
The new major cyber threat facing the manufacturing industry: ‘disruptionware’

21 October 2019

The world of cybersecurity is built upon layers of actions, reactions and counter-reactions. As enterprises, industries and nation-states develop new cybersecurity measures, threat actors are at work to develop the next method to exploit vulnerabilities identified in their systems. This results in the former counter-reacting with new security techniques, and thus the cycle continues, reports Chris Sherry, Regional Vice President of EMEA North at Forescout

When we look at the patterns that cyber attacks have traditionally followed, more often than not criminals set out to infiltrate systems with the clear objective of finding monetary gain from their efforts. However, in recent times we’ve seen that attackers have changed tactics considerably. While profit still remains the key objective for some, others are focusing on hampering critical industries by degrading, halting and denying processes and key operations, causing huge downtime and reputational damage in the process.

The motivation for such an attack can often lie in competition between businesses, brands and even nation states. Consider a situation where encrypting the IT network of a US steel manufacturer could result in a lucrative contract being awarded to a Russian firm, or where wiping the systems and backup servers of a tech startup provides a Chinese firm with a technological advantage: this type of corporate espionage is already occurring. 

This new phenomenon, known as ‘disruptionware’, largely targets operational technology (OT) such as the equipment that manufacturing and similar industries depend on. The problem is that these devices - PLCs, RTUs and other assets - are increasingly becoming IP-enabled, despite the fact that they were never designed to be connected to the internet. The scope of devastation afforded by this new type of attack is so large that academics have even suggested that it could pose “an existential threat” to any business that does not have proper cyber controls in place. Recent research also supports that the time for businesses to take their counter-action is now: nearly eight in 10 manufacturers (79%) have suffered some form of IoT cyberattack in the past year.

One pertinent example of the potential devastation this can leave is the 2019 attack on Norsk Hydro. The company, one of the largest aluminium producers and manufacturers in the world, was afflicted with the LockerGoga ransomware, and the attack had a detrimental impact on its operations worldwide. Norsk declined to pay the ransom and instead engaged its incident response procedures and switched to manual operations while its systems were restored and the ransomware infection was removed. Nevertheless, a week after the attack, it estimated its losses at $40 million despite reporting a full recovery, and many manufacturing firms that rely on automated systems do not even have the option to operate manually efficiently or safely.

So, with this in mind, businesses in this sector need to wise up to their vulnerabilities or risk becoming part of the statistics. The questions that will help them on this journey include the following: what are the distinct challenges faced by the manufacturing industry when it comes to this new dawn of cyber threat? How can businesses in this sector seek to improve their cyber hygiene and keep the bad actors at bay? And, perhaps most importantly, how can they stay resilient to the future threats that don’t even exist yet?

The peaks & pitfalls of innovation

Manufacturing plants and those in the infrastructure sectors have undergone huge digital transformation in recent years. This transition can largely be associated with the technological advancement of the industrial internet of things (IIoT) and the convergence of information technology with OT. The increasing interoperability of processes has meant that suppliers now have access to big data as well as more understanding of the information that lies within the business, and so in turn can offer more services and make operational efficiencies that save on both time and cash.

Each IIoT device connected to the network has the potential to become a gateway for attack

However, with the competitive advantage also comes risk. Each IIoT device connected to the network has the potential to become a gateway for attack if improperly secured. Unregistered devices pose a large portion of this threat as they often ‘creep’ onto the network - sometimes unintentionally - without being seen. This inevitably causes a huge problem: the security team has no idea that devices which are not visible to it are there, nor that they may be leveraged as unsecured access points for targeted attacks such as ‘disruptionware’. A lot of these devices also lack layered security by design, hold default administrative credentials and are irregularly patched, leaving known vulnerabilities open.

For many firms, manual maintenance of these devices is deemed too expensive compared to remote access solutions, especially if the systems are located overseas. Maintaining dedicated staff on-site to patch, update, and repair a system is considered too costly in comparison to cheaper remote access or automated alternatives. As a result, adversaries often leverage the remote desktop protocol (RDP) ports, generally TCP 3389 and UDP 3389, that are often used for remote maintenance, to install malware onto networks or laterally infect additional devices.

Proactive protection & prevention

It becomes clear, then, that manufacturing organisations have some key obstacles to overcome if they want to diminish the threat of ‘disruptionware’. The first step to reducing the risk is to guarantee full sight of the devices and connections on their networks, gaining knowledge of the ways in which assets interact with one another and where the potential blind spots for hackers to take advantage of lie. The only way this can be achieved is through full and uncompromising network visibility and control; that is, a capability that inventories the assets on every network and classifies them by operating system, type of device, and function. Technology that provides this capability will often also audit for unauthorised access attempts and support penetration testing to determine the level of vulnerability within the network.

Keeping all systems patched - including hardware, mobile devices, operating systems, software, applications, cloud locations and content management systems - can be one of the most critical steps to a secure network. As we know, for manufacturing companies these assets may be spread across industries, and so the most helpful solution to ensuring this process is in place is to use a centralised patch management system.
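To make the visibility, RDP-exposure and patching points above concrete, here is an added illustration (not code from the article, nor from Forescout or any product it sells) of the checks a defender would run over a discovered asset inventory: classify each device as OT, IIoT or IT by its type, then flag unregistered devices, default administrative credentials, RDP (TCP/UDP 3389) reachable from the internet, and overdue patches. The inventory records, the device-type tables, the 90-day patch window and the audit date are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (assumption, not data from the article): the kind of
# record a network-visibility tool produces after discovering assets on a plant network.
INVENTORY = [
    {"ip": "10.10.1.10", "device_type": "PLC", "os": "VxWorks", "function": "line-control",
     "registered": True, "default_credentials": False, "open_ports": [502],
     "internet_reachable": False, "last_patched": "2019-09-01"},
    {"ip": "10.10.1.11", "device_type": "RTU", "os": "embedded", "function": "telemetry",
     "registered": True, "default_credentials": False, "open_ports": [20000],
     "internet_reachable": False, "last_patched": "2019-06-30"},
    {"ip": "10.10.2.20", "device_type": "HMI", "os": "Windows 7", "function": "operator-station",
     "registered": True, "default_credentials": True, "open_ports": [3389, 445],
     "internet_reachable": True, "last_patched": "2019-01-15"},
    {"ip": "10.10.3.5", "device_type": "IP camera", "os": "Linux", "function": "site-monitoring",
     "registered": False, "default_credentials": True, "open_ports": [80, 554],
     "internet_reachable": False, "last_patched": None},
    {"ip": "10.10.4.2", "device_type": "workstation", "os": "Windows 10", "function": "engineering",
     "registered": True, "default_credentials": False, "open_ports": [3389],
     "internet_reachable": False, "last_patched": "2019-10-08"},
]

# Hypothetical classification tables; a real deployment would use vendor fingerprints.
OT_TYPES = {"PLC", "RTU", "HMI", "SCADA server"}
IIOT_TYPES = {"IP camera", "sensor gateway", "smart meter"}
RDP_PORTS = {3389}                # TCP/UDP 3389, the RDP ports the article names
PATCH_SLA_DAYS = 90               # assumed patch window; tune to the site's own policy
AUDIT_DATE = date(2019, 10, 21)   # fixed audit date so the results are reproducible


def classify(asset):
    """Bucket a device as OT, IIoT or IT from its discovered type."""
    device_type = asset["device_type"]
    if device_type in OT_TYPES:
        return "OT"
    if device_type in IIOT_TYPES:
        return "IIoT"
    return "IT"


def days_since_patch(asset, today):
    """Days since the last recorded patch, or None if there is no record at all."""
    if asset["last_patched"] is None:
        return None
    return (today - date.fromisoformat(asset["last_patched"])).days


def audit_inventory(assets, today):
    """Return (ip, class, finding) tuples for every hygiene problem in the inventory."""
    findings = []
    for asset in assets:
        cls = classify(asset)
        if not asset["registered"]:
            findings.append((asset["ip"], cls, "unregistered-device"))
        if asset["default_credentials"]:
            findings.append((asset["ip"], cls, "default-credentials"))
        # RDP is only a finding when the port is reachable from outside the plant;
        # an internal-only engineering workstation with 3389 open is not flagged here.
        if RDP_PORTS & set(asset["open_ports"]) and asset["internet_reachable"]:
            findings.append((asset["ip"], cls, "rdp-exposed"))
        age = days_since_patch(asset, today)
        if age is None or age > PATCH_SLA_DAYS:
            findings.append((asset["ip"], cls, "patch-overdue"))
    return findings


def run_audit():
    """Run the audit over the constructed inventory at the fixed audit date."""
    return audit_inventory(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for ip, cls, finding in run_audit():
        print(f"{ip:<12} {cls:<5} {finding}")
```

The internet-facing HMI with default credentials and an unpatched OS is the record that matters most here: it is exactly the remote-maintenance foothold the article describes, while the engineering workstation with RDP open only internally is reported as a segmentation concern rather than an exposure.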

OT controllers and security personnel are beginning to understand the requirement for a structured approach to cyber hygiene that pairs their knowledge of the machinery and IIoT devices together in order to ensure that assets do not fall into nefarious hands. An effective manifestation of this pairing is a properly segmented network that limits movement across to other at-risk areas. In scenarios where devices are constantly joining and leaving the network, such as a head office or supplier depot, a segmented network is also able to separate third parties, with their own credentials, into their own ‘zone’, which allows for access to potentially compromised resources without also providing a pathway to the larger network.
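As an added example of the segmentation described above (not code from the article or from Forescout), the following checks a batch of network flow records against a zone allow-list. Third parties get their own vendor zone and may only reach a single jump host over RDP; engineering stations may poll PLCs over Modbus; anything else crossing a zone boundary is a violation. The zone layout, the jump-host address, the allow-list and the flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone layout (assumption): one subnet per zone.
ZONES = {
    "plant-OT": ipaddress.ip_network("10.10.1.0/24"),
    "plant-IT": ipaddress.ip_network("10.10.2.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "vendor": ipaddress.ip_network("192.168.100.0/24"),
}
JUMP_HOST = ipaddress.ip_address("10.10.2.5")   # hypothetical bastion for third parties

# Allow-list of (source zone, destination zone, destination port). Traffic within a
# single zone is permitted implicitly; any cross-zone flow not listed is a violation.
POLICY = {
    ("vendor", "plant-IT", 3389),    # vendors reach the jump host, and only it, over RDP
    ("plant-IT", "plant-OT", 502),   # engineering stations poll PLCs over Modbus/TCP
    ("corporate", "plant-IT", 443),  # MES/ERP integration via an HTTPS API
}

# Constructed flow records: (source ip, destination ip, destination port).
FLOWS = [
    ("192.168.100.7", "10.10.2.5", 3389),   # vendor -> jump host: allowed
    ("192.168.100.7", "10.10.1.10", 502),   # vendor -> PLC directly: violation
    ("10.10.2.20", "10.10.1.10", 502),      # HMI -> PLC over Modbus: allowed
    ("10.10.2.20", "10.10.1.11", 3389),     # IT -> OT over RDP: violation
    ("10.20.5.5", "10.10.1.10", 445),       # corporate -> PLC over SMB: violation
    ("10.10.1.10", "10.10.1.11", 502),      # OT -> OT, same zone: allowed
    ("192.168.100.8", "10.10.2.20", 3389),  # vendor -> HMI, bypassing jump host: violation
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src, dst, port):
    """Decide whether one flow conforms to the segmentation policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return True                       # intra-zone traffic is not policed here
    if (src_zone, dst_zone, port) not in POLICY:
        return False
    # Extra constraint: third parties may only use the RDP rule towards the jump host,
    # so a vendor reaching any other plant-IT host over 3389 is still a violation.
    if src_zone == "vendor" and ipaddress.ip_address(dst) != JUMP_HOST:
        return False
    return True


def find_violations(flows):
    """Return (src, dst, port, src_zone, dst_zone) for every flow the policy rejects."""
    return [(s, d, p, zone_of(s), zone_of(d))
            for s, d, p in flows if not is_allowed(s, d, p)]


if __name__ == "__main__":
    for src, dst, port, sz, dz in find_violations(FLOWS):
        print(f"VIOLATION {sz} -> {dz}: {src} -> {dst}:{port}")
```

Run over real flow exports (NetFlow, firewall logs, a span-port capture), the same logic turns the segmentation design into a continuous detection: each violation is either a firewall rule that is looser than the design or a device that has moved into the wrong zone.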

Safeguarding for the future

While the term ‘disruptionware’ is new, the act is growing rapidly. As such, an increasing number of variant methods are appearing, piggybacking off the success that attacks like LockerGoga have previously had against manufacturing companies as well as other industries. This new category of cyber attack presents a threat far greater than many seen previously; the potential collapse of Industry 4.0 that could happen as a result of disabling facilities, breaking down automation and hampering productivity has the potential to do damage that far outweighs the price of a typical profit-driven attack.

When faced with the scale of these risks, manufacturers and suppliers must act swiftly to achieve the protection necessary to mitigate any and all potential attacks. With the number of attacks on factories and plants increasing, now is the time for action. It is important to note that, for now at least, these attacks are not laden with sophistication; however, once more robust adversaries evolve the code involved, or if nation-state sponsored threats mimic the attack vector with more complex malware, critical infrastructure firms may not be able to recover from the deluge of threats.
