Cyber Threats to the Manufacturing Industry
Written by Mission Secure
Threats to Physical Systems Continue to Increase in Sophistication and Volume
The manufacturing sector continues to be the most active battleground between threat actors and operational technology (OT) security teams.
According to IBM’s 2024 X-Force Threat Intelligence Index report, “Manufacturing was once again the top attacked industry in 2023 for the third year in a row.” The report shows that cyber attacks against manufacturers represent more than the attacks against the energy, healthcare, and transportation sectors combined.
Ransomware attacks against manufacturers continue to make headlines, including recent high-profile attacks against Clorox, Bridgestone, and Dole Foods. Even when ransomware attacks target a manufacturer's IT systems, the effects often spread to production systems, either by proliferating across network boundaries or by forcing operators to shut down physical systems as a precautionary measure. The cost of these OT shutdowns often far exceeds the cost of the ransom a manufacturer pays to regain access to its IT assets.
As serious as the threat of ransomware may be, direct attacks against OT systems represent an even bigger risk. By manipulating industrial processes, attackers can damage equipment, harm the environment, and put human lives at risk. While manufacturing may not receive the same level of regulatory attention as other critical sectors like energy, water, and transportation, recent history shows that the sector remains a primary focus for attackers.
Attack on Honda Facilities Shows Accelerating Threat to Manufacturers
The June 2020 cyber-attack against Honda was another sign that the capabilities of criminal cyber attackers continue to evolve and can become more dangerous to OT infrastructure.
As described in The New York Times, “...the attack appears to have been carried out by software designed to attack the control systems for a wide variety of industrial facilities like factories and power plants. Such cyberweapons previously were only known to have been used by state agents.”
Norsk Hydro Ransomware Attack Cost Millions
The 2019 LockerGoga ransomware attack against the Norwegian aluminum parts manufacturer Norsk Hydro is also a good example of the stakes. That attack cost the company $52 million in the first quarter of 2019. Norsk Hydro had to halt production temporarily, and one of its main production units was forced to unplug and shift to manual operations.
In some ways, Norsk Hydro was lucky. It was able to restore operations relatively quickly. But when a plant loses control of operational control systems, the results can quickly become catastrophic.
German Steel Plant Control Systems Attack
In 2014, a German steel plant was compromised, as confirmed by the Federal Office for Information Security (BSI) of the German government. The attack caused plant control systems to fail, which resulted in an inability to regulate or shut down the plant’s furnace. This led to confirmed significant physical damage to the steel plant.
Ransomware, Phishing, SQL Injection and SCADA / ICS Attacks
LockerGoga has been particularly effective against industrial and manufacturing targets and has been successful against Altran Technologies, Hexion, and Momentive, in addition to Norsk Hydro. Other ransomware prevalent in attacks against manufacturing facilities has included WannaCry, GandCrab, and BitPayment. The most common attacks against manufacturers, other than ransomware, were phishing attacks and SQL injection (SQLi) attacks. Not surprisingly, attackers also targeted known vulnerabilities within SCADA and ICS hardware components.
Underreporting of Cyber-Attacks in Manufacturing
While the number of documented attacks against manufacturers is disturbing, it is likely only a small percentage of total attacks against this sector. This is because manufacturers do not have as many compliance reporting requirements as some other industries and are often not legally required to disclose data breaches. This probably makes it look like manufacturers are attacked less often than they actually are.
Manufacturing Supply Chain Threats
Physical and financial attacks can be designed to disrupt internal systems as well as those in a manufacturer’s supply chain. Manufacturers with international supply chains, a much bigger group than it used to be, are particularly susceptible to business email compromise fraud, which is a type of man-in-the-middle attack. After company email servers or even just individual email accounts are compromised, attackers insert themselves into existing communication threads to divert money to accounts under their control.
The Microsoft Exchange email server vulnerability exploits in February 2021 are the most recent example of high-profile software supply chain attacks to breach manufacturing and other critical industry networks. These exploits were preceded in December 2020 by the SolarWinds software compromise that unfolded into a massive supply chain cyber-attack hitting various parts of the U.S. government and private sector industries worldwide.
In the future, we can expect more disruptive events that leverage ransomware and supply chain attacks. These will likely evolve into more sophisticated sequenced or staged events that can compromise the integrity of process data in such a way as to ensure more significant damage to physical systems. Attackers are working on removing or disabling process protection and safety systems within ICS networks to further these goals.
Organizations Targeting Attacks on ICS Systems
Numerous organized hacker groups are operating today. MITRE, which released a version of its ATT&CK framework for industrial control systems early in 2020, maintains a useful knowledge base cataloging attackers. MITRE ATT&CK for ICS is currently tracking ten publicly reported groups that are targeting ICS systems. These groups are Allanite, APT33, Dragonfly, Dragonfly 2.0, Hexane, Lazarus Group, Leafminer, OilRig, Sandworm, and Xenotime.
The depth and breadth of these threat actors is worrisome and helps explain the sophistication of current attack tools and techniques. Manufacturers are particularly vulnerable given the combination of vulnerable legacy equipment and the hyper-connectivity associated with much of the new technology that makes up Industry 4.0 strategies.
Next Steps to Consider
In response to this increased network connectivity and complexity, cybersecurity teams need to enhance both visibility and network segmentation capabilities across IT and OT infrastructure. Every effort should be made to quickly flag anomalous behavior and to segment networks so as to limit hackers’ ability to move laterally once inside the network, for example, from IT infrastructure into the manufacturing facilities and vice versa.
Originally published May 1, 2023, updated August 30, 2024.