A Vision for the Future of Industrial Cybersecurity
Manufacturing: A Unique Threat Environment
Manufacturing organizations are getting smarter when it comes to cybersecurity. Unfortunately, so are the cybercriminals who target these organizations. Unlike industries such as retail and healthcare where hackers seek to monetize stolen data to sell on the black market, manufacturing sees more threats centered on cyber espionage and cyber terrorism. The intellectual property (IP) and data that underpin the manufacturing ecosystem are the main prizes cyber attackers are after.
According to the Global Threat Intelligence Report, manufacturing experienced a 300 percent increase in worldwide attacks in 2021. What are your processes for monitoring for risks? What happens if you have an incident?
The Challenges
The unique environment of manufacturing creates three main cybersecurity challenges:
• Extended Perimeter
• Safety
• Uptime
Protecting Interconnected IT and Manufacturing Infrastructure
Manufacturers operate with a level of trust between their manufacturing networks and their IT systems, creating a possible entry point for hackers seeking intellectual property like patents, proprietary processes, and even costing and pricing for complex bids.
Securing Legacy Equipment
Aging industrial control equipment was not designed with security in mind, and numerous gaps exist for hackers to exploit. Cyberattacks against industrial control systems (ICS) have increased in frequency and intensity as threat actors use evasive and persistent tactics to avoid detection.
65% of firms focusing on manufacturing, oil and gas, utilities and mining see cybersecurity as their highest priority for proper governance. How does this compare to your priorities?
Deloitte’s 2022 Manufacturing Industry Outlook
Uptime
Maintaining Equipment Uptime
Factories often run 24x7 with around-the-clock production to optimize equipment and meet aggressive deadlines. Unlike IT systems that can be taken offline or patched at night, updating legacy manufacturing systems to remove common threats and vulnerabilities is a challenge.
The impact of downtime is significant. Unplanned downtime costs manufacturers, on average, $148 a second – almost $9,000 a minute. If you have unplanned downtime, how much would you lose?
Senseye’s The True Cost of Downtime Study, 2021
Extended Perimeter
Expanding Attack Surface
The extended perimeter in manufacturing includes devices within the four walls of a facility along with interconnections to third parties in the supply chain. Manufacturers increasingly use data to make better decisions and enhance the speed of delivery, enabling organizations to take advantage of last-minute orders or changes in demand. With multiple locations and components arriving from various places, the perimeter is ever-increasing.
Threats and threat actors are continuously evolving, pushing manufacturers to proactively prevent, detect, and respond to cyberattacks. Security analysts have the daunting task of staying abreast of this ever-shifting threat landscape. How do you utilize threat intelligence to guide decisions and fortify your environment?
The Threats
For manufacturers to understand their risk, they first must understand the five main threats they face.
• Ransomware
• Business Email Compromise
• Targeted Attacks
• Resource Exhaustion Attacks
• Worms
Ransomware
Cyber criminals have realized intellectual property in manufacturing is an attractive target, with the added effect that IP theft can also create a media stir and get more scrutiny.
An Evolving Cybercriminal Ecosystem
The sheer volume of ransomware attacks is being fueled by an ecosystem financed by ransomware successes. This ecosystem includes ransomware developers selling their capabilities on an as-a-service basis, affiliates that specialize in operationalizing RaaS offerings, and facilitators that specialize in gaining access to target environments.
Don’t Make Yourself