Author: Chase Snyder, Sr. PMM, Xage Security
Manufacturing organizations are being increasingly targeted by cyberattackers. In a recent report, IBM indicated that 23% of cyberattacks were targeted at manufacturing organizations in 2021–more than any other industry in the study. 2022 was no better, with an 87% increase in ransomware attacks on industrial organizations, and 72% of ransomware attacks targeting manufacturing organizations specifically, according to a Dragos report. Furthermore, the number of known vulnerabilities in manufacturing technology is on the rise. In the first half of 2022, there were 109 common vulnerabilities and exposures (CVEs) reported that impacted critical manufacturing assets.
By looking at common patterns of recent successful cyberattacks against manufacturing organizations, we can gain insight into how attackers target this industry, and how to stop them.
The Attack: Bridgestone Americas (Tire Manufacturer) Pauses Production Due to LockBit Ransomware
In February, 2022, Bridgestone shut down several production facilities “out of an abundance of caution…to contain and prevent any potential impact” in response to a security breach. It was eventually disclosed to have been a LockBit ransomware attack. The attack followed the now common playbook of both encrypting files for ransom, and threatening to publish sensitive stolen information unless a ransom is paid. The shutdown impacted 50 production facilities, as reported by Industrial Cyber.
The OT Cybersecurity Lesson: Lack of Effective Attack Blocking Tools Leads To Precautionary Down Time
IT and OT are deeply intertwined at many organizations. Credentials are shared across IT and OT environments. Remote access tools enable users to affect OT operations at a distance, often using over-privileged and under-managed identities.
This means that when any sort of security breach occurs on the IT side of the business, OT may also be affected. Those responsible for OT cybersecurity at manufacturers need the ability to isolate their OT networks from corporate IT systems to avoid shutting down production as a precautionary measure against increasingly frequent attacks.
The Attack: Toyota Shuts Down Production Due To Cyberattack on a Supplier
In February, 2022, Toyota suspended production at all of its manufacturing plants in Japan as a precautionary response to a likely ransomware attack on Kojima Industries, a supplier of plastic parts used in making Toyota vehicles. As reported by Nikkei Asia, deep integration between third-party suppliers and Toyota’s own production control systems means that a cyberattack on a supplier has the potential to “spill over” to Toyota itself.
The OT Cybersecurity Lesson: Your Supply Chain is Part Of Your Attack Surface
When upstream suppliers have direct connections into production systems, the possibility of an attacker intentionally (or even accidentally) jumping the gap from IT to OT goes up. This leads manufacturers to shut down production facilities as a preemptive response to attacks against IT assets, causing costly downtime that may have been preventable. Manufacturers need granular identity-based access management and privilege enforcement over all connections and communications in and out of their OT environments to avoid having to shut down production out of “an abundance of caution.” It’s also a good best practice to collect forensics for all changes to the operational systems made via remote or local connectivity.
The Attack: Nordex shuts down remote access to managed wind turbines in response to Conti Ransomware
In April, 2022, wind turbine manufacturer Nordex was affected by a Conti ransomware attack. As part of their response, Nordex shut down internal IT systems as well as remote access to managed wind turbines to limit the spread of the malware.
The OT Cybersecurity Lesson: Remote Access to Operational Assets is A Potential Attack Path that Must Be Secured
Remote access to operational assets is only going to increase. The ability of having remote technicians and engineers manage and monitor operational assets is too valuable to ignore. Manufacturers need to be confident that the remote access solutions they are using are cyber-hardened and cannot be exploited by attackers to infiltrate OT, IIoT, and various types of cyber-physical systems. Too often, industrial enterprises are driven to use IT-centric remote access systems such as VPNs and jump boxes that do not offer the granular control required to secure OT systems. To modernize remote access effectively while maintaining the necessary degree of security, enterprises should modernize VPN with Zero Trust-based purpose-built tools. Innovations such as reverse secure proxy can enable access to these systems with a level of security that goes above and beyond traditional VPNs, secure tunnels, and other commonly used technologies.
How Can IT and OT Cybersecurity Teams Work Together To Secure Systems and Avoid Down Time?
In all three of the above examples, and countless more over the past year, manufacturers chose to shut down production facilities as a precautionary measure against the possibility of malware making the jump from their corporate IT network into their OT assets. This sequence of events will only become more common and more costly if not addressed head on.
In the past, industrial enterprises kept OT assets separated from IT via air-gapped deployments. This practice has been steadily eroded by the increased demand for digital modernization and remote access. Industrial enterprises now find themselves needing a new approach to secure OT from a rising tide of cyberattacks. A zero trust approach to access control, identity-based access management (users-to-machine/application, machine-to-machine), privilege enforcement, and data security is the right way forward.
Government agencies such as TSA and the Department of Defense have published plans, guidelines, and requirements for organizations under their purview to adopt zero trust principles to secure operational technology and critical infrastructure. The TSA’s Security Directive for Oil and Gas pipelines notes specifically that pipeline operators must have in place “mitigation measures or manual controls to ensure industrial control systems can be isolated when a cybersecurity incident in the Information Technology system creates risk to the safety and reliability of the Operational Technology system.”
This type of policy may not be in force for manufacturers yet, but as the impact of these attacks increases, manufacturers who proactively modernize their OT cybersecurity and remote access systems will find themselves at a distinct advantage in the battle against cyber adversaries.
Learn How A Major Steel Manufacturer Uses Xage for Protecting Operations
Xage Security builds remote access and identity-based access management solutions with the needs of OT cybersecurity in mind. Our technology is already deployed at major manufacturers, including a steel manufacturer that secured their operations and reduced the cost of cybersecurity insurance premiums by demonstrating their elevated level of security with Xage in place. Read the Case Study.