The topics of ‘risk’ and ‘threats’ can be confusing, and sometimes overwhelming, for those who do not spend all their time organizing the uglies of cybersecurity. So before we jump into the biggest threats that the manufacturing industry faces, let’s define what a threat is and how we, at Asher Security, qualitatively measure and rank threats.
Dictionary.com defines threat as, “a person or thing likely to cause damage or danger.”
In cybersecurity, we can apply this to the business context, and I will attempt to define it as, “anything that has the ability, either intentionally or unintentionally, to impact the confidentiality, availability, or integrity of information systems or data.”
I will specifically note that I like this definition because it includes ‘unintentional’. We often assume and picture threats as malicious attackers ready to break in and destroy. That belief positions us to miss naive behavior. It wasn’t long ago that Gartner and Ponemon ranked the ‘unintentional insider‘ as a top cybersecurity threat. That trend has since changed because of the increase in security maturity at larger companies, which make up a large share of the feedback in such surveys. For small and medium-sized companies, the ‘unintentional insider’ still remains a top threat.
What I’ve found consulting with cybersecurity clients over the last twenty years is that cybersecurity maturity starts with focusing on the inside threat via policy, user awareness, basic security controls and detection; it then progresses to focusing on the external malicious threat, and finally comes back full circle to monitoring the insider again.
Imagine a guy with binoculars looking inside the business, then looking away – outside the business, then again looking inside.
In cybersecurity, we are trying to identify threats to your digital information. We can rank threats by ‘seriousness’ by labeling them as:
High Threat
Medium Threat
Low Threat
This ranking system greatly helps identify the top threats that should drive prioritization of cybersecurity initiatives, security controls and capabilities, process development, and people skills.
The equation we use to rank threats is:
Threat = Capability x Intent
We use this matrix model to help us:
Threat Matrix    | Capability: High | Capability: Medium | Capability: Low | Capability: Info
Intent: High     | High             | High               | Medium          | Low
Intent: Medium   | High             | Medium             | Medium          | Low
Intent: Low      | Medium           | Medium             | Low             | Low
Intent: Info     | Low              | Low                | Low             | Low

(Asher Security Threat Matrix: capability and intent with the resulting threat rankings.)
Let’s walk through a couple of examples.
Example #1 – Professional Ethical Hacker
I’m a certified ethical hacker, and sometimes when I meet with potential clients they challenge me to ‘break in’ to their systems. They’ll say, “If you can break in and show us that a hacker could break in, we’ll hire you.” I’m confident enough not to pursue this system of fear-based sales. I explain that I’m trying to serve them by lowering the risk to their business, not by proving someone can break in with a particular methodology. These types of acts only encourage the client to fix the single system leveraged to gain access, and the process has to be repeated to improve the security of the next system.
But if we continue to use this example in the threat matrix against your business, we can say that my capabilities are ‘high’, but because I’m ethical and my desire is to help you, my intent is ‘zero’. So using the threat matrix above, we can classify the ‘professional ethical hacker’ as ‘no threat’.
Example #2 – Peanut Butter & Jelly
Looking at the flip side of this situation, let’s say someone has a son who loves peanut butter and jelly sandwiches. The parent emails the recipe to their work address, and the son calls asking for it. The parent explains to the child that they will have to wait until they are home. The child is super angry and screams, “If you don’t give it to me right now I’ll break in and take it!” We can see in the threat matrix above that the child has ‘High’ intent, but ‘zero’ capability to execute on this. So there is no threat here.
Example # 3 – Foreign State Hacker
A state-sponsored attacker is trying to get the blueprints and design plans for a new machine that your company has designed. The attacker knows your business builds these kinds of designs and also knows you fit into the SMB market. They have been conducting reconnaissance and data exfiltration for years, and if they are not successful they will not be allowed to remain ‘sponsored’ by this group (you can figure out what I’m saying).
In this example (a true example, by the way), we can see the threat has ‘High’ intent and, based on experience, team, and sponsor, also has ‘High’ capabilities. This is the clear and present danger and gets ranked as a High threat.
Threats vs. Threat Actors
Remember that we defined a threat as, “anything that has the ability, either intentionally or unintentionally, to impact the confidentiality, availability, or integrity of information systems or data.” So in example three above it’s important to state that the threat is ‘hacker‘, not specifically ‘foreign state hacker’. When we tie an identity or persona to a threat we’re really talking about the ‘threat actor‘ or ‘threat group’. There can be many ‘threat actors’, but if they are all using the same means to intentionally impact the confidentiality, availability or integrity of information systems or data, then the ‘threat‘ is the same.
Sometimes, depending on the cybersecurity maturity of the business, it can be beneficial to tie threat actors to threats. The key here is having the ability to digest threat intelligence and take action on it. Without diverting too far from the purpose of this article, it’s important to consider the maturity required to reduce business risk by associating threats with threat actors. You need technology, including network and endpoint visibility, a SIEM, and other systems that allow the integration and dynamic digestion of threat intelligence. You need people who can use this data and who understand how these threat actor groups operate. For example, I’ve worked to try to identify foreign state attackers, and it’s hard. They use Tor (onion routing) and VPNs, which prevent us from depending on geolocation and IP tracking to identify the originating states.
With that said, I do encourage people to differentiate between ‘intentional‘ and ‘unintentional‘ threats, and I find it actionable and valuable. You may have the same ‘threat‘ from two different sources that have different ‘intents‘.
Top Three Threats
The top three threats to the manufacturing industry are foreign state hackers, opportunity hackers, and malicious insiders.
Foreign State Hackers
There is a lot of network traffic from countries that are not currently doing business with, and should have no connectivity to, US-based manufacturing companies. The intent is believed to be to steal US trade and patent information and exfiltrate the manufacturing plans to a foreign country, to be sold to foreign manufacturing companies that can duplicate the plans and produce the same, or similar, products more cheaply and sell them at a lower price.
The focus on innovation remains strong in US-based businesses, and this is possibly the motivation for attackers to stay up-to-date with trends and technology so that they can retain market demand.
Opportunity Hackers
Due to the openness and pervasiveness of IoT devices under the umbrella of ‘network connected’ manufacturing equipment, the threat remains high that these devices will be discovered, penetrated, and used for credential harvesting, for hosting command and control or botnets, for pivoting on harvested credentials to upstream information systems and data repositories, or held hostage with ransomware.
The majority of interconnected manufacturing equipment still relies on old network protocols and ciphers that can easily be eavesdropped on, allowing credentials to be stolen. Many devices have not implemented any type of password hashing or secure encrypted communications. Machines have even been found deployed at remote locations with FTP and Telnet sessions open over the Internet.
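The quickest way to find the exposure described above is to look for Telnet and FTP sessions in your own firewall or flow logs and ask which ones cross the Internet boundary. The script below is an added example for this article, not Asher Security code. It assumes a simplified, constructed flow-log layout (timestamp, source, destination, protocol) and treats the RFC 1918 ranges as the plant’s internal address space; the sample records are constructed, and the RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) stand in for public Internet hosts. Any cleartext session with a non-internal endpoint is ranked high (credentials crossing the Internet); a purely internal one is ranked medium, because it can still be sniffed on the plant network.

```python
"""Flag cleartext management protocols (Telnet, FTP) in flow records and rank
those that cross the Internet boundary.

Added example; not code from the article or from Asher Security. The record
format is a constructed, simplified firewall/flow export:
    <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
Real exports (pfSense, Palo Alto, NetFlow, ...) differ; only parse_flow() would
need to change.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA default ports for protocols that carry credentials in cleartext.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}

# Assumption: the plant's internal address space is the RFC 1918 ranges. We check
# explicit ranges instead of ipaddress.is_private because is_private also treats
# the RFC 5737 documentation ranges (used below as stand-ins for public hosts)
# as non-global, which would hide the very exposure we want to find.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """\
2024-03-04T02:11:09Z 203.0.113.45:51022 -> 198.51.100.17:23 tcp
2024-03-04T02:11:15Z 10.20.30.5:40112 -> 10.20.30.200:23 tcp
2024-03-04T02:12:01Z 198.51.100.17:21 -> 203.0.113.99:60321 tcp
2024-03-04T02:12:44Z 10.20.30.5:40113 -> 10.20.30.200:443 tcp
2024-03-04T02:13:02Z 192.168.7.12:53120 -> 192.168.7.40:21 tcp
2024-03-04T02:13:30Z 203.0.113.45:51023 -> 198.51.100.17:22 tcp
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    service: str
    severity: str  # "high": cleartext across the Internet; "medium": cleartext internally


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal (RFC 1918) space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flow(line: str) -> Tuple[str, str, int, str, int, str]:
    """Split one constructed flow record into its fields."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto


def cleartext_service(src_port: int, dst_port: int) -> Optional[str]:
    """Name the cleartext service if either side sits on a known port.

    The service port may appear on either side depending on which direction the
    exporter recorded; ephemeral client ports are >1023, so a 21/23 on the
    source side means the server answered the flow.
    """
    for port in (dst_port, src_port):
        if port in CLEARTEXT_PORTS:
            return CLEARTEXT_PORTS[port]
    return None


def find_cleartext_exposure(flow_text: str) -> List[Finding]:
    """Return one Finding per Telnet/FTP flow, ranked by whether it leaves the plant."""
    findings: List[Finding] = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, src_port, dst_ip, dst_port, proto = parse_flow(line)
        if proto != "tcp":
            continue
        service = cleartext_service(src_port, dst_port)
        if service is None:
            continue
        crosses_boundary = not (is_internal(src_ip) and is_internal(dst_ip))
        severity = "high" if crosses_boundary else "medium"
        findings.append(Finding(ts, src_ip, dst_ip, service, severity))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_exposure(SAMPLE_FLOWS):
        print(f"{f.severity.upper():6} {f.service:6} {f.src} -> {f.dst} at {f.timestamp}")
```

Against the constructed sample this reports the Internet-facing Telnet and FTP sessions as high and the two plant-internal ones as medium, while SSH and HTTPS pass silently. Point `find_cleartext_exposure()` at a real export after adapting `parse_flow()` to its layout, and replace `INTERNAL_NETWORKS` with the address space the plant actually uses.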
Insider Threat
A lack of security controls, user awareness training, and security visibility allows data to be moved outside the security boundaries of manufacturing companies without detection or other controls. This allows insiders, either intentionally or unintentionally, to move manufacturing plans, trade secrets, processes, and other sensitive and confidential data outside the network.
Summary
The threats to businesses in the manufacturing industry remain high, and concern has increased as the number of attackers looking for ways to make money from exploits grows. The appeal of local, small, and medium-sized businesses has also greatly increased: the improved security controls and capabilities at larger companies have made the SMB market a prime target for exploit attempts with a lower risk of detection.