Hardly a week goes by without a well-known company admitting to a data security breach. Besides an increase in number, the style of hacking attacks is also changing, putting many manufacturers in the hackers’ crosshairs. Organised cyber-criminal gangs know they can make more money with less risk through ransomware. Moreover, anonymous payment services using cryptocurrencies make paying ransoms easy and safe for the fraudsters.
It is important to realise that every business, every SME, and every internet user is in the firing line for a hacking attack: it is foolhardy to think otherwise. This is because most hacking attacks are not targeting individual companies. They use email phishing attacks to deliver malicious code or ransomware using a shotgun approach.
As hackers become more sophisticated, their emails become harder to spot as they are among the many that businesses receive each day. Fortunately, spam filters identify the vast majority of these but not all. Spear-phishing attacks are particularly difficult to spot. These are a precise form of targeted phishing using bespoke emails to well-researched victims.
For criminals, ransomware and malware are a low-risk, high-return business. They justify their investment in developing, evolving, and distributing malware: it is their business. They even sell the tools on to other criminal gangs. Some hackers do it for fun, and some protagonists are nation-states seeking industrial espionage or disruption of services and infrastructure. For most, it is about money.
In the past, most malware was based on “pay up or lose your data”, or “pay or we publish/sell your data”. Sometimes the data was taken and sold on without the company knowing they had been hacked. Increasingly, criminals are turning to ransomware to encrypt essential software, making plants or systems unusable. Paying the ransom sometimes gets the information back, but there is no guarantee. Furthermore, paying the ransom does not always result in the recovery of the data or system. Sometimes the systems are irreparably damaged. In a data breach involving the loss of customer data, UK companies must declare the incident to the Information Commissioner’s Office (ICO).
Whatever the motivation, the financial damage can be enormous, and for some companies terminal. Financial losses can include fines for breaching GDPR, compensation for stolen information, and loss of reputation. In particular, the time taken to recover data lost from a malware attack can vary from days to weeks and longer for restoring automation systems. Lost production is a significant cost for manufacturers during this time. Furthermore, if a hack affects the company’s website or emails, further losses of business may result.
In June, automotive maker Honda suffered a ransomware attack disrupting its global operations, including production. Garmin also suffered a cyber-attack in July. In a statement, they say there is no indication that any customer data, including payment information, was lost, leading to speculation of ransomware. The hijacking of some celebrity Twitter accounts in a cryptocurrency scam netted over $100,000 in bitcoin in just a few hours. In August, several Canon USA domains suffered an outage thought to be ransomware.
Closer to home, machine safety specialist Pilz suffered a ransomware attack in late 2019 that affected much of its global IT infrastructure. Norwegian aluminium and energy producer Norsk Hydro also suffered a ransomware hacking attack that paralysed its business, losing over £30m. Swiss heavy machinery maker Aebi Schmidt was amongst many hit by ransomware in 2019.
Equipment vulnerabilities in industrial automation systems, software, and protocols also present problems for users. One of the early cases was Stuxnet, and although the motivation for that was probably political, it resulted in the loss of control and damage to plant and machinery. In 2018 microprocessors used by some of the leading industrial control and automation suppliers suffered vulnerabilities called Meltdown and Spectre. Vulnerabilities have also been found in the protocol implementation of OPC UA and Wonderware SCADA. Equipment and software suppliers are quick to produce patches when problems occur, but they can only repair what they know about.
The State of Industrial Cybersecurity 2019 Survey
With IoT driving connectivity between OT and IT systems and the prospect of 5G increasing network connectivity, manufacturers are increasingly entering the hacker’s crosshairs. Clearly, operational systems make attractive targets. An ARC/Kaspersky survey of 282 companies found that almost 60% had suffered a cyber incident within the previous 12 months. 81% identified OT cybersecurity as a priority, and 70% of companies considered an OT/IT attack likely. Despite this, only 31% had implemented a response programme.
UK manufacturers are at risk
According to the Institute of Directors (IoD), smaller UK firms now have a better than evens chance of a hacking attack. Any business of any size is a potential target for hackers and ransomware, across business, finance, healthcare, leisure and entertainment, retail, manufacturing, commerce and transportation.
They also identify the human factor, with up to 50% of cyber-attacks initiated through staff opening emails containing malware. Other causes included employees visiting unsafe websites or losing a work-related electronic device, and disgruntled employees.
Hacking attacks are an evolving threat to OT systems as connectivity to IT systems increases. In part 2 of this article, we consider how organisations can address the rise of cyber-attacks.