Complex legacy systems in factories and poor cyber-hygiene across the industry render manufacturers vulnerable to attacks in unexpected ways
When considering cyber-risks, the first things that spring to mind are ransomware, theft of personal and financial data, or viruses. Few people realise that away from the headline-generating mega-breaches, there are surprising cyber-threats unique to the manufacturing industry that have potentially wider-reaching consequences.
These cyber-risks can be categorised as destroy, harm or manipulate, says Yuri Kramarz, senior security consultant at Finland-headquartered F‑Secure, a leading cybersecurity organisation. “A distributed-denial-of-service (DDoS) attack, where machinery stops and does not work, is a higher risk than traditional cyber-threats,” he says. “The loss of production time has a direct financial impact on manufacturing operations and, quite often, on the entire supply chain.
“Attackers could try to turn off operating systems and paralyse them. Some plant machines are big, complex and are installed by vendor consultants, so it would take time to reinstall software or operating systems with the appropriate components and expert engineers who might need to be flown in to carry out these repairs.”
Alarmingly, more malevolent, life-threatening attacks are possible. “The attackers could speed up or slow down production lines, or change simple things like mixing components, the size of the product, or its design, to cause damage,” says Mr Kramarz. “Imagine a situation where cyberattackers break into a bolt manufacturer’s system and make all the bolts a little bit wider, subsequently compromising the safety of the bolts, which may be installed in cars or planes.”
There are very few documented examples of cyberattacks of this nature on manufacturing plants. But one of the most worrying was disclosed in December 2014, by the German Federal Office for Information Security. It reported physical damage on a “massive” scale caused by a cyberattack on an unidentified German steel plant that had prevented the mill’s blast furnace from shutting down.
Arguably the most concerning aspect of cyber-risk in the manufacturing industry, however, is the apparent lack of knowledge about adequate security, according to the manufacturers’ organisation EEF, formerly the Engineering Employers’ Federation, Cyber Security for Manufacturing Report 2018. Almost half of the manufacturers surveyed (48 per cent) admitted they had fallen victim to cybercrime and 24 per cent of these suffered financial or business losses as a result.
More chilling statistics revealed 41 per cent of respondents did not believe they have access to enough information to even assess their true cyber-risk and 45 per cent felt they did not have the correct tools for the job.
“There seems little doubt that many more attacks will have gone undetected,” according to EEF chief executive Stephen Phipson. “More companies are at risk of attack and manufacturers urgently need to take steps to protect themselves against this burgeoning threat.
“Failing to get this right could cost the UK economy billions of pounds, put thousands of jobs at risk, and delay the supply of essential equipment to key public services and major national infrastructure projects.”
Dan Turner, chief executive at UK-based cybersecurity organisation Deep Secure, blames the combination of poor cyber-hygiene across the manufacturing industry in general, including default passwords never being changed by controllers, who tend to “have an operational technology rather than information technology background”, and legacy systems in particular.
“Lots of the technology used in manufacturing is old, making it more susceptible to attack,” he says. “For instance, many manufacturing plants are controlled by workstations running outdated or unsupported versions of Microsoft operating systems.
“This problem is compounded by the fact that lots of the technology solutions used in manufacturing are unpatched. There are many reasons for this, for example if you have a plant controller that needs to run around the clock, then it ends up going unpatched for months and sometimes years, but it makes them a prime target.”
Karl Lankford, lead solutions engineer, Europe, Middle East and Africa, for remote support organisation Bomgar, agrees there are some sizeable holes in many manufacturers’ cyberdefences, making it all too easy for criminals to access networks via plant employees and third parties. His company’s Privileged Access Threat Report 2018 showed that 70 per cent of UK manufacturing organisations afford third-party access to networks with just standard logins and passwords. Furthermore, in the year to April 2018, 57 per cent of manufacturing companies “possibly or definitely suffered a breach due to third-party access”.
Mr Lankford says: “An increasing target for malicious groups concerns industrial control systems (ICS), which control our power grids and more, and in particular pose a significant challenge to ensuring secure manufacturing facilities. ICS systems are often more than 15 years’ old and incompatible with newer security systems and security patch developments. As they have such long life cycles, it’s tough to keep ICS secure against the continually developing threat landscape.”
Lots of the technology used in manufacturing is old, making it more susceptible to attackDan Turner, Deep Secure
Most manufacturing companies have been forced to digitalise their plants to keep pace with change and internet of things (IoT) solutions, such as smart sensors, are now ubiquitous. Adopting processes that are directly or indirectly connected to the internet, though, represent a considerable risk if not well guarded, says David Ellis, vice president of security and mobility solutions at Tech Data Europe.
“Unprotected IoT endpoints can be compromised to allow ‘stepping-stone’ access to corporate networks, enabling data-stealing raids,” he says. “They could be conscripted into botnets to launch DDoS attacks across a critical network, enable crypto-mining, click fraud and more. The Mirai attacks of 2016 showed us just how easy it is to do this.” Mr Ellis is referring to the Mirai malware that transforms networked devices run on Linux open source software into bots that can be remotely controlled and used in a botnet army.
Manufacturing leaders should be worried about multiple cyber-threats, but following the introduction by the European Union of both the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive) in May 2018, cybersecurity ought to have become a top priority, if it was not previously.
“If organisations apply security practices to meet the NIS Directive, this in turn will help with GDPR compliance, including knowing where your data is held and responding to any incidents correctly,” says Mr Lankford. “Using the framework from the NIS Directive, organisations can start to be proactive, assessing their network and the data they hold, and build a better picture of the landscape they need to protect.”