Cybercriminals adept at finding avenues to exploit

Sept. 27, 2023
Connections within your company or even to outside firms can be vulnerable, according to a SafeBreach expert.

By Bruce Geiselman 

Your cybersecurity defense is only as good as its weakest link, and sometimes that link isn't even within your walls.

“From a hacker perspective, there is never a downside of hacking a company,” said Itzik Kotler, CTO and founder of SafeBreach, a cybersecurity company specializing in breach and attack simulation software. “No hacker ever hacked a company and said, ‘Oh, this company is not big enough.’ There is always something that can be done once you have access to a company.”

Small manufacturers can fall victim to a supply chain attack because they frequently have network connections with bigger companies, Kotler said.  

“Whether it’s through VPN (virtual private network) technologies, whether it’s through remote access, once you get the footprint within a smaller company, then there is a chance that you can use them as a pivot point to a bigger company,” Kotler said. “Sometimes the path of least resistance is to hack a smaller company and try to piggyback on them to a bigger one. Unfortunately, smaller companies are sometimes even more at risk because they are known for having less security investments and will be considered by some degree easier to hack.” 

One well-known example, from outside the plastics industry, is the 2013 data breach at Target, in which cybercriminals stole credit and debit card information of tens of millions of shoppers.

“They end up discovering that Target got hacked through their HVAC vendor,” Kotler said. “They had an HVAC vendor that was in charge of making sure their data centers are cooled down so their servers can operate at an ideal temperature.”

Rather than target specific companies, financially motivated hackers frequently just scan the internet for vulnerable computers. They send mass emails to addresses found on websites in the hope of tricking an employee into clicking on a malware-infected link or file, or into revealing their username or password.

On the other hand, more sophisticated hackers, particularly nation states, might target a specific manufacturer or manufacturers in specific nations and industries for purposes of espionage or sabotage. For example, during a military conflict, a hacker might try to bring down an enemy’s manufacturing capabilities, Kotler said.  

In another recent example, during the COVID-19 pandemic, Russian hackers were accused by officials from the U.S., UK and Canada of trying to swipe COVID-19 vaccine research through the use of computer malware.

IBM security analysts also uncovered evidence of COVID-19 cyber threats against organizations that were keeping the vaccine supply chain moving, Kotler said. 

One of the challenges to combating cybercriminals is convincing manufacturers to keep their computer software patched and up to date, Kotler said. 

“When you go down to manufacturing, companies with physical goods and deliveries, it's not always very obvious for them why it would be worth their downtime to upgrade to the latest Windows version,” Kotler said. “I mean, the factory is already running, the product is already being shipped, it's not very obvious why to update to the latest Windows. It won't get them to manufacture faster, and in many regards, updating the software can create even a bigger impact.” 

Security measures to prevent cybercriminals from pivoting from one computer network to another or to different areas within one company’s networks can include air gapping or network segmentation, Kotler said.  

Air gapping involves the complete separation of one computer from others on the network to reduce the attack surface. However, in many cases, air gapping can create inconvenience and can be incompatible with process monitoring and artificial intelligence for optimizing manufacturing.  In those cases, proper segmentation — limiting access between various areas of a network and between networks using firewalls — might be a better option, Kotler said. 

“Just because something is accessible to the internet or from the internet doesn’t mean that everyone should have access to it,” Kotler said. 

A company can limit geographically who has access to their network. For example, a company based entirely in the U.S. could limit access to its network to IP addresses based in the country.  
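As an added illustration (not from SafeBreach or the original article), the short Python model below shows how default-deny segmentation and a source-address allowlist combine to contain a compromised vendor connection. The zone names, subnets, ports and the "in-country" range are constructed assumptions; a real deployment would enforce the same policy in firewalls and load the allowlist from a GeoIP source.

```python
import ipaddress

# Constructed sample data: zone names, subnets and ports are assumptions.
ZONES = {
    "dmz": ipaddress.ip_network("10.40.0.0/24"),         # remote-access gateway
    "vendor_vpn": ipaddress.ip_network("10.50.0.0/24"),  # addresses given to vendors
    "hvac": ipaddress.ip_network("10.30.0.0/24"),
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.20.0.0/16"),
}
# Stand-in for an in-country allowlist (RFC 5737 documentation range).
ALLOWED_INTERNET_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
# Explicit allow rules (source zone, destination zone, TCP port); all else is denied.
ALLOW = {
    ("internet", "dmz", 443),      # reach the remote-access gateway
    ("vendor_vpn", "hvac", 443),   # HVAC vendor manages HVAC controllers only
    ("it", "ot", 4840),            # process monitoring from IT into OT
}

def zone_of(addr):
    """Map an IP address to its zone; anything unlisted is 'internet'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

def decide(src, dst, port):
    """Return (allowed, reason) for one flow crossing a zone boundary."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == "internet":
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in ALLOWED_INTERNET_SOURCES):
            return False, "source outside allowed address ranges"
    elif src_zone == dst_zone:
        return True, "same zone, not filtered at the zone boundary"
    if (src_zone, dst_zone, port) in ALLOW:
        return True, f"rule {src_zone}->{dst_zone}:{port}"
    return False, f"no rule for {src_zone}->{dst_zone}:{port} (default deny)"

# Constructed flows: a vendor session doing its job, then trying to reach OT and IT.
FLOWS = [("10.50.0.7", "10.30.0.12", 443), ("10.50.0.7", "10.20.4.9", 502),
         ("10.50.0.7", "10.10.1.5", 445), ("198.51.100.23", "10.40.0.2", 443),
         ("203.0.113.9", "10.40.0.2", 443)]

if __name__ == "__main__":
    for src, dst, port in FLOWS:
        allowed, reason = decide(src, dst, port)
        print(f"{src:>15} -> {dst:<12} :{port:<5} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The vendor session reaches the HVAC controllers but nothing in the IT or OT zones, which is the containment that segmentation is meant to provide when a smaller partner is compromised.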

“Today, everybody needs to understand that security and basic concepts like segmentation, patch management, authorization, they need to be applied across the board, IT and OT alike,” Kotler said. 

Contact:

SafeBreach, Sunnyvale, Calif., 408-743-5279, www.safebreach.com  

Bruce Geiselman, senior staff reporter 


About the Author

Bruce Geiselman | Senior Staff Reporter

Senior Staff Reporter Bruce Geiselman covers extrusion, blow molding, additive manufacturing, automation and end markets including automotive and packaging. He also writes features, including In Other Words and Problem Solved, for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. He has extensive experience in daily and magazine journalism.