The cybersecurity threat landscape keeps changing. Every day there are new threats, exploits, and reports of breaches. If one thing has stayed the same, it’s that the threat is real: it is knocking on the door of corporate networks and seeing what can be leveraged for value.
Shift to SMB
One trend we are seeing is that threat actors are decreasing their focus on the economy-of-scale benefit of large businesses and instead leveraging the increased opportunity of small and medium businesses. They are taking developed exploits and methodologies, along with lessons learned, and applying them to small companies that don’t have cyber defense systems and processes in place. They are finding they can more quickly exploit a company, get in, and get out, instead of spending so much time and risking a higher chance of being detected and caught at the bigger businesses.
This is largely due to the increased budget and spend at larger companies over the last five years.
Forbes says “And such spending has grown markedly. In the United States, outlays for cybersecurity have jumped from $40 billion in 2013 to $66 billion in 2018, if, that is, the pace of spending in the first half holds up for the entire year. That amounts to a 10.5% yearly growth rate. Few lines of business can claim that kind of growth. Globally, the spending figure, according to Gartner, should approach $93 billion this year, though many industry executives suggest that this estimate is much too conservative. They put the likely final spending amount well over $100 billion.”
(source: https://www.forbes.com/sites/miltonezrati/2018/09/05/cyber-security-a-major-concern-and-a-great-business-opportunity/#7fa5866e3e26)
The manufacturing industry hasn’t been able to keep up with the people, process, and technology that larger companies have been investing in.
Specific Risks
#1 Biggest Risk: IP Data
Intellectual property (IP) is at the heart and core of manufacturing companies.
The manufacturing industry differs from other verticals in that it tends to have a higher concentration of intellectual property.
This is process data and plan data. Process data is how a manufacturing company uniquely designs and implements a process to satisfy customer requirements, improve efficiency, validate effectiveness, and measure speed, accuracy, and tolerances.
IP plan data includes uniquely designed plans, blueprints, and schematics for the machines and manufacturing equipment that the company designs, builds, and supports. This is the secret sauce of the business. Theft of this data by foreign actors and competitors cannot be afforded. The unavailability of this data due to ransomware or malware can also come at a huge loss.
Risk Contributors:
Process:
- Lack of data classification labeling and identification of IP data.
- Distribution of data throughout the network, and lack of data centralized to one location.
- IP data on endpoints with a higher risk of exfiltration and malware such as ransomware.
- Lack of access controls that restrict IP data to the people who need it.
- Weak credential management and rotation, allowing potential access by terminated employees. Sharing and common knowledge of shared system credentials. Lack of password rotation requirements, especially on system accounts (non-employee).
- Lack of visibility into changes, access, and movement of IP data, especially off network to resources like cloud and personal email accounts.
Technology:
- Lack of perimeter controls that police data movement to the cloud
- No data tagging or loss prevention controls
People:
- Weak security awareness training educating users not to store data on endpoints
#2 Biggest Risk: IoT
Trends in manufacturing show that more and more machines are being designed and built for interconnectivity. The most common connectivity has remained network cabling that communicates over local networks. Newer devices are leveraging WiFi controllers and devices to allow communication with equipment without the cabling requirements of historic machines.
This connectivity is being deployed to allow machine code updates, check availability and system status reporting. This access is even being used to remotely distribute plans and instructions to the equipment.
Our research found most of the network communication to these devices to be unencrypted, using protocols like FTP and Telnet.
This IoT access provides a large opportunity for malicious attackers. One risk is the ability to capture system credentials in clear text as they traverse the network. There is also the risk of those credentials being leveraged to make system changes that can decrease quality, create outages, and drive up operating costs.
Even greater is the risk this poses to the clients operating these machines, as it provides an open door and vulnerability into client networks. This level of access even allows the code to be changed, impacting its integrity. One example of how this could be leveraged is to edit the code to include a command and control channel, a remote access tool kit, or even a key logger.
We found no examples of manufacturers signing their code, so there is no evidence that can be used to check the integrity of the manufacturing code onsite or in client environments.
Risk Contributors:
Process:
- No code signing or integrity process.
- Unencrypted, clear text protocols
People:
- Lack of skills on how to implement code hash or certificate-based signing.
- Lack of skills to implement secure socket layer (SSL) transport protocols.
Technology:
- No internal certificate authority implementation
- No centralized code repository
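To illustrate the missing code-integrity process, here is an added example (not part of the original article) of a hash manifest that a receiving site checks before loading machine programs. The file names, key, and function names are hypothetical, and the HMAC tag is a stand-in for the certificate-based signature an internal certificate authority would provide.

```python
import hashlib
import hmac
import json


def _manifest_tag(hashes: dict, key: bytes) -> str:
    # Canonical JSON so publisher and receiver authenticate identical bytes.
    body = json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Publisher side: hash every program file, then authenticate the hash list."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return {"hashes": hashes, "tag": _manifest_tag(hashes, key)}


def verify_release(files: dict, manifest: dict, key: bytes) -> list:
    """Receiver side: return a list of problems; an empty list means safe to load."""
    hashes = manifest.get("hashes", {})
    expected = _manifest_tag(hashes, key).encode()
    if not hmac.compare_digest(expected, str(manifest.get("tag", "")).encode()):
        return ["manifest: authentication tag mismatch, reject whole release"]
    problems = []
    for name in sorted(set(hashes) | set(files)):
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing")
        elif name not in hashes:
            problems.append(f"{name}: not listed in manifest")
        elif hashlib.sha256(files[name]).hexdigest() != hashes[name]:
            problems.append(f"{name}: content hash mismatch")
    return problems


# Constructed sample data: two small machine programs and a demo key.
KEY = b"constructed-demo-key"  # assumption: real deployments use an asymmetric signature
RELEASE = {"spindle.nc": b"G21\nG90\nM03 S1200\n", "probe.nc": b"G38.2 Z-10 F50\n"}


def demo() -> dict:
    manifest = build_manifest(RELEASE, KEY)
    # A file altered in transit, e.g. over an unencrypted FTP transfer.
    tampered = dict(RELEASE, **{"spindle.nc": RELEASE["spindle.nc"] + b"M98 P9999\n"})
    # Manifest hashes rewritten to match the altered file, but without the key.
    forged = {"hashes": build_manifest(tampered, b"wrong")["hashes"], "tag": manifest["tag"]}
    return {
        "clean": verify_release(RELEASE, manifest, KEY),
        "tampered": verify_release(tampered, manifest, KEY),
        "forged": verify_release(tampered, forged, KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With a shared HMAC key, anyone able to verify can also forge a manifest, which is why a certificate-based signature is the better fit when programs are shipped to client environments.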
Key Risk Indicators
Outside these specific risks, there are several key risk indicators (KRIs) that continue to rise to the top during risk assessments in the manufacturing vertical. Key risk indicators are early-indicator metrics that can signal a risk based on a lack of people, process, or technology. Although these are not risks in and of themselves, if there is any measure of a threat at all, then these risks are magnified and significant.
#1 KRI: Lack of Risk Identification
Most manufacturing companies assessed do not have a formal risk assessment process and, because of that, lack specific identification of what the business’s top risks are. If any risk is identified, it is ad hoc and not based on a formal or regular review process, it has not been measured, and cybersecurity initiatives are not specifically mapped to decreasing the associated risk.
#2 KRI: Lack of People Skills
Cybersecurity tends to be a shared responsibility across technology and bears the burden of also sharing priorities. It lacks a specific focus, budget, and organized initiative. Because of this, employee training is not at a level that supports the efficient operation of cybersecurity controls and capabilities. In addition, there is no ongoing focus or set of priorities for employees and there are no measured metrics.
#3 KRI: Lack of developed processes
There is a lack of formal documented best practices within this industry vertical and instead a high dependence on ‘reaction’ and ‘response’. There is a lack of formal security policy, and this causes the lack of important security guides and processes such as data classification guides, user awareness, and security incident response and handling.
Summary
The manufacturing industry has a set of data that is unique from many other industry verticals and this data is the heart and soul of the business. This intellectual property has significant value to the business and should be classified as ‘confidential’.
The two main driving risks are, first, the loss, theft, and availability of this IP data and, second, the connectivity of machines that are unique across the manufacturing industry and that require and support remote connectivity. This second risk impacts the integrity of the code base, could allow remote access and availability issues, and finally could greatly impact the company’s reputation.