Making your Manufacturer Workforce Cyber Resilient

A phishing email can propagate from your office network to your production line. This can culminate in a ransomware attack like what happened to Honda in the UK (2020).

Most Supervisory Control and Data Acquisition / industrial control systems networks as used in manufacturing facilities were never really designed to be connected to the Internet. As a result, many of the protocols used in production-line networks such as FTP, EtherCAT, Modbus, Omron, Ethernet/IP, Siemens S7, FINS, PROFINET and Telnet often lack security features.

Cybercriminals can use search engines such as Shodan or Censys to find exposed networks belonging to manufacturing facilities. These “Internet-discoverable” networks can make your manufacturing facility a sitting duck.

Once inside your network, hackers can damage your computer numerical control (CNC) systems, which control equipment such as lathes, mills, and drill presses. These systems are designed to handle physical stresses such as heat, humidity, or cold. But from a security perspective, they often employ few mechanisms to thwart hackers. Many devices on the production line, such as old PCs, are simply too old and fragile to accommodate modern security controls such as antivirus or anti-malware software.

But how is our facility vulnerable if the computers we use on our factory floor aren’t connected to the Internet?

Be careful here. Many IT or factory managers believe their factory floor computer systems are not connected to the Internet when they actually are. Unfortunately, this fact is sometimes only learnt after a ransomware attack. The reality is that many production-line computers are connected to the Internet for essential software updates. And sometimes they are connected because some operatives want to check their email or social media accounts on the factory floor. In addition, Internet of things (IoT) devices that are added to the production-line network for monitoring and data collection further increase the attack surface even further. Moreover, many production-line computers are Internet connected because of ERP reporting or data mining requirements. The bottom line is that the hard boundaries between the production line and the Internet are fast eroding. Cybercriminal groups know this only too well. Therefore, sometimes the easiest way to bring a production line to a grinding halt is to send one of your employees a phishing or spear-phishing email.

From a security perspective, if our production-line computer is linked to our office network, what does this mean?

Let’s say one of your office-based employees inadvertently opens an email containing crypto-ransomware. This malware could easily propagate to your production-line computers and cripple them. This can result in downtime, lost revenue, and reputational damage.

We're only a small manufacturing facility, though - aren't hackers unlikely to target us?

Research by Symantec found that small businesses are targeted by cybercriminals at least as often—if not more— than larger businesses. Being a small production facility does not exempt you from being a target.

So, are there some real-life examples of manufacturing facilities being affected by a cyberattack?

WannaCry and Petya/NotPetya crypto-ransomware forced several manufacturers of pharmaceuticals and automotive components to stop operations.

The production line of Cadbury in Hobart, Australia came to a standstill when it was infected by Petya ransomware (2017).

Norsk Hydro, a Norwegian aluminium manufacturing plant, got hit by LockerGogo, a strain of crypto ransomware. It is believed that the initial attack vector was spear phishing. 22,000 computers across 170 different sites were locked down by the ransomware, and staff had to resort to pen and paper.

ASCO Industries, a manufacturer of aerospace components in Belgium, got hit with ransomware in 2019, suspending most of its operations. 1,000 members of staff were placed on leave as systems were restored.

Office-based employees of a German steel manufacturing plant inadvertently opened spear-phishing emails containing malware which resulted in the operation of one of their blast furnaces being brought under hacker control. According to the German Federal Office for Information Security (2014), massive physical damage was incurred.

What are some of the other threats that could affect our production-line computers?

A programmable logic controller (PLC) that has been damaged by malware can result in defective products. If you’re operating in the food and drinks sector, then this can sometimes result in a contaminated product. Your PLC would then have to be reprogrammed and revalidated to ensure system safety—and in some cases, your PLC may even have to be replaced altogether.

Ransomware and some strains of malware can cause human-machine interface (HMI) systems on your production line to become inoperable. HMI systems can become infected with malicious JavaScript and HTML scripts embedded in their browser. This is often the result of employees visiting non–work-related websites.

Worms spread via removable media such as USB memory sticks and SD cards. The Stuxnet attack perfectly demonstrated how an innocuous USB stick can wreak havoc on a network. Worms can also be spread via network shares common to office and production-line systems.

Malware targeting AutoCAD, a widely used application in production facilities, is another threat to be wary of. It uses AutoLISP scripts that can be exploited to exfiltrate data from your systems back to a malicious C2 server. This can result in your product designs, blueprints, or other competitive information being stolen.

Social engineering continues to be on the main attack vectors in the manufacturing sector.

The business impact of a cyberattack on your production line.

Downtime - A shutdown of your production line for even just a few hours can result in lost revenue. System remediation and data restoration after a cyberattack can be costly and lengthy processes.

Lost Revenue - Every hour that one of your production lines is out of action results in lost revenue. As an IT manager of a production facility, you should take all necessary measures to prevent a cyberattack.

Safety - If your production line involves valves, centrifuges, or hazardous chemicals, a cyberattack can result in damage not only to equipment but also to human life.

Reputational Damage - A production line interrupted by a cyberattack can result in missed order deadlines and upset customers.

What is the best way to prevent a cyberattack on my factory?

Although it’s easier said than done, try to segregate your production-line network from your office network (business LAN) as much as possible. This can be achieved using firewall zoning, VLANs, and VRFs.

Remote access to your production-line network should be provided only if it’s absolutely essential. The remote access channel should be authenticated and encrypted, with no access to network segments beyond what is needed. When your remote access channel is no longer required, it should be disabled.

Make sure all the systems are patched with the latest updates. Even if older operating systems such as Windows 7 are used on your production-line network, they should be “hardened” as much as possible. For example, credential caching should be disabled on these systems whereas account lockout policies should be enabled to prevent brute force attacks. If your facility is using more modern operating systems like Windows 10, the use of Windows AppLocker should be considered. This technology requires all executable files to be signed and can make a hacker’s life a little more difficult.

• Administrative privileges for production-line computers should be held only by users who truly need them.

• NetBIOS over TCP/IP is enabled by default on many old Windows operating systems. This protocol introduces vulnerabilities and should be disabled.

• Make sure all unnecessary RDP and SMB ports on your production line network are closed and only opened when needed.

• Implement multifactor authentication on all production-line systems where possible. Use robust password policies with an emphasis on length over complexity.

• If your facility is using a jump server, it should be hardened, protected with multi-factor authentication and should never be used for non–work-related computing.

• Remote persistent vendor connections should be disallowed. Ideally, any remote connections should be temporary and operator controlled.

• All the employees who access computers in your manufacturing facility should engage in IT security awareness training. Over 80% of attacks on manufacturing facilities now target the human first. IT security awareness training conditions users to detect and mitigate threats before they become a problem.

“Five to 10 years ago, many thought that enterprise-grade firewalls were enough to secure an IT network. But this thinking has significantly evolved. Firewalls alone can't provide the protection that digital-first, smart factories and connected manufacturers need,”

- Raj Krishna, VP of Strategy & Planning, Cisco Meraki.

Our cyber security training for employees in the manufacturing sector includes topics such as:

• Password Security
• Credential Theft
• Risks of Removable Media
• Ransomware
• The Human side of IoT attacks
• Phishing and Spear-Phishing
• Waterhole Attacks
• Supply Chain Attacks