With October being National Cybersecurity Awareness Month (NCSAM) and November being Critical Infrastructure Security and Resilience Month, Morphisec is publishing a series of posts on industries included in the DHS list of 16 critical infrastructure sectors.
When we think about critical infrastructure, we are more likely to think of energy or transportation before manufacturing, but the sector is crucial to national economic prosperity and continuity. As the Department of Homeland Security (DHS) points out, a direct attack on or disruption of certain elements of the manufacturing industry could disrupt essential functions at the national level and across multiple other critical infrastructure sectors.
The risk is real. Manufacturing is the third most targeted industry for cyberattacks according to EEF’s 2018 Cybersecurity for Manufacturing report. The study found that 48% of manufacturers have been victims of a cyberattack, with half of those victims sustaining financial or other business losses.
Incidents are not only more frequent, they’re more damaging. The 2018 Cost of a Data Breach Study by IBM and Ponemon puts the average cost of a data breach at $8.7 million for a U.S. industrial manufacturer and $4.8 million globally. With manufacturing accounting for approximately 10 percent of U.S. GDP, attacks on the industry have a national economic impact. The stakes are even higher for a country like Germany, where the manufacturing sector represents about 20% of GDP. Cyberattacks have cost German manufacturers an estimated 50 billion euros over the past two years.
Manufacturers Prime Target of Cyber Spies
Looking specifically at espionage-related attacks, the Verizon 2018 DBIR found manufacturing to be second only to the public sector as the most attacked industry. State-sponsored attackers caused more than half of the data breaches in manufacturing, with cyberespionage the leading motive behind these breaches. These are sophisticated attacks, tailored to weaknesses in manufacturing defenses.
Take the cyberespionage group Bronze Butler, also known as Tick, which has been targeting Japanese and Korean heavy industry since at least 2012. The group, believed to operate out of China, constantly updates its tactics and is quick to incorporate new threats. The most recent attack used Datper malware hosted on compromised websites, likely delivered by phishing emails and watering hole attacks. An attack reported earlier in the year went after a secure USB drive built by a South Korean defense company. Another leveraged an Adobe Flash zero-day in a popular Japanese corporate desktop management tool.
Motive and Opportunity
Why are manufacturers a favorite target for criminal and state-sponsored attackers alike? Simply put, motive and opportunity. Manufacturing systems are host to high value intellectual property and trade secrets. An NTT Group report found that 21% of manufacturers have lost intellectual property as a result of a cyberattack, with more than 90% of stolen data considered “secret” or “proprietary.”
Manufacturers also have a large and expanding attack surface. Industrial Internet of Things (IIoT) devices have brought enormous gains in operational efficiency and reliability, but they also enormously increase manufacturers’ threat exposure. Smart devices connected to industrial control systems (ICS) and legacy systems leave the network fragmented and vulnerable. Third-party suppliers and partners contribute to the risk: organizations that allow third-party access are 63% more likely to experience a cybersecurity breach, according to The State of Industrial Cybersecurity 2017. Yet more than half of industrial organizations permit such access.
According to the EEF Cybersecurity for Manufacturing report, one of the easiest forms of cyberattack comes through poorly protected office systems. For example, several production systems were severely disrupted after hackers infiltrated via unprotected office software used to keep HR and admin records, and moved laterally across the IT infrastructure. Antivirus is not enough to protect these applications when modern attacks use fileless and other evasive techniques to get past endpoint security tools.
Building a Better Defense
A new Mandiant report found that 33 percent of the security issues in ICS organizations were high or critical risk, meaning they could be used to give adversaries control of target systems and potentially compromise other systems or networks.
Securing fragmented technology environments requires a defense-in-depth approach to protect every layer. The endpoint protection layer is critical because, as the example above of infiltration via office software shows, endpoint applications are a common avenue of attack. Protect endpoints from known attacks with updated antivirus, and install a solution like Morphisec to prevent evasive unknown threats and fileless attacks.
The most common critical security issue found by Mandiant related to Vulnerabilities, Patches, and Updates (32 percent). These included out-of-date firmware, hardware, and operating systems, unpatched vulnerabilities in software applications and equipment, outdated firewalls and poor patch management. Manufacturers need a vulnerability management strategy, a well-defined patching program and a way to mitigate exposure in between patching cycles. Morphisec virtually patches vulnerabilities, keeping endpoints protected from vulnerability exploits when patches are not yet available or deployed.
The Mandiant report also found that many of the issues could be rectified with standard best practices. A full quarter of high-risk issues were related to insufficient access management in handling passwords and credentials.
Contact a Morphisec security expert to learn how we can help your manufacturing organization build a better cyber defense.