And other malware? And DDoS attacks? Manufacturers are waking up to issues about which they need to be on high alert.
The nexus of cyber and physical security threats is the stuff of nightmares, and while manufacturers are waking up to it as a reality, experts worry that the awakening is happening too slowly.
A handful of incidents in recent years in which hackers have been able to remotely control machinery have underlined the risk, but experts say it may take a more seismic shock to the industry to spur the necessary action in cyber defense.
That relative inertia, coupled with the growing complexity of manufacturer’s digital assets, will pose a stiff test for manufacturers trying to defend their enterprises in the near term.
“The risk is getting bigger and bigger because of the tighter digital integration,” said Ralph Langner. The co-founder and managing principal of a consulting and software firm that bears his name was among the first to decode the infamous computer worm called Stuxnet.
“Here’s the problem: We are creating so [many] more cyber-physical interdependencies and at the same time we don’t spend enough effort to actually understand those cyber-physical interdependencies.”
There is a clear and present danger: A rise in recent cyberattacks on manufacturing have made it the second most hacked sector after healthcare, according to research from IBM.
The automotive industry accounted for 30 percent of attacks aimed at manufacturing in 2015, the most of any category within manufacturing, according to IBM, which did not name any of the automotive companies hacked. Chemical manufacturers were the second most targeted category of manufacturers, the report said.
For starters, Langner and others predict ransomware—malware that encrypts a computer user’s data until hackers are paid off, usually via crypto-currency—will soon become a force to be reckoned with in manufacturing.
But it is not all doom and gloom.
Practitioners say the baseline of cyber defense in the industry is rising, the cyber insurance market for manufacturers is blooming, and some standards initiatives are bearing fruit.
Two features of U.S. manufacturing have made it inherently challenging for the sector to tackle cybersecurity compared with some other sectors, according to analysts.
One is the fact that manufacturing is not regulated in its cybersecurity practices in the way, for example, that the electric utility industry is. Electric utilities face fines if they do not comply with mandatory cybersecurity standards set by the North American Electric Reliability Corp.’s Critical Infrastructure Protection plan.
There is no such punishment hanging over manufacturers, which some argue has led to insufficient cyber investments in the sector.
“One thing I learned a long time ago in this business… is people don’t spend money unless they have to,” said Mark Weatherford, senior vice president of vArmour, a firm that specializes in data center and cloud security.
“Unless there’s a compliance requirement, my experience is that people are not going to spend money on security just because it may be the right thing to do,” added Weatherford, a former cybersecurity official at the Department of Homeland Security.
Absent regulation, security professionals have tried to build a more robust set of voluntary standards to which manufacturers and others can adhere.
“Within the standards realm, there’s growing recognition that there is an intersection between functional safety and cybersecurity,” said Brian Wisniewski, engineering security manager at Rockwell Automation.
Wisniewski points to IEC 62443, a series of standards for securing industrial control systems, as an effective rubric to progressively shore up ICS security.
That set of standards is critical because it is “not just about the components and it’s not just about the development process,” he said. “It’s also about the systems level and the policies and the governance and the oversight, and a common terminology.”
Another disadvantage for US manufacturing is the complexity of the industrial supply chain.
Ensuring the integrity of all of the components of a vast machine like an airplane is a monumental task.
In other words, manufacturers aren’t just tasked with “protecting their own interests and intellectual property, but the interests and viability of their customer’s products, reputation and services, as well,” said Nathan Wenzler, principal security architect at AsTech Consulting.
Cybersecurity specialists who focus on manufacturing have therefore tried to develop a clearer and more traceable picture of the supply chain.
Many manufacturers have a hardware “bill of materials,” or list of all hardware components in products, but no such list for software, according to Ken Modeste, global security principal engineer at testing organization Underwriters Laboratories.
That is a significant shortcoming, he said.
Take, for example, OpenSSL, one of the most popular open-source libraries for cryptography. Without tracking updates to OpenSSL, a manufacturer will be in the dark to newly discovered vulnerabilities and their corresponding software patches, Modeste pointed out.
UL in April introduced a cybersecurity assurance program to help manufacturers and other asset owners assess the security of the software in their supply chains. UL has some 70,000 clients, Modeste said, and the goal of the program is to drive adoption of the security assessment so that a factory asks for a software bill of materials before it acquires a product.
There are other initiatives afoot that will have implications for manufacturing supply-chain security.
The Digital Manufacturing Design and Innovation Institute (DMDII), a federally funded, public-private organization based in Chicago, has been developing an open-source platform to give manufacturers big and small the ability to share design models.
The platform’s code is open source, which gives small and medium-sized firms “the ability to communicate using modern digital tools that we’ve seen in the past work very well but that had this cost issue, or maybe even expertise issue, [that was] hard to overcome,” said Ben Beckmann, lead scientists at GE Global Research, a collaborator on the project.
The hope is that by giving manufacturers a common language in which to compare supply inputs, “we can smooth out the rough edges across our engineering-manufacturing supply chain,” he said.
Shots across the bow
Nothing seems to have the effect on companies’ attention to cybersecurity investments and best practices as a major breach that makes national headlines. All the preaching and prodding from cybersecurity advisers behind closed doors seems to pale in comparison to the impact of having your proprietary data dumped online.
