In 2014, a smart refrigerator had been caught red-handed for spawning over 750,000 spam emails after hijacked by a botnet attack. It is the first documented attack worldwide for Internet of Things to have fallen prey to hackers[i]. A more recent case in the US concerns an internet connected thermostat in an aquarium, which hackers successfully controlled to access the high-roller database of gamblers in a casino[ii].
Across the ocean and in the Middle East, a factory plant with a safety shut-off system was infiltrated by Triton, a malicious software, which exploited a previously undetected bug and from there brought the factory operation to a halt[iii].
In another case, hackers got into the company network of an online store by using the credentials and email accounts from 3 of its employees and from there stole the personal information and encrypted passwords of its 145 million users. The breach was not detected for almost 230 days[iv].
And in February this year, FBI agents arrested a disgruntled former employee of a manufacturing plant in the US who had sneaked in through the open VPN backdoor of his employer's network, leading to US$1.1million in damages[v].
Given this ongoing list of reported security breaches and headlines in the press, it's not a question of "It has not happened to me", but more so a mindset change of "It's not if, but when". And yet, given so much attention in the media, cyberattacks continue to rise, and businesses are falling behind in terms of adopting a proactive security strategy. In fact, manufacturing was recently highlighted as the third most-attacked industry, after banking and retail[vi]. Electronics, semiconductors and hi-tech manufacturing sectors are especially vulnerable to threat scenarios, when Industry 4.0 forced them to link their factory production - likely to run on a combination of outdated machines and end-of-support SQL servers - with information technology networks, leaving a gaping hole in their security architecture.
So why are we getting this sudden hype with cybersecurity incidents happening within the manufacturing sector? What is motivating these hackers to shift their target and choice of victim from the other high-profile industries to manufacturing?
Let us take a deeper look at each of these threat cases in an effort to understand how and why these security incidents are occurring and what can manufacturers do to mitigate the risk of being the next cybersecurity victim.
Threat Case 1: Security cannot keep up with IoT
Most end-user IoT devices are designed to be lightweight, they have limited processing capabilities and almost "zero" features in terms of security. Hackers are simply leveraging these IoT devices, as in the case of the smart fridge and fish tank thermostat, to get inside your factory network. They can easily take over or control an IP-enabled device, extract data, and or implant malicious code that opens the backdoor in your system without being noticed.
What causes the alarm bell to trigger is that amateur or rogue attackers can simply pay as little as US$25 to get services from an online hacker-for-hire. The rapid proliferation of connected devices or Internet of Things (IoT) will only mean that the warning bell is flaring into a siren, when the number of connected devices, for home or for business use, will grow from the current 8.4 billion to 50 billion by 2020, according to some recent research reports[vii].
Unfortunately, when security issues are found, it is almost impossible for any company to recall its product from the market, nor can it be completely resolved through after-the-fact firmware upgrades or software patches. What needs to be done requires a concerted effort by both IoT users and manufacturers. IoT consumers should think twice before pressing the "Remind me later" or "Force quit" button the next time they received an alert for an update. Equally, manufacturers need to adopt a proactive outlook to security. One case in point is that manufacturers can use the cloud network as a defense layer, by creating a secure and authenticated connection between the end user device and its origin server, thereby blocking backdoor vulnerabilities right at the edge while ensuring patches are done without compromising consumer experience.
Threat Case 2: Factory automation becomes the loophole for ransom
For any manufacturing company, loss of intellectual property and downtime in factory operations are the biggest threat. While technology has enabled manufacturers to transform into smart factories, it can be your very Achilles' heel. For example, a competitor or a highly skilled employee can easily scan your network to find the next weak spot and making off with your new product source codes.
Given the type of valuable information stolen, it is likely that the company has to pay for a huge ransom and then keep quiet or suffer significant reputation damage when the story makes headlines. The fact that few manufacturers disclose these incidents publicly is a cause of alarm, as hackers who are opportunistic will continue to employ already proven tactics targeting these industries. In China alone, up to 2016,1036 loopholes with industrial control systems have been documented by CNVD (China National Vulnerability Database)[viii]. Industry surveys also find that as high as 40% of manufacturers do not have a formal security policy in place, while 60% of those interviewed confessed that they do not have adequate personnel dedicated to security monitoring[ix].
Threat Case 3: Trust no one, when your users' credentials can be abused
Time and again, we hear of stories where hackers infiltrated a company's network to steal customer database, pricing books or simply intercept a sales order to even having customers perform unauthorized wire transfers by leveraging an employee's legitimate credentials. Examples include man-in-the-middle attacks in which the attacker actively eavesdrops the connections between the victims and then impersonate either parties by injecting new communications. What is more alarming being the fact that 30% of these breaches remain undetected[x], while the average number of days it takes to detect a cyberattack has increased to 206 days in the US[xi] and in some cases in the Asia, an alarming1.6 years[xii]!
The reason why breaches from credential abuse are less likely to be detected lies with how these attacks are being devised. Contrary to "brute force" attack types that generate multiple login attempts to the same accounts, credential abuse attacks leverage user names and passwords that have been leaked and hence only tried a single login attempt with one account. To make matters worse, everyday users tend to use the same login credentials across different sites and devices, including company applications and social media sites.
With credential abuse attacks on the rise and attackers motivated by financial gains, manufacturers should no longer limit themselves to on premise security solutions or performing basic security checks, they should look to a multi-layer security approach that is actively hunting and blocking any potential threats.
Threat Case 4: Espionage from within, not just only from outsiders
What are we also finding these days? Are you aware that internal employees may be the number two hackers? Whether intentional or unwitting employees - including disgruntled ex-employees - can be the source of security incidents (26%). While professional hackers and competitors (43%) top the usual list of suspects, the other type of less suspected attackers is actually third-party users such as partners in the supply chain ecosystem (19%)[xiii].
If so, why is this happening? Foremost, more than half of the workers admitted to using company laptop for engaging in personal activities, be it online shopping, downloading a movie, or conducting internet banking services[xiv]. Little are they aware that hackers can be looking behind their backs and injecting malicious codes to their company network along the way. Secondly, weak authentication and encryption, poorly managed remote access control and passwords for contractors and suppliers, open backdoors in company's firewall and VPN, all leading to monetary losses accumulating to millions.
With manufacturers moving to cloud as part of their Industry 4.0 evolution, companies should consider a structured approach to security. Robust access management, protect your data, gain visibility to all devices and users, and actively assess your risk exposure at all times. More importantly, avoid firefighting!
It's not if, but when.
For manufacturers who are looking to make the first move into developing a proactive security strategy, here's a quick checklist of questions to get you started in the right direction:
- When is the last time that you have performed a formal security evaluation and assessment of your network?
- How and where are your handling, storing and distributing your intellectual property and R&D data?
- How are you managing access control and passwords for your contractors, remote workers, and suppliers in the ecosystem?
Remember, a manufacturing company is no different to any other industry when it becomes the target for the next cybersecurity attack.
Lastly, it's not if, but when.