A “firewall sandwich”, represents little more than speed bumps in the road to organized hackers. To safeguard spreading security perimeters manufacturers must monitor all activity on OT networks.
Over the last half-decade, cyber-attacks on industrial facilities have been escalating, both in terms of frequency and severity. In the face of determined threat actors using nation-state-level malware and techniques, tactics and procedures (TTPs), manufacturing industries on both sides of the Atlantic have so far been slow to develop effective defenses against the level of attacks being devised by highly-skilled state-sponsored hacker groups from countries such as Russia and China.
According to the UK’s Ministry of Defence (MoD), cyber-criminals using nation-state-level technologies and nation-states such as Russia and China covertly sponsor existing criminal hacker groups to target specific industrial installations have made the dividing line between cyber-crime and cyber-warfare wafer-thin.
“Cyber-space is already an active battleground, with state and non-state actors continuously searching for adversaries’ vulnerabilities, trying to obtain secret information, developing weapons and occasionally deploying them,” reports the MoD’s Global Strategic Trends program, adding that “cyber-attacks can be used to disable industrial facilities…”.
In 2014, manufactures in Europe and the US were made brutality aware of their growing cyber-vulnerability when hackers infiltrated the control system of a German steel mill. The hackers took almost total charge of the control system, manipulating it so effectively that they prevented the mill’s operators from shutting down a blast furnace, resulting in massive damage.
In May of 2017, attacks using WannaCry ransomware believed to have originally been developed by North Korea, crippled manufacturers in countries spanning several continents and brought many factories to a standstill. On March 18 of this year, a ransomware attack on Norwegian aluminum manufacturer, Norsk Hydro, cost the company US$ 52 million (£40 million).
Although the exact source of the Norsk Hydro breach is being debated, successive cyber-attacks on manufacturing facilities across the world reveal glaring weaknesses in the cyber defenses generally deployed by the manufacturing sector. Too many organizations see installing a firewall as a silver bullet for cyber-security at a time when their security perimeters have expanded well beyond the perimeters of existing firewalls.
The fourth industrial revolution, sometimes called ‘Industry 4.0’, is accelerating the already rapid process of digitization already taking place across the manufacturing sector. The current pace of digitization frequently dictates the use of third-party services and systems providing hackers with further ways to circumvent firewalls. The recent inclusion of previously stand-alone systems such as surveillance cameras and building management systems into the Internet of Things (IoT) also creates further vulnerabilities in manufacturing facilities and other “smart buildings”.
As those operating power facilities increasingly reach out to third-parties for new IT hardware and software and services, they open potential new doors for hackers. Any organization working closely with a manufacturing facility needs to be secured just as effectively as the systems running the power facility itself. Organized hacker groups become increasingly proficient at using poorly-secured third-party systems to infiltrate otherwise secure organizations with malware.
Firewalls on their own also do little to protect facilities against the greatest security flaw of all – human error. Software engineers working on tight deadlines, for instance, sometimes make configuration errors that can be identified and exploited by threat actors before they can be fixed. This kind of breach is tough to anticipate or detect as staff may try and cover up procedural mistakes.
Employees using email are vulnerable to increasingly sophisticated socially-engineered spear phishing attacks. After tracking the victim across social networks such as LinkedIn and Twitter, hackers assemble a detailed profile of the key employee or executive in order to execute a successful spear-phishing or whaling attack. Typically, the email appears to come from a trusted colleague and contains a link which, if opened, transmits malware designed to infiltrate the manufacturing facility’s control system.
With so many attack vectors to choose from and with access to state-level TTPs, hackers now see firewalls as purely temporary obstacles. The deployment of multiple firewalls called a “firewall sandwich”, represents little more than a series of speed bumps in the road to organized hackers.
The only effective way for manufacturers to safeguard their spreading security perimeters is to monitor all activity taking place across the facility’s operational technology (OT) network. Ideally, passive technologies should be used to monitor activities within the OT network without affecting their efficiency in any way. To achieve this, a passive platform must be capable of catering for the very high outputs generated by the increased digitalization of OT to ensure minimal numbers of false positives.
Manufacturing facilities must aim to create a virtual replica of their network traffic in order to identify indicators of a potential attack before it materializes. This should be followed up by a real-time response to the threat followed by a swift investigation of the incident to contain incoming attacks while safeguarding against future threats.
Contributed by Michael Yehoshua, vice-president global marketing, scadafence.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.