Industrial sector increasingly often victim of ransomware
The industrial sector will benefit significantly from further digitalization. Data must be easy to share to enable smart decision-making, and processes must be automated to achieve efficiency gains. Amid all this digital activity, it is essential not to leave any back (or front) doors open for ransomware attacks. Industrial innovation must therefore go hand-in-hand with suitable security measures.
Digitalization and data-driven working
The prominent place that digitalization has taken is a logical development in the industrial sector. Digitalization is the starting point if you want to benefit from technologies such as robotization and Artificial Intelligence. Data-driven working is also making its entrance: decisions based on experience or gut feeling are making way for decisions based on data. This is partially enabled by the fact that more objects in the manufacturing environment are being equipped with sensors, which provide valuable data. As a result, maintenance can be planned efficiently and downtime can be prevented, for example. The rest of the logistics chain, such as the transport of goods and procurement of raw materials, also benefits from reliable data. But with advancing digitalization and the increasing number of devices, corporate IT and Industrial Control System (ICS) environments are becoming more and more intertwined. This increases not only the vulnerability of the technological infrastructure, but also the cost of repairing the damage of a cyber attack.
Investments in innovation and digitalization therefore cannot be considered separately from increasing vulnerabilities in the context of cybersecurity. Every device and every machine that is equipped with, for instance, a sensor, a chip, or a Wi-Fi receiver could be a target. This also means that every device must be supplied with the newest updates and patches. Similarly, the network connections will have to be monitored and protected just as well. After all, the industrial sector remains an important target for cyber attackers.
Verizon analysts, who investigate tens of thousands of incidents and data breaches every year, are seeing that industrial companies in particular are being hit by system intrusion. That is to say, a number of attack techniques are combined to reach the core of an organization. That could be through the office environment, but also through operational systems such as machinery with cameras, robots, and production lines. Increasingly often, IoT devices and PLCs (Programmable Logic Controllers), among others, are attacked as a means of gaining access to an organization. Within the industrial sector, that mainly applies to the Industrial Control Systems (ICS), which control production. A simple search query on a website like Shodan shows that various ICS systems are directly connected to the Internet. If such a system can be exploited, it can be a breeze to access the rest of the network and, for example, perform a ransomware attack.
Malware written specifically for ICS systems, such as Industroyer and Industroyer2, already exists. Considering that encrypting an ICS means that production can be shut down entirely, it is conceivable that you, as an organization, will comply if a ransom is demanded in exchange for decryption of the systems. Factors at play in such a case are, for example: do I have recent backups, are they reliable, and can they be restored? How long can I endure this without going bankrupt? In a number of cases, there will be no other option but to give in to the demands and pay the criminals in order to continue production.
Looking at the background of cybercriminals, we can see that they are mainly criminal groups and state actors out for businesses’ crown jewels: business plans, R&D information, intellectual property, or personal information. Now that you know where the danger is coming from and which methods cyber attackers use, it is a logical step to take a number of basic measures to prepare for a possible cyber incident. The first step is to create an overview of your most important assets. What information is key for the primary process, which systems do you need for that, and which machines really cannot be shut down? Then consider the measures you have already taken to keep cybercriminals out and what measures you would need to optimize your digital resilience. This allows you to create a kind of heatmap, which shows where to focus your efforts.
The main call to the industrial sector is clear: identify your vulnerabilities and act on them. For example, think about setting up or purchasing a (managed) Security Operations Center (SOC), with which you can monitor and respond to incidents 24/7. In industrial environments, a Network Detection and Response (NDR) solution might be a more obvious choice than an Endpoint Detection and Response (EDR) solution, because you cannot intervene on the devices and machines themselves. In addition, it is important to secure all forms of access to the (industrial) infrastructure in multiple ways. One example is multi-factor authentication, which might sound trivial, but is not implemented correctly in all cases.
Security in the supply chain
For the industrial sector specifically, it is important to also pay attention to supply chain partners’ efforts with regard to cybersecurity. New legislation, such as the European security directive NIS 2, will be embedded into Dutch legislation sometime in 2023. Not only will this directive apply to many more companies, but it also expressly states that you are expected to monitor supply chain partners’ security measures. This is not an unnecessary luxury, as the number of supply chain attacks is rapidly increasing worldwide. This should be a point of attention for industrial companies.
A big advantage of the industrial sector is that it is well-organized and actively shares cyber intelligence and threat analyses among its members and with the government. This is a good start toward a solid defense. It does not change the fact, however, that every organization can already take steps right now to improve its cybersecurity and reduce its chances of falling victim to ransomware (and other forms of digital attacks).