1 - Smart supply chains
Incremental gains in lean manufacturing are in part being driven by client devices able to interface horizontally with other client devices, using application programming interfaces (APIs). But smart supply chains such as this are also increasingly leading to security breaches at plants, according to Bernd Koenig, director of security, Europe, Middle East and Africa, at Akamai. “Poor security procedures somewhere down the supply chain can mean that malware is passed from client to client, infecting them all along the way,” he says.
Permanent denial of service (PDoS) attacks, such as last year’s Brickerbot, have been created to expose the insecurity of internet of things (IoT) devices. “Down the road, APIs exposed on the internet connecting smart and intelligent agents with IoT devices and cloud services will become an even larger threat,” warns Radware’s European security evangelist Pascal Geenens. These APIs will form large ecosystems and the attack surface will increase with every service that is added. “A PDoS attack on just one of the APIs in an ecosystem will result in a large blast radius,” says Mr Geenens.
These APIs are effectively the keys which unlock the data hackers need to cause disruption to industrial processes. Unfortunately, the API threat is exacerbated by the lack of security standards in the creation and delivery of IoT.
2 - Data manipulation
Manufacturers must understand they are no longer just at risk from data theft, but also data manipulation. “This is where hackers can get into a system and alter the data to showcase false information, which could be in the form of anything from sales figures to temperature gauges,” explains Jason Hart, chief technology officer for data protection at Gemalto.
Just last year there were reports of GPS spoofing which manipulates positional data. “The impact of incorrect position information is pretty evident for tracking deliveries on land and sea,” warns Tom Holloway, principal business resilience consultant with Sungard Availability Services. “Given the minute scope for error in lean manufacturing processes, minor variations in supply chain flows have the potential to cause significant disruption.” Or how about the millions of lines of code within 3D printable files that are the data supply chain of the future? Dr Adrian Davis, director of advocacy at (ISC)², reveals there is currently “no universal cybersecurity quality assurance built into 3D printing software or printers to alert manufacturers if design specifications are changed”.
3 - Social engineering
The manufacturing industry is a highly lucrative target for hackers, with Symantec’s 2017 Internet Security Threats Report ranking it as the third most breached industry globally.
Industry 4.0 is the creation of intelligent networks, connecting machines, users and systems to autonomously exchange information and trigger actions. “Complex production processes that were once isolated are now vulnerable to cyberattack,” says Darren Thomson, chief technology officer and vice president of technology, Europe, Middle East and Africa, at Symantec. “One exploited system can cause a ripple effect that takes down multiple facilities.” Yet despite the complexity of Industry 4.0, the most commonly successful attack vectors remain the simplest ones, such as social engineering.
According to the Symantec report, one in 130 emails in the manufacturing sector last year contained a malicious file or link. In 2014, a German steel mill came under attack with the threat actors using a targeted spear-phishing campaign to steal login credentials. The result was the shutdown of a blast furnace with both physical and financial disruption.
4 - IP-enabled operational technology systems
“The increased use of IP-enabled operational technology (OT) systems is becoming one of the biggest targets for cyberthreats,” according to Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks. Not all that surprising when you consider the value of breaching and controlling such systems to tap into the connectivity on offer. In December 2017, Unit 42, the Palo Alto Networks threat intelligence team, discovered a new malware family named Satori which exploits known vulnerabilities on internet of things devices.
“What is worrying about Satori is how it had evolved into a new variant that can carry out zero-day attacks,” Mr Hinchcliffe explains, in other words the ability to exploit completely unknown vulnerabilities. “The challenge is that OT systems are hard to adapt and therefore struggle to keep pace with evolving threats like Satori.” Indeed, manufacturers of OT systems can be very prescriptive about what users can do with their technology, forcing organisations to use legacy software and hardware. Simon Leech, enterprise security specialist at HPE Pointnext’s Worldwide Security Center of Excellence, concludes: “Patch management remains a concern in a connected environment. The operational teams aren’t used to having to reboot systems to install patches as the systems are relied upon 24/7.”
5 - Air-gap suffocation
Traditionally, control systems used in the industrial sectors have relied on mechanical safety controls and fail-over switches, including physical keys and levers. However, with the evolution of the industrial internet of things (IIoT), the lines between IT and operational technology networks have started converging. “Industrial control systems have long benefited from physical isolation, often located in remote geographical areas and air-gapped from communications networks,” says Mike Solomon, senior consultant at BSI Cybersecurity and Information Resilience.
This removes the need to apply stringent access controls. However, secure and effective access controls have yet to catch up with the advent of internet-connected devices. “Maersk, one of the world’s largest shipping companies, suffered massively from 2017’s NotPetya malware outbreak,” Mr Solomon adds. This forced staff to revert to manual systems while global IT departments had to reinstall 45,000 new PCs and 4,000 new servers. Maersk estimated the cost to the business at $250 million to $300 million. “The fact that threats will find a way into critical systems can no longer be ignored,” Mr Solomon warns, concluding: “Critical assets exposed by the IIoT must be protected.”