Cybercriminals Increasingly Target Manufacturing, IP

Recent attacks targeting intellectual property (IP) and critical infrastructure are raising the security stakes for manufacturing organizations, as the industry records one of the highest attack rates of any sector since the onset of COVID-19.

One in five manufacturing companies in the U.S. and UK have been victims of a cyberattack in the last 12 months, according to a report released by Morphisec.

The 2021 Manufacturing Cybersecurity Threat Index study found 57% of the 567 manufacturing employees surveyed are more worried today than they were a year ago about their organization being targeted by cybercriminals seeking to gain IP.

When it came to attempted attacks targeting servers, Morphisec found manufacturers experienced the most attempted exploits focused on initial access, while ransomware was also heavily used by attackers targeting servers within manufacturing organizations.

Long Road to Recovery

The report also found that in most cases, organizations that were hit by a cyberattack needed up to a week to recover, and one-fifth of incidents needed two weeks.

“This is hugely concerning given the influence that the manufacturing industry has on American and British economies—especially since both countries are still recovering from the pandemic,” said Daniel Petrillo, director of security strategy and products at Morphisec.

He said manufacturing organizations need to conduct basic security hygiene, rather than relying on endpoint protection solutions alone to protect themselves, and noted that training people on security awareness, leveraging native controls and practicing the principles of least privilege can go a long way toward limiting a manufacturing company’s overall cybersecurity risk.

“Beyond that, ensuring that zero-trust is fully implemented in their architecture, from the access management level to the network level and beyond, can be hugely beneficial when it comes to limiting risk,” Petrillo said.

Setu Kulkarni, vice president of strategy at application security provider WhiteHat Security, noted that although manufacturing was traditionally never internet-connected as an industry, with rapid advancements in operational technology (OT), more and more legacy systems and software now need to be internet-enabled for remote monitoring, at least, if not remote operations.

“The lift and shift of applications that were never meant to be internet-facing to become internet enabled has likely resulted in this high risk,” he said. “The other factor we have seen is that, in manufacturing, supply chains are now increasingly software driven, which means business partners are now having to open up otherwise internal applications to integrate with supply chain partners. This means existing vulnerabilities that were previously unexploitable now become publicly exploitable.”

Reducing the Risk of a Breach

In order to mitigate these threats, Kulkarni said, manufacturers must reduce the risk of being breached in production.

That means organizations must take inventory of public-facing apps, scan them continuously in production and take a risk-based approach to fixing in-production issues.

Oliver Tavakoli, CTO at AI cybersecurity company Vectra, pointed out that manufacturing companies often are limited in how often they can patch the underlying software in their networks; general-purpose software which is embedded inside manufacturing equipment cannot be modified without the support of the vendor which produced the equipment.

Additionally, manufacturing is often physically distributed and most of the operational teams are focused on limiting downtime due to equipment failure rather than a cyberattack.

“So, they may view enabling access for remote diagnostics across the internet as something which improves their system reliability, right up to the point where an attacker gains access through such a mechanism,” he said.

From Tavakoli’s perspective, endpoint security (in the form of endpoint detection and response) and remote access (in the form of zero-trust network access) are two aspects of an overall security strategy which have undergone a fair bit of change as a result of the pandemic.

“However, these are by no means the only attack vectors being leveraged by attackers, and most manufacturing systems make no provision for an EDR agent,” he said. “Visibility and constant vigilance related to the network environment surrounding those systems, in the form of network detection and response, is part of the table stakes which have emerged as we near the end of the pandemic.”

Hank Schless, senior manager of security solutions at Lookout, a provider of mobile phishing solutions, noted threat actors targeting the supply chain want to steal IP and disrupt operations.

“IP theft is principally executed by gaining access to the corporate infrastructure through mobile phishing and exfiltrating the data to a remote server outside your organization,” he explained.

Operational disruption can then take place in several ways. Primarily, it could be done using the same credential phishing process as IP theft, but there’s also the possibility of introducing malware, such as surveillanceware or ransomware, into the infrastructure.

“With access to research data, orders, manufacturing plans and delivery routes, a threat actor could find many ways to disrupt operational efficiency,” he said. “They could also leverage this data to bring your entire internal system to a halt and demand payment.”

Morphisec’s Petrillo noted the impact of the pandemic on the threat landscape for manufacturers has been dramatic.

“The crisis has been a catalyst for state-sponsored organizations to essentially hit the world’s biggest economies while they’re already down,” he said.

The manufacturing industry—with its valuable IP and critical infrastructure—has been a highly popular avenue for threat actors to do this, and the fact that the manufacturing industry has (at least somewhat) gone remote over the past year has only aided these cybercriminals.

“As these companies continue to shift between hybrid work environments, they must treat the endpoint as the last true perimeter with automatic protection that stops ransomware, infostealers and other advanced attacks before the breach,” Petrillo said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
