Cyber Threats to Physical Systems are Increasing in Sophistication and Volume
The recent growth in cyber-attacks against operational technology (OT) systems is unprecedented.
According to IBM’s 2020 X-Force Threat Intelligence Index report, targeted attacks against Industrial Control Systems (ICS) and OT assets have “increased over 2,000 percent since 2018.”
“In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years combined.” These attacks represent a clear and present danger to manufacturers and other critical infrastructure sectors.
2020 Attack on Honda Facilities Shows Accelerating Threat to Manufacturers
The June 2020 cyber-attack against Honda was another sign that the capabilities of criminal cyber attackers continue to evolve and can become more dangerous to OT infrastructure.
As described in The New York Times, “...the attack appears to have been carried out by software designed to attack the control systems for a wide variety of industrial facilities like factories and power plants.
Such cyberweapons previously were only known to have been used by state agents.”
2019 Norsk Hydro Ransomware Attack Cost Millions
The 2019 LockerGoga ransomware attack against the Norwegian aluminum producer Norsk Hydro is also a good example of the stakes. That attack cost the company $52 million in the first quarter of 2019. Norsk Hydro had to halt production temporarily, and one of its main production units was forced to disconnect from the network and shift to manual operations.
In some ways, Norsk Hydro was lucky: it was able to restore operations relatively quickly. But when a plant loses control of its operational control systems, the results can quickly become catastrophic.
2014 German Steel Plant Control Systems Attack
In 2014, a German steel plant was compromised, as confirmed by the Federal Office for Information Security (BSI) of the German government. The attack caused plant control systems to fail, leaving operators unable to regulate or shut down the plant's furnace in a controlled way. The BSI confirmed that the incident resulted in significant physical damage to the plant.
Ransomware, Phishing, SQL Injection and SCADA / ICS Attacks
LockerGoga has been particularly effective against industrial and manufacturing targets and has been used successfully against Altran Technologies, Hexion, and Momentive, in addition to Norsk Hydro. Beyond LockerGoga, other ransomware prevalent in attacks against manufacturing facilities has included WannaCry, GandCrab, and BitPaymer. The most common attacks against manufacturers in 2019, other than ransomware, were phishing attacks and SQL injection (SQLi) attacks. Not surprisingly, attackers also targeted known vulnerabilities in SCADA and ICS hardware components.
Underreporting of Cyber-Attacks in Manufacturing
While the number of documented attacks against manufacturers is disturbing, it is likely only a small percentage of the total attacks against this sector. Manufacturers face fewer compliance reporting requirements than some other industries and are often not legally required to disclose data breaches, so many incidents never become public. The result is that manufacturers probably appear to be attacked less often than they actually are.
Manufacturing Supply Chain Threats
Attacks aimed at physical disruption or financial gain can target a manufacturer's internal systems as well as those of its supply chain. Manufacturers with international supply chains, a group that has grown considerably, are particularly susceptible to business email compromise (BEC) fraud, which effectively places the attacker in the middle of a legitimate payment conversation. After company email servers, or even just individual email accounts, are compromised, attackers insert themselves into existing communication threads to divert payments to accounts under their control.
The exploitation of Microsoft Exchange email server vulnerabilities in early 2021 is the most recent high-profile example of widely deployed software being used to breach manufacturing and other critical industry networks. Those exploits were preceded in December 2020 by the compromise of SolarWinds software, which unfolded into a massive supply chain cyber-attack hitting various parts of the U.S. government and private sector industries worldwide.
In the future, we can expect more disruptive events that leverage ransomware and supply chain attacks. These will likely evolve into more sophisticated sequenced or staged events that can compromise the integrity of process data in such a way as to ensure more significant damage to physical systems. Attackers are working on removing or disabling process protection and safety systems within ICS networks to further these goals.
Organizations Targeting Attacks on ICS Systems
There are numerous organized hacker groups operating today. MITRE, which released a version of its ATT&CK framework for industrial control systems early in 2020, maintains a useful knowledge base cataloging attackers. MITRE ATT&CK for ICS is currently tracking ten publicly reported groups that target ICS systems: Allanite, APT33, Dragonfly, Dragonfly 2.0, Hexane, Lazarus Group, Leafminer, OilRig, Sandworm, and Xenotime.
The depth and breadth of these threat actors is worrisome and helps explain the sophistication of current attack tools and techniques. Manufacturers are particularly vulnerable given the combination of vulnerable legacy equipment and the hyper-connectivity associated with much of the new technology that makes up Industry 4.0 strategies.
Next Steps to Consider
In response to this increased network connectivity and complexity, cybersecurity teams need to improve both visibility and network segmentation across IT and OT infrastructure. Every effort should be made to quickly flag anomalous behavior and to segment networks so as to limit an attacker's ability to move laterally once inside, for example from IT infrastructure into the manufacturing facilities and vice versa. In practice that means defining which cross-zone flows are legitimate (an engineering workstation talking to a PLC, a historian replicating to an IT database) and treating everything else that crosses the IT/OT boundary as an alert.
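As an added illustration of the visibility-plus-segmentation point above (this is example code written for this page, not a tool or configuration from any of the organizations mentioned), the following Python script applies a simple zone allowlist to network flow records. The IT and OT address ranges, the allowlisted host pairs, and the flow records themselves are all constructed assumptions for the example; the ICS port numbers are the standard ones for those protocols. Any flow that crosses the IT/OT boundary without an allowlist entry is reported, with flows to ICS protocol ports from non-approved hosts called out explicitly since those are the ones that matter most for lateral movement into the plant.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed zone layout: a single IT zone and a single OT (plant) zone.
# Real deployments usually have more levels, but the check is the same.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Standard ports for common ICS protocols; traffic to these into OT is sensitive.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}

# Hypothetical allowlist of permitted cross-zone flows: (src, dst, dst_port).
ALLOWED_CROSS_ZONE = {
    ("10.10.5.20", "192.168.100.10", 502),    # engineering workstation -> PLC over Modbus
    ("192.168.100.50", "10.10.8.40", 1433),   # historian -> IT SQL replica
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is in neither range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for a flow that violates the segmentation policy, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this boundary check
    if (flow.src, flow.dst, flow.dport) in ALLOWED_CROSS_ZONE:
        return None
    if dst_zone == "OT" and flow.dport in ICS_PORTS:
        return (f"IT->OT {ICS_PORTS[flow.dport]} from non-allowlisted host "
                f"{flow.src} to {flow.dst}")
    if src_zone == "OT":
        # Unexpected egress from the plant network is a lateral-movement or exfil signal.
        return f"OT->{dst_zone} egress from {flow.src} to {flow.dst}:{flow.dport} not allowlisted"
    return f"{src_zone}->{dst_zone} flow {flow.src} -> {flow.dst}:{flow.dport} not allowlisted"


def parse_flows(lines: Iterable[str]) -> Iterable[Flow]:
    """Parse 'src,dst,dport,proto' records, skipping blanks and '#' comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        yield Flow(src, dst, int(dport), proto)


def find_violations(lines: Iterable[str]) -> List[str]:
    """Run the policy over flow records and return every finding."""
    return [finding for finding in (classify(f) for f in parse_flows(lines)) if finding]


# Constructed sample flow records (not real telemetry from any site).
SAMPLE_FLOWS = """\
# src,dst,dport,proto
10.10.5.20,192.168.100.10,502,tcp
10.10.7.33,192.168.100.10,502,tcp
10.10.7.33,192.168.100.11,102,tcp
192.168.100.50,10.10.8.40,1433,tcp
192.168.100.12,10.10.9.9,445,tcp
10.10.1.1,10.10.2.2,445,tcp
192.168.100.10,192.168.100.11,502,tcp
"""

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS.splitlines()):
        print("ALERT:", finding)
```

Run against the sample records, the script reports three findings: two Modbus/S7comm connections into PLCs from a workstation that is not on the allowlist, and an SMB connection leaving the OT zone toward an IT host. The allowlisted engineering workstation and historian flows, and all intra-zone traffic, pass silently. The same logic can be fed from firewall logs or NetFlow exports; the value is in maintaining the allowlist as an explicit statement of what the IT/OT boundary is supposed to carry.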