Manufacturing: An industry under cyber-attack
James Thorpe
Kennet Harpsøe, Senior Cyber Analyst, Logpoint explains why the manufacturing sector needs to boost its cybersecurity resilience.
Manufacturing remains the most attacked global industry for the third consecutive year, according to the IBM X-Force Threat Intelligence Index 2024 – and the majority of those attacks are ransomware.
What’s more, such attacks are on the rise with The State of Ransomware in Manufacturing and Production survey (Sophos) revealing that these have leapt by 41% since the COVID-19 pandemic, with over half the sector having suffered a ransomware attack in 2023.
Ransomware attacks are also subtly shifting, with a rise in data exfiltration as opposed to just encrypting systems. This strategy is known as double extortion.
Some bypass encryption altogether and carry out extortion-only attacks because this gives them more leverage.
In this case, the attacker can still publish or sell the data on the Dark Web even if the organisation has backed up its data. As a result, the number paying the ransom almost doubled to 62% in 2023 compared to the previous year, found The State of Ransomware report.
Plus, manufacturers are becoming ensnared in equally lucrative software supply chain attacks, such as the MOVEit attack.
This year, we’ve seen such attacks force manufacturers to shut down operations temporarily. Notable examples include ransomware attacks against two German multinationals, ThyssenKrupp, the steel manufacturer and Varta, the battery manufacturer, in February.
The following month, attacks targeted Nexperia, a semiconductor manufacturer in The Netherlands, Hoya Corporation, an optical and medical instruments supplier from Japan and Duvel Moortgat, a Belgian brewery.
Halting production can be costly, and downtime is increasing, with Comparitech research finding the average downtime has doubled from 6.4 days in 2021 to 12.2 days in 2022.
Under siege
Ransomware aside, the sector is also experiencing cyber-attacks due to unintentional and malicious insiders and commercial/geopolitically motivated espionage in pursuit of IP or disrupting operations.
The resilience of the sector is weakening due to transformation on a number of fronts in the pursuit of interconnectivity. Industry 4.0 has seen the integration of smart systems such as the Industrial Internet of Things (IIoT), automation and AI.
Supply chains have also become more complex.
All of these factors have significantly increased the attack surface and risk exposure.
At the same time, there’s a dearth of cybersecurity talent, with four million new cybersecurity personnel needed worldwide and the gap widening at 12.6% per annum, further increasing that exposure.
There’s now a growing clamour to increase cyber-resilience in manufacturing, with the World Economic Forum (WEF) publishing its Building a Culture of Cyber Resilience in Manufacturing in May.
It advocates that the sector adopt a ‘Resilience by Design’ approach by integrating cyber-resilience into each process and system by investing in education and training, integrating cyber into existing business processes, continuously improving operational assets and building out risk-based incident and response management.
The whitepaper illustrates what this might look like in practice by referencing manufacturers who have bolstered defences.
In addition to stress-testing incident response capabilities on a regular basis, WEF cites having a security operations centre (SOC) and using security information and event management (SIEM) capabilities with OT scenario-based playbooks.
Outwitting the attacker
Incident detection and response is hugely problematic in manufacturing because these attacks are highly targeted and use valid credentials to gain access and escalate privileges.
The X-Force survey discovered a 266% increase in info-stealing malware for credential harvesting, for instance, and a 71% increase in the exploitation of valid user accounts.
These can then be used to easily bypass existing security controls; ransomware payloads usually include some element of persistence, enabling them to fly under the radar of detection systems.
For these reasons, it’s necessary to monitor the entire infrastructure for suspicious activity by correlating logs from various data sources to build up a picture of what is happening in real time.
Perhaps there is a lot of low level activity on the network, but because each event is happening in isolation, it may not qualify as an indicator of compromise (IoC) in its own right.
However, once the dots (or logs and alarms) are connected, a different picture emerges and one that could well be of more serious concern.
Case management tools that consider all the indicators, artefacts and other contexts can be used in this way to build a security case that not only gives a clearer view of what’s happening in the infrastructure but also aids in the decision making by providing possible actions to take forward.
Correlating these events is precisely how a SIEM functions, hence the reason it’s mentioned in the whitepaper. But it can also be complemented by other technologies, such as behaviour analytics and automation to aid detection and incident response.
Behaviour analytics sets up parameters of use for individual users, such as access to systems at set times/under specific circumstances, flagging any unusual access activity.
Automation orchestrates searches for IoCs and uses playbooks which align with threat types.
Once a threat is detected, the system prioritises the severity and alerts the SOC before triggering an automated response.
In the case of ransomware malware, for example, changes made to files and directories, such as the creation of new files or a change in the file’s extension, can only be spotted as a deviation from the norm.
Using file integrity monitoring (FIM), it’s possible to create a baseline of how a file system is used so that these deviant actions can be spotted.
Any spike in file creation, renaming or deletions by a user or process can then quickly be identified.
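As an added illustration of the two ideas above (correlating low-level events from several sources into one alert, and spotting a spike in renames or extension changes against a FIM baseline), here is a small Python sketch; it is not code from the article, Logpoint or WEF, and the sample events, sources, business-hours window and rename threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (VPN, Active Directory, FIM):
# (source, timestamp, user, host, event, detail). Not real log data.
SAMPLE_EVENTS = [
    ("vpn", "2024-06-01T02:05:00", "jsmith", "vpn01", "login_ok", "src=203.0.113.7"),
    ("ad",  "2024-06-01T02:06:10", "jsmith", "dc01",  "group_add", "Domain Admins"),
    ("vpn", "2024-06-01T09:00:00", "akhan",  "vpn01", "login_ok", "src=198.51.100.4"),
    ("fim", "2024-06-01T09:01:00", "akhan",  "fs01",  "rename", "draft.docx->final.docx"),
] + [  # 20 renames in one minute, each changing the extension (assumed encryption pattern)
    ("fim", f"2024-06-01T02:07:{s:02d}", "jsmith", "fs01", "rename",
     f"file{s}.docx->file{s}.docx.locked") for s in range(0, 60, 3)
]
BUSINESS_HOURS = range(7, 19)  # assumed baseline: normal logins 07:00-18:59
RENAME_BASELINE = 5            # assumed baseline: renames per user per 5 minutes

def rename_bursts(events, window=timedelta(minutes=5), threshold=RENAME_BASELINE):
    """FIM-style check: count renames per (user, host) in a sliding window and
    flag any burst above the baseline, noting how many changed the extension."""
    renames = defaultdict(list)
    for src, ts, user, host, ev, detail in events:
        if src == "fim" and ev == "rename":
            renames[(user, host)].append((datetime.fromisoformat(ts), detail))
    flagged = {}
    for key, items in renames.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            burst = [d for t, d in items[i:] if t - t0 <= window]
            if len(burst) > threshold:  # deviation from the per-user baseline
                changed = sum(len({n.rsplit(".", 1)[-1] for n in d.split("->")}) == 2 for d in burst)
                flagged[key] = {"renames": len(burst), "ext_changed": changed}
                break
    return flagged

def correlate(events, window=timedelta(minutes=10)):
    """Join weak signals per user: an off-hours login, a privilege change and a
    rename burst inside one window together form a single high-severity alert."""
    sig = defaultdict(dict)
    for src, ts, user, host, ev, detail in events:
        when = datetime.fromisoformat(ts)
        if src == "vpn" and ev == "login_ok" and when.hour not in BUSINESS_HOURS:
            sig[user]["off_hours_login"] = when
        elif src == "ad" and ev == "group_add":
            sig[user]["priv_change"] = when
    for (user, _), info in rename_bursts(events).items():
        sig[user]["rename_burst"] = info
    return [{"user": u, "severity": "high", "signals": sorted(s)} for u, s in sig.items()
            if {"off_hours_login", "priv_change", "rename_burst"} <= set(s)
            and s["priv_change"] - s["off_hours_login"] <= window]
```

Neither the off-hours login nor the group change alerts on its own; only the joined view, with the rename burst from FIM, reaches high severity for `jsmith`, while `akhan`'s single daytime rename stays below the baseline.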
Issues with integration
However, implementing SIEM can be complex. For example, Eissmann Group Automotive, a producer of automotive parts based in Germany, sought to integrate the technology with a variety of point security solutions as well as its SAP solution.
It had more than 100 additional sources of log data, including firewalls, intrusion prevention systems (IPS), security appliances, pre-existing RADIUS, Microsoft and Linux servers, and WLAN access points; it needed a SIEM that could work with all of these systems.
Choosing a SIEM solution that integrates easily with other systems and data sources allowed it to fulfil these criteria.
As well as being able to carry out threat detection and incident response, Eissmann now has extended automated monitoring that provides the IT security teams with centralised log management and tools for troubleshooting, root-cause analysis and forensic security analysis.
Because relevant data is now available and centrally located, Eissmann estimates that the expenditure for troubleshooting is now a twentieth of what it was prior to the project.
If we look to the future, the likelihood is that the manufacturing sector will see more regulation, with the new Network and Information Security directive (NIS2) set to bring manufacturers in scope.
It comes into effect across EU member states from October and aims to increase the cyber-resilience of both important and essential entities, so its reach will extend beyond critical national infrastructure.
Much like GDPR, the expectation is that it could well act as a blueprint for boosting national resilience.
It sets out clear requirements to oversee and monitor cybersecurity controls, which again points to the need for automated threat detection and incident response.