Manufacturers have experienced a handful of breaches that cyber practitioners point to as teachable moments.
The first is Stuxnet, the computer worm reportedly unleashed in November 2007 by US and Israeli intelligence agencies on the software controlling centrifuges at an Iranian nuclear facility. Manufacturers are still drawing lessons from that zero-day exploit.
Stuxnet “shone a spotlight on the ways that isolated, custom-built and specialized [industrial control systems] could legitimately be attacked and compromised,” Wenzler said.
The attack’s precision in being able to hit only the specific control systems it was after showed that “previous security models of air-gapping [industrial control systems], or trusting that the custom nature of the manufacturing systems made it secure from outside attacks, were no longer valid,” he said.
Air gapping—the act of physically separating one network from another—has been going out of vogue for manufacturers, and Stuxnet may be a big reason for that. The Industrial Internet of Things, or the growing connectivity of control systems, has seen manufacturers prefer connectivity to the limited security returns of air gapping.
Connectivity is here to stay for manufacturers, and the security controls they employ better catch up quickly.
“In a modern factory, there is no way that you would completely isolate… your control network from the enterprise network,” Langner said. “No way, because you want this integration in order to do things like manufacturing execution systems.”
In a sequel of sorts to Stuxnet, hackers were able to cause significant damage to a German steel mill, a 2014 assessment by German analysts revealed. The hackers were able to use social engineering to enter the network of the steel mill and prevent a furnace from shutting down.
Then there was the highjacking of medical devices, known as MEDJACK, a tire-pressure monitoring system (TPMS) attack, and the remote hack of a Jeep vehicle that was shown in a 60 Minutes episode.
These disruptive attacks notwithstanding, the manufacturing sector has not felt anything on the order of the magnitude of the data breaches that have hit, for example, the retail sector. The 2014 breach of Target Inc. compromised the privacy of tens of millions customers’ data and cost the company’s chief executive his job.
Despite seminal attacks like Stuxnet, “the reality is that the asset owners in manufacturing really didn’t wake up,” Langner said.
Insuring against disaster
Bolstering supply chain security is crucial for manufacturers, but it is, of course, no panacea against getting hacked. There is a growing acceptance among asset owners that getting hacked is part of the cost of doing business, and that buying insurance is a necessary safeguard.
Justyn Hardcastle, a cyber underwriter at insurer Tokio Marine Kiln, said he has seen a clear increase in manufacturers’ interest in insurance and that a market has taken shape that accounts for their specific needs.
“There’s this ever-growing interconnectivity between IT infrastructure and operational technology infrastructure,” Hardcastle said. “There’s a greater exposure, I think people are becoming more aware of that exposure. Whereas before, people might not have been aware of the risks of, say, connecting certain aspects of control systems to the Internet.”
Hardcastle predicted a “gradual uptick” in manufacturers’ adoption of cyber insurances as awareness of its utility increases, in part, through communication between IT security professionals across sectors. Citing client confidentiality clauses in its policies, he said his firm could not name any companies it has insured.
Parsing the tea leaves
What will the next six to 12 months look like for cyber threats to manufacturers?
Ransomware will grow as a menace, experts agreed.
Ransomware “is a very lucrative business model for organized crime, and it’s just a matter of time until the threat actors in question figure out how much more money they can make just by hitting real large manufacturing companies,” Langner said.
Joseph Carson, head of global strategic alliances at IT security firm Thycotic, agreed that ransomware will increasingly target manufacturers.
Carson also noted a growing impact of distributed denial of service (DDoS) attacks that flood systems with traffic in an attempt to knock them offline. He and several other experts pointed to the recent crippling DDoS attack on Dyn, a DNS service provider, as a harbinger of things to come.
Command-and-control attacks like the one on the German steel mill could become more prevalent as hackers explore new ways to attack manufacturers, said Jim Barkley, director of DMDII’s Digital Manufacturing Commons.
Meanwhile, digital adversaries will continue to target manufacturers’ prize possession of intellectual property, he said.
New forms of customized malware will continue to keep manufacturing executives up at night, according to AsTech Consulting’s Wenzler.
“Many manufacturing and ICS systems are custom built for specific purposes, and this has historically made them difficult to attack without custom, targeted malware or exploit code,” he said.
“However, as malware kits are becoming commodities and can provide a great deal of easy-to-configure customization, I believe we’re going to see more and more customized attacks that can be broadly distributed but may go undetected as they’ll only affect the particular custom systems the attacker wants to compromise.”
Beckmann, the GE Research scientist, said that the Industrial Internet of Things will continue to pose a distinct-but-surmountable challenge to manufacturers’ cyber defense.
“It’s very common to have machines on a manufacturing floor that are disconnected,” Beckmann said. “They operate by themselves, they’re plugged into the wall, but that’s the level of connection it has. And I think as we move towards more and more of these systems that that’s where threats could arise, but I do think we have time to address them at the moment.”
Not everyone was so optimistic.
“In many ways, we are only seeing the tip of the iceberg in terms of the outcome of a network attack. Entire plants could be shut down or even ruined,” said Kasey Cross, director of product management at LightCyber.
“Defects could be introduced to products that are not immediately discernible,” she said. “A motivated attacker can get into any network today.”