By Bruce Geiselman
A soft drink machine, fish tank and smart TV in recent years have provided access to bad actors looking to do damage to companies. With businesses, including manufacturers, increasingly dependent on computer networks to leverage both internal and external data, saboteurs and thieves no longer need a window or door to break in.
“From a hacker’s perspective, there is never a downside of hacking a company,” said Itzik Kotler, CTO and co-founder of SafeBreach, a cybersecurity company specializing in breach and attack simulation software. “No hacker ever hacked a company and said, ‘Oh, this company is not big enough.’ There is always something that can be done once you have access to a company.”
He and other experts said while the risks are serious, there are strategies companies can take to protect themselves.
Hackers’ sophistication grows
From simple schemes involving malicious emails to sophisticated attacks involving gangs of cybercriminals, or even foreign nations, cybercrime poses threats to companies both large and small.
“The risks out there are plentiful; that's the unfortunate part of this, and it doesn't matter what size you are, you can be on their list for attacks,” said Erich Kron, a security awareness advocate for KnowBe4, a cybersecurity company that emphasizes employee education.
Today’s hackers are becoming increasingly sophisticated, said Brian Haugli, CEO and co-founder of SideChannel.
The typical criminal isn’t “some kid in his mom’s basement,” he said. Today, many hackers are part of criminal enterprises with the ability to infiltrate targets through weaknesses in their supply chain vendors.
“These are well-constructed businesses,” said Haugli, who previously provided cybersecurity services to the U.S. Department of Defense (DOD). “In the DOD, we used to track these folks. When they went on vacation, you could see the attacks go down. I’m not kidding. There’s an ROI. These hacking operations, whether they are for economic means, military means or social means, and either sponsored by criminal groups or by countries, are set up like businesses. They have payroll; they have vacation; they have benefits; there is HR, there is accounting; there’s pay; these folks have quotas that they have to hit. They’re going for the things that are going to net them the most money.”
While many financially motivated hackers randomly seek vulnerable computers and send out mass phishing emails, more sophisticated hackers, particularly nation states, might target a specific manufacturer or manufacturers in specific nations and industries for purposes of espionage or sabotage. For example, during a military conflict, a hacker might try to bring down an enemy’s manufacturing capabilities, Kotler said.
For manufacturers, the risks of a cyberattack go beyond downtime, cost or inconvenience. Operational technology (OT) networks — which oversee operational equipment, including the machines running on the plant floor — might represent would-be victims’ most dangerous vulnerability.
“If I had the ability to take control of a PLC or a controller in any way, anything that you can make that machine do, you can do,” Haugli said. “You can degrade it, you can make it run slow, you can stop it, you can turn off safety features, you could make it run faster and overheat.”
A machine, for example, could be allowed to overheat and catch fire, which could place workers in jeopardy, he said.
“Now, there’s people who could be injured, maimed or killed,” he said.
Manufacturers’ industrial control systems (ICS), which are designed for process monitoring and reporting, are often the most vulnerable to an attack.
“We’ve continued to improve cybersecurity on the corporate [IT] side. …” said Marty Edwards, deputy chief technology officer at Tenable for OT and IoT (Internet of Things). “Unfortunately, what we have not done in most cases is improve the security on the operational technology side of the house. The factory is still running the same PLC that was installed 20 years ago, and it’s never been updated because the old adage is, ‘if it ain’t broke, don’t fix it.’ Well, unfortunately, some of those older PLCs and computers that are in the factories have significant vulnerabilities in them.”
Louis Columbus, DELMIAWorks senior industry marketing manager, echoed his concerns.
“ICS systems are not built for security at all,” he said. “A lot of them were built at a different time when security wasn’t even a thought.”
Once in the OT network, cybercriminals can then attempt to pivot to access information from IT systems.
“Among breach attempts on manufacturers, 61 percent first targeted operational technology systems essential to manufacturing operations,” Columbus said.
Cybercriminals can exploit emails, people’s trust and even seemingly innocuous devices, such as memory sticks and internet-connected accessories, to find their way into companies, experts said. Connections to the supply chains that companies serve also can expose them to risk.
The No. 1 way bad actors get into a network is through “simple, old-fashioned email phishing,” hoping to trick at least one person into opening a file containing a virus, KnowBe4’s Kron said.
Remote access, which has gained in popularity with more employees working from home and signing into work networks, presents another vulnerability.
“It’s because accounts that access the system may have very poor passwords that are easily guessed,” Kron said.
Sometimes, a would-be hacker calls an employee of a targeted company claiming to be an IT department employee who is trying to resolve some network issues. The bogus IT worker attempts to convince the employee to divulge his or her username and password. Then, the cybercriminal has direct access into the company’s network.
While human error is the most frequent way cybercriminals access a network, they also can break in by exploiting accessory devices.
For example, Columbus said, “Over one in three malware attacks (37 percent) on an ICS are designed to be delivered using a USB device.” In other cases, hackers have found access through a smart TV, an internet-connected soda machine and a thermometer in a fish tank.
Hackers can easily find vulnerable equipment connected to the internet — equipment that hasn’t had current security patches installed or that runs legacy software that can’t be updated. SideChannel’s Haugli described a website that collects information about publicly reachable devices. Its database lists millions of internet-connected devices with details about each device and its security vulnerabilities, as well as whether the device still uses its default password.
“IOT devices, including TVs that are plugged in, are absolutely a risk,” Kron said. “Nobody thinks about it for a while and it doesn’t get security patches or updates. Then, it’s vulnerable to an attack. The bad actors … could use that as a springboard to move around within the network.”
Small manufacturers can fall victim to a supply chain attack because they frequently have network connections with bigger companies, SafeBreach’s Kotler said.
“Whether it’s through VPN (virtual private network) technologies, whether it’s through remote access, once you get a footprint within a smaller company, then there is a chance that you can use them as a pivot point to a bigger company,” Kotler said. “Sometimes the path of least resistance is to hack a smaller company and try to piggyback on them to a bigger one. Unfortunately, smaller companies are sometimes even more at risk because they are known for having less security investments and will be considered by some degree easier to hack.”
One well-known example, not involving the plastics industry, involved the 2013 data breach at Target, in which cybercriminals stole credit and debit card information of tens of millions of shoppers.
“They end up discovering that Target got hacked through their HVAC vendor,” Kotler said. “They had an HVAC vendor that was in charge of making sure their data centers are cooled down so their servers can operate at an ideal temperature.”
“If you have vulnerable systems facing the internet and accessible to the internet, they are being prodded and attempted to be breached, or potentially already breached,” Haugli said.
To protect the supply chain, larger companies are starting to demand that smaller companies that serve as their vendors or that are in their supply chain prove that they have undertaken efforts to secure their networks, several cybersecurity experts said.
How to reduce your risk
Strategies to prevent attacks can include steps such as keeping software up to date, limiting remote network access, segmenting networks from each other and monitoring network activity.
“Today, everybody needs to understand that security and basic concepts like segmentation, patch management and authorization need to be applied across the board, IT and OT alike,” Kotler said.
To beef up security, increasing numbers of manufacturers are adopting zero-trust security frameworks, which treat no entity on a network as trusted, even one already inside the network, Columbus said.
“It’s a fundamental shift from traditional network security models that rely on perimeter defense and trust all internal traffic,” Columbus said. “Zero-trust security protects a manufacturer’s data and systems by authenticating users, devices and applications before granting access to the network.”
Kotler, SafeBreach’s founder, said keeping computer software patched and up to date can be one effective tool for thwarting cyberattacks. However, convincing manufacturers to take those steps can be challenging.
“When you go down to manufacturing, companies with physical goods and deliveries, it's not always very obvious for them why it would be worth their downtime to upgrade to the latest Windows version,” Kotler said. “I mean, the factory is already running, the product is already being shipped, it’s not very obvious why to update to the latest Windows. It won’t get them to manufacture faster, and in many regards, updating the software can create even a bigger impact.”
To combat unauthorized remote network access, Kron, of KnowBe4, recommended that companies use multifactor authentication to verify employee identities. In addition, Kron recommended educating employees on the importance of not reusing the same passwords on different websites and services. There have been well-publicized cases of cybercriminals stealing usernames and passwords during data breaches involving various companies including online email and social media sites. Other criminals buying those usernames and passwords on the dark web can then use automated programs to find other websites or computer networks on which the usernames and passwords will work.
For user convenience, Kron recommends the use of password vaults that generate random passwords and store them securely.
“They’re great, great tools, and they’re generally very inexpensive,” he said. “There are even some good free ones out there.”
Kron said separate password vault programs are generally more secure than storing a password in a web browser.
In addition, companies can limit geographically who has access to their networks. For example, a company based entirely in the U.S. could limit access to its network to IP addresses based in the country.
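As an added illustration of the controls described above (multifactor authentication on remote logins, watching for reused or stolen credentials being tried in bulk, and restricting remote access by geography), the following Python script reviews a constructed set of remote-access log lines. It is not from the article or from any of the companies quoted. The log format, the IP ranges treated as in-country, the MFA flag and the threshold for "one source trying many usernames" are all assumptions made for the example; a real deployment would take the geographic ranges from a GeoIP database or the VPN gateway's own geo-restriction feature.

```python
"""Review remote-access login events against three controls:
MFA on every successful remote login, a geographic allow-list, and a
check for one source address cycling through many usernames (the pattern
left by automated credential-reuse attempts).
Added example; log format, IP ranges and thresholds are constructed."""
import ipaddress

# Constructed: ranges the company treats as "in country". A real deployment
# would take these from a GeoIP database or the VPN concentrator.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of remote-access log lines (documentation-range IPs).
SAMPLE_LOG = """\
2024-05-01T08:01:02Z user=alice src=203.0.113.45 result=success mfa=yes
2024-05-01T08:02:10Z user=bob src=198.51.100.7 result=success mfa=no
2024-05-01T08:02:11Z user=carol src=192.0.2.99 result=failure mfa=no
2024-05-01T08:02:12Z user=dave src=192.0.2.99 result=failure mfa=no
2024-05-01T08:02:13Z user=erin src=192.0.2.99 result=failure mfa=no
2024-05-01T08:02:14Z user=frank src=192.0.2.99 result=success mfa=yes
2024-05-01T08:05:00Z user=alice src=203.0.113.45 result=success mfa=yes
"""


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict (constructed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def in_allowed_region(ip):
    """True if the source address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def review_logins(log_text, spray_threshold=3):
    """Return a list of (reason, detail) findings for the given log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ev in events:
        # Geographic restriction: anything outside the allow-list is flagged,
        # whether or not the login succeeded.
        if not in_allowed_region(ev["src"]):
            findings.append(("outside_allowed_region", ev))
        # MFA: a successful remote login without a second factor is a gap.
        if ev["result"] == "success" and ev["mfa"] != "yes":
            findings.append(("success_without_mfa", ev))

    # Credential-reuse pattern: one source address trying many distinct
    # usernames in the window covered by the log.
    users_by_src = {}
    for ev in events:
        users_by_src.setdefault(ev["src"], set()).add(ev["user"])
    for src, users in users_by_src.items():
        if len(users) >= spray_threshold:
            findings.append(("many_usernames_from_one_source",
                             {"src": src, "users": sorted(users)}))
    return findings


if __name__ == "__main__":
    for reason, detail in review_logins(SAMPLE_LOG):
        print(reason, detail)
```

The three checks are deliberately independent so that a single event can raise more than one finding; in the sample, the source outside the allowed ranges is flagged both per event and once more for cycling through four usernames.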
Setting up barriers
Air gapping or network segmentation can prevent cybercriminals from pivoting from one computer network to another or to different areas within one company’s networks, Kotler said.
Air gapping involves the complete separation of one computer from others on the network to reduce the attack surface. However, in many cases, air gapping can create inconvenience and can be incompatible with process monitoring and artificial intelligence for optimizing manufacturing. In those cases, proper segmentation — limiting access between various areas of a network and between networks using firewalls — might be a better option, Kotler said.
“Just because something is accessible to the internet or from the internet doesn’t mean that everyone should have access to it,” Kotler said.
DELMIAWorks’ Columbus advised going beyond simply air gapping.
“Manufacturers are adding endpoints [physical devices that connect to computer networks] and partners with unprotected third-party devices, exposing threat surfaces at a rapid pace,” Columbus said. “Configuring an ICS with physical gaps between systems, an air-gapping technique, no longer works.”
Segmenting networks, while another effective method for minimizing cyber risks, can be “notoriously difficult,” said Haugli, of SideChannel. Proper segmentation of a network doesn’t shut everything down; it allows only the systems that are supposed to talk to each other to do so.
“You’re shutting down all of the negative activity and only allowing the activity that is authorized,” Haugli said.
Haugli’s company, SideChannel, developed its own software to encourage and simplify the segmenting of networks, he said.
“We built the Enclave product to focus on that because we saw this as an underserved area,” Haugli said. “When you start segmenting networks, it’s not intuitive, and it’s not easy. … If you can create something in a product or solution that makes it easy, there’s a higher adaptability to it.”
The product is designed to be affordable to mid-market and small businesses, he said.
In addition, companies should have the ability to flag abnormal situations, such as pieces of equipment communicating with each other when they normally wouldn’t, or a device that appears to be a PLC showing up on the network where none should be. Software from companies like Tenable can help identify those anomalies, but the software won’t help unless a company has the proper personnel in place to act on the information.
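The following Python script is an added example, not code from the article or from SideChannel, Tenable or any other company quoted, that ties together the segmentation idea above (only the systems that are supposed to talk to each other may do so) and the two abnormal situations just described. It checks constructed network flow records against a constructed asset inventory and a constructed segmentation policy, flagging cross-segment traffic the policy does not permit and any address that is not in the inventory but is being spoken to on a PLC-style port. The zone names, the policy triples and the choice of port numbers used to recognise PLC-like traffic are assumptions made for the example.

```python
"""Compare observed network flows with a segmentation policy and an asset
inventory. Flags (a) flows across segments that the policy does not allow,
(b) flows involving addresses not in the inventory, and (c) the special case
of an unknown address being addressed on a PLC-style port.
Added example; inventory, policy and flow records are constructed."""

# Constructed asset inventory: address -> (name, zone)
INVENTORY = {
    "10.10.0.5":  ("hmi-01", "ot_supervisory"),
    "10.10.1.10": ("plc-line1", "ot_control"),
    "10.10.1.11": ("plc-line2", "ot_control"),
    "10.20.0.50": ("historian", "it_dmz"),
    "10.30.0.7":  ("erp-app", "it_corp"),
}

# Constructed segmentation policy: (src_zone, dst_zone, dst_port) the
# firewall between segments is meant to permit. Anything else is denied.
POLICY = {
    ("ot_supervisory", "ot_control", 502),   # HMI polls PLCs over Modbus/TCP
    ("it_dmz", "ot_supervisory", 4840),      # historian reads OPC UA from the HMI
    ("it_corp", "it_dmz", 443),              # ERP pulls reports from the historian
}

# Ports on which a listener looks like a controller (Modbus/TCP, EtherNet/IP).
PLC_PORTS = {502, 44818}

# Constructed flow records: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.10.1.10", 502),    # normal: HMI -> PLC
    ("10.20.0.50", "10.10.0.5", 4840),   # normal: historian -> HMI
    ("10.30.0.7", "10.10.1.11", 502),    # abnormal: corporate host talking Modbus to a PLC
    ("10.10.0.5", "10.10.1.99", 502),    # abnormal: HMI polling a PLC that is not in inventory
    ("10.10.1.10", "10.30.0.7", 445),    # abnormal: PLC initiating SMB to the corporate zone
]


def zone_of(ip):
    """Zone from the inventory, or 'unknown' for an address we have no record of."""
    entry = INVENTORY.get(ip)
    return entry[1] if entry else "unknown"


def check_flows(flows):
    """Return a list of (reason, flow) findings; an empty list means all flows conform."""
    findings = []
    for flow in flows:
        src, dst, port = flow
        src_zone, dst_zone = zone_of(src), zone_of(dst)

        # An address we do not know, being spoken to on a controller port,
        # is the "PLC that shouldn't be on the network" case.
        if dst_zone == "unknown":
            reason = "unknown_plc_like_device" if port in PLC_PORTS else "unknown_asset"
            findings.append((reason, flow))
            continue
        if src_zone == "unknown":
            findings.append(("unknown_asset", flow))
            continue

        # Traffic inside one segment never crosses the segmentation firewall,
        # so the cross-segment policy does not apply to it.
        if src_zone == dst_zone:
            continue

        # Everything crossing segments must match an explicit allow entry.
        if (src_zone, dst_zone, port) not in POLICY:
            findings.append(("flow_not_in_policy", flow))
    return findings


if __name__ == "__main__":
    for reason, flow in check_flows(SAMPLE_FLOWS):
        print(f"{reason}: {flow[0]} -> {flow[1]}:{flow[2]}")
```

Because the policy is an explicit allow-list, the same table that drives this check can be used to write the firewall rules between segments, so the monitoring and the enforcement stay in step.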
In case of cyber emergency
All companies need to plan for the possibility of an attack, Tenable’s Edwards said.
“They should have that already written down and exercised,” he said. “That should be something that they evaluate once or twice a year with their company’s executives to make sure that everybody understands who is in charge when these things happen.”
Manufacturers can hire their own security experts or they can contract with an outside company. For example, they might have experts on a retainer who can be brought in to assist with security incidents once they are identified by software products.
Edwards encourages companies to have tabletop exercises involving executives, engineers and security personnel. During those exercises, they should evaluate what would happen to their business operations if specific pieces of equipment became unavailable. They need to identify and evaluate the experts available to them who could aid in a recovery. Company executives also need to decide what they would tell company shareholders, employees and customers in the event of an attack or network intrusion.
“I tell our customers all the time that there’s no use in buying our software if you don’t have the people to maintain and utilize it,” Edwards said.
Having on-hand expertise also is key, he said.
“There is no magic bullet here. You have to have a team of people that are trained and can respond to these types of incidents.”
Bruce Geiselman, senior staff reporter
DELMIAWorks, Dassault Systèmes, Waltham, Mass., 800-693-9000, www.3ds.com/products-services/delmiaworks
KnowBe4 USA, Clearwater, Fla., 855-566-9234, www.knowbe4.com
SafeBreach, Sunnyvale, Calif., 408-743-5279, www.safebreach.com
SideChannel, Worcester, Mass., 508-925-0114, www.sidechannel.com
Tenable, Columbia, Md., 410-872-0555, www.tenable.com