Tackling the cyber threat to manufacturing businesses

The manufacturing industry has become a major target for ransomware attacks. The reason is simple: if criminals can cripple the operational technology that controls the manufacturing plant, a company will rapidly come to its knees. With no product to sell, any company will fear for its existence – and with that fear, the criminals believe any manufacturing company will be more likely to pay a sizable ransom to stay in business. Sophisticated cyber criminals understand this. They choose and research their targets and set their ransom to the maximum amount they believe the company can afford to pay.

For many years, the manufacturing industry didn’t worry about cyber threats. Its operational technology (OT) was air-gapped from outside interference, and was therefore safe from external compromise. This is no longer true. The advent of the fourth industrial revolution – otherwise known as business digitisation – has eroded that air gap. IT and OT are now totally interdependent. Bringing down a manufacturing company’s IT will almost certainly have a knock-on effect on its OT.

A classic example was seen in the U.S. with the recent ransomware attack against Colonial Pipeline. Colonial rapidly shut down the pipeline and paid the attackers’ demand for almost $5 million in bitcoin. The immediate assumption was that Colonial’s OT had been compromised. But this wasn’t true – it was Colonial’s payment IT that was crippled. Having no ability to be paid for its oil was as destructive to the firm as having no oil to sell.

But it gets worse for the manufacturing industry. Small firms might believe they won’t be targeted because attackers know they cannot afford to pay a large ransom. While it is true that they may not be targeted by the big gangs, they are still subject to untargeted spray-and-pray attacks. These attacks can use large-scale spam and phishing campaigns that simply compromise any target that is within reach – the gangs neither know nor care who they are.

A recent example was the July ransomware attack against the UK’s Northern Rail. Northern Rail was ‘taken back’ by the UK government last year. The UK government does not pay ransoms. Any criminal gang that targets companies for big pay-outs would know this – that in fact there was no possibility of gaining any return from the attack. Northern Rail wasn’t targeted – it simply got in the way.

There are other reasons for small companies to suffer ransomware – they may be the victim of a supply chain attack against a larger enterprise. A small manufacturing company may well supply goods to a larger manufacturing company. If the small company can be compromised, it could yield trusted credentials into the systems of its larger customers, which could then be targeted with ransomware for a much larger sum. But since they’re already inside the small company, the criminals will drop ransomware there as well – either just because they can or even to cover their tracks.

Cyber-attacks and ransomware cannot be avoided

The UK Government’s Cyber Security Breaches Survey 2020[1] states, “Almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).”

This is almost certainly no longer accurate. The survey used data from 2019 – that is, from a pre-pandemic Britain. Since then, attacks have increased, ransomware has surged, and the combined effects of Brexit and the pandemic have weakened the financial standing of most small businesses.

Detailed ransomware figures for the UK are hard to find and of doubtful accuracy. Companies prefer not to admit being breached, and will often quietly pay a ransom rather than face the censure of government advice not to pay. A study by Sophos[2] in 2018 followed bitcoin transfers and concluded that about 233 victims worldwide had paid a SamSam ransom. This is many times more than the number of companies that admitted to being breached, and relates to just a single type of ransomware from a single criminal gang.

The unanswered question today is how many companies already struggling with the economic climate can afford to pay a ransom – or ignore it and face the consequences – and still manage to recover.

Ransomware has evolved into something now known as a double extortion attack. The attackers breach the target, steal confidential and personal information, and then drop the ransomware. The first extortion is a demand for money (usually bitcoin or other cryptocurrency) to release the encrypted files. If the victim refuses to pay, the second extortion comes into effect: the attackers threaten to expose or sell the stolen data.

This is a double whammy for the victim. First it must cope with the business-destructive effect of the ransomware, and then it must cope with confidential data leakage, data protection fines, or both. The UK’s current data protection law is effectively still GDPR, and could lead to a maximum fine of £17.5 million or 4% of global turnover, whichever is the larger.

Integrated defence that can cut across the attackers’ kill chain

Manufacturing and other industries cannot avoid being attacked. The only way to cope with the destructive and expensive nature of ransomware is to prevent a successful attack. This is not easy. The old advice to ensure good backup to allow easy recovery of encrypted files is no longer sufficient – the modern attacker may reside within the target’s network for weeks, preparing the attack, selecting the files to encrypt, and disrupting or destroying backup procedures.

The solution lies in an integrated defence that can cut across the attackers’ kill chain. This will require, at a minimum, sophisticated endpoint detection and response software, solid access protection, and effective Active Directory protection to prevent lateral movement around the network by any resident attacker.

This is difficult and expensive for the average SME. Not the least of the difficulties is finding, hiring, and affording the specialist skills required to manage the security defences 24/7 in a time of economic duress and cyber skills shortage.

The simplest, most efficient, and cost-effective solution is to transfer the entire cybersecurity problem to a third-party managed security service provider (MSSP). But it is important to choose the right MSSP.

What is needed is a co-operative, hands-on approach to security, rather than simply providing a security management dashboard and sitting back. So is working closely with partners and clients to understand each individual enterprise and its unique needs. Combining industry-leading security technology, a breadth of expertise and this collaborative approach enables MSSPs to tailor bespoke IT and security solutions that fit each company’s needs.

[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

[2] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf