Ransomware attacks and security breaches on industrial control systems are becoming the “new normal” for manufacturers, who now understand what weaponized software can do.
Last month’s news that Russian threat actors have penetrated industrial control systems (ICS) of U.S. critical infrastructure and some manufacturing sites, have the U.S. government and other targeted entities in energy, water and aviation reexamining how to thwart what could be an imminent strike.
To that end, I can’t help but wonder if last week’s SamSam and WannaCry malware attacks on the city of Atlanta and Boeing respectively, represent the new normal. We now operate in what can turn into a hostile digital domain where “weaponized software” can cause massive destruction or loss of intellectual property.
Of course, malware is not a new concept. But with the proliferation of the Internet of Things (IoT) and organizations digitizing operations internally and across supply chains, there are more avenues of entry for these malicious actors. And, while the information revealed in the U.S. Computer Emergency Readiness Team (CERT) TA18-074A Alert calls out critical infrastructure and manufacturing sectors like primary metal, machinery, electrical equipment and transportation industries as targets, any industry segment can fall victim to this virtual form of violence.
In Dave Greenfield’s article “The Infiltration of U.S. Control Systems,” a number of industry experts weighed in on what the cybersecurity CERT alert means to Automation World readers. Because, even though the focus is mainly on U.S. energy facilities, “really, any manufacturer and processor is fair game,” said Barak Perelman, co-founder and CEO of Indegy, a cybersecurity technology supplier. “Recently we have seen concerning trends and activity at water facilities and in the food and beverage, chemical and pharmaceutical industries.”
Shutting down a food manufacturing process or disrupting a pharmaceutical supply chain may not cause life-threating explosions or impact power grids, but it can be costly and damaging in other ways.
“WannaCry and NotPetya, which are now attributed to North Korea and Russia, respectively, had a major impact on manufacturing companies like Merck and Mondelez, causing hundreds of millions of dollars in quarterly losses due to production downtime, in addition to loss of customer satisfaction due to missed shipments,” said Phil Neray, vice president of Industrial Cybersecurity at CyberX, a critical infrastructure and industrial cybersecurity firm based in Boston. “Now imagine cybercriminal organizations targeting major manufacturers with a ransomware attack. These companies could be held hostage while their plants idle, resulting in the loss of millions of dollars per hour in downtime.”
In Merck’s case, the Washington Post reported that the intrusion impacted all U.S. offices, and there was fear that critical information tied to Merck drug research could be lost. But hackers are not just encrypting corporate data and demanding payment in return for the files—which could result in the loss of mission critical information—but they are also stealing intellectual property (IP) for their own use.
Last month, the U.S. government indicted nine Iranian hackers who were affiliated with the Mabna Institute, an Iran-based company that conducted coordinated cyber intrusions into at least 144 American universities and 176 universities located in 21 foreign countries. The hacking campaign began in 2013 with the stolen university data totaling more than $3 billion in IP, which was used to benefit the Islamic Revolutionary Guard Corp. (IRGC), one of several entities within the government of Iran responsible for gathering intelligence.
In addition, at the same time the defendants were targeting, compromising and stealing data from universities around the world, they also compromised the computer systems of at least five U.S. federal and state government agencies and at least 36 U.S.-based private sector companies. Among the private sector victims were academic publishers, media and entertainment companies, technology companies, consulting and marketing firms, investment and law firms, and more, including one industrial machinery company, one biotech company and one food and beverage company.
“This could potentially be an attempt to steal proprietary design information about ICS/SCADA systems that could later be used to compromise critical infrastructure,” said Neray. “Don’t forget that in 2016, Iranians working for the Islamic Revolutionary Guard were also charged for compromising SCADA systems of the Bowman Dam in Rye, NY—which might simply have been a practice run for more sophisticated and destructive attacks.”
Neray also noted that in the August 2017 attack on a plant in Saudi Arabia, the attackers demonstrated a high-level of knowledge about the specific design and memory layout of a safety controller by accessing and stealthily inserting a Remote Access Trojan (RAT) into the controller without interrupting its normal operation.
There may be similar strategies at work from a variety of cyber criminals that are targeting the food, beverage and pharmaceutical industries. “With respect to theft of corporate IP, ICS/SCADA devices like historians contain a wealth of data about proprietary recipes and formulas,” said Neray. “Competitors and nation-states like China are very motivated to steal these types of corporate trade secrets by compromising ICS networks.”
So what’s the best defense? Experts recommend a multi-layered approach that goes beyond perimeter security to include continuous ICS monitoring and analytics, automated threat modeling, vulnerability management and threat intelligence.