems. Operational technology or OT is a category of computing and communication systems used to manage, monitor, and control industrial operations, focusing on the physical devices and processes they use. Operational technology monitors and manages industrial process assets and manufacturing/industrial equipment.
To function, these expansive systems must be monitored and controlled by sensors, which are in turn connected to other automated systems that facilitate data transfer and operations. Attackers can use this web of systems to direct ransomware attacks that can significantly disrupt the manufacturing industry, cause substantial production losses, and otherwise limit or impede operations. Manufacturing facility system owners must identify best practices designed to reduce the impact of ransomware attacks on their networks, including standard IT devices along with IoT and OT components.
The impact of ransomware introduced into any organization's network can be severe. Due to the increasingly computerized nature of manufacturing networks, ransomware can create long-term material harm to manufacturing devices and equipment. Network-based file sharing, for example, is critical to the manufacturing environment. From an operational aspect, network-based file sharing facilitates the sharing and transfer of design and other engineering documents and serves as a repository for saving workflow parts lists, reference files, and tooling files. When considering the business side of manufacturing facility operations, network file sharing allows managers and other staff to store information on invoices, purchase orders, suppliers, and vendors.
While a ransomware attack on these file repositories is unlikely to disrupt the production line, it is far more likely to hinder business operations such as product engineering and design and supply chain management. Additionally, modern ransomware attacks have evolved to include data theft, which might have permanent negative implications across the manufacturing industry. Before ransomware attacks were as prominent as they are today, attackers stole data for the sole purpose of blackmailing victims and subsequently increasing the likelihood of payment. Nowadays, attackers leak or sell stolen data on the dark web, much of which contains sensitive information and intellectual property. Some attackers may even target key supply chains as part of a larger orchestrated attack to cripple a specific industry or supply chain.
Modern ransomware attacks are also designed to cripple or shut down infected systems and deny legitimate users the ability to view and control them. Apart from their destructive features, ransomware attacks also have scatter mechanisms that flood a manufacturing system's automation networks with data packets, degrading its real-time response until the system is completely paralyzed. Such attacks directly affect operations by blocking access to utility systems, such as heating, cooling, and power human-machine interfaces. These attacks are also likely to infect other plant locations connected to the same network.
Securing manufacturing IoT/OT networks
Based on the evidence provided in news reports about recent ransomware attacks, one can deduce that manufacturing networks have become easy to compromise despite using specialized equipment, secure protocols, and proprietary or commercial-off-the-shelf (COTS) software. While standard security best practices and solutions should work in protecting the production/manufacturing environment, there are additional security requirements that security officers across the manufacturing industry can implement. These include addressing issues involved with legacy systems and reducing the value of sensitive data to threat actors.
Most manufacturing networks and systems have not been designed with cyber risk in mind, and many of these outdated machines control the most integral aspects of their manufacturing operations. Over time, these systems are likely to become a cybersecurity liability. There is also the issue of integration with acquired assets, which present their own problems such as hidden vulnerabilities and legacy systems. Changing configuration files or updating anti-virus software on legacy systems in OT networks can be challenging. Manufacturers need to weigh the cost of the risk involved against the cost of integrating control systems with modern standards. They should also carry out a cyber assessment to help them assess infrastructure costs and mitigate cybersecurity risks, or partner with a third party such as AT&T to provide dedicated resources to manage vulnerabilities.
Protection of sensitive data has proved a complex challenge requiring great investments in funding, talent and time, executive support, and a holistic data protection strategy. However, implementing data-centric solutions without integration with the manufacturing systems is likely to leave critical gaps that can be exploited for a ransomware attack. Manufacturers can work on reducing the value of sensitive data to threat actors by obfuscating or encrypting data. Doing so can make the data useless to a threat actor since it becomes difficult to use when compromised. Manufacturers can also reduce the value of sensitive data by destroying it whenever it has served its business and legal purpose.
Balancing outside risk
The risks outlined above extend to systems outside of the manufacturers' control. Given the size and complexity of modern manufacturing, it is unrealistic to expect an organization to create or wholly own every device or piece of infrastructure that supports critical operations. This can significantly expand the size of an organization's attack surface and create a reliance on the secure practices of others.
Core manufacturing systems, implemented years ago in some cases, are prone to go for long periods without any software updates or security patches, if they receive them at all. Due to their criticality, the systems are permitted to operate in an insecure state despite the increased risk. This means additional care must be taken when selecting devices or software supplied and supported by third parties. Security risks can be introduced in numerous ways. Still, some of the most common causes of breaches include lack of patching, use of insecure operating systems, and unencrypted communication between systems.
Conclusion
It is clear that the ransomware threat landscape will continue evolving and expanding. However, the good news is that such attacks can be prevented with enough security measures in place. Many attacks rely on weak security practices rather than on new attack methods, so even simple steps like patch management can significantly reduce an organization's exposure to attacks.
Manufacturers should protect themselves by working on their legacy systems, improving device or software selection processes, and reducing the value of sensitive data to threat actors. It is recommended that organizations conduct full audits of their current operating procedures, listing the essential functions and devices that support the business's goals and any associated risks therein. Depending on the size of the organization's security team and their existing workload, engaging third parties is highly encouraged. For an example of what a company can gain from partnering with an outside agency, manufacturing entities should look at AT&T's Managed Vulnerability Program or our Managed Threat Detection and Response platform. Engaging these measures will help ensure that manufacturers do not end up victims of the evolving, powerful ransomware attacks likely to emerge in the future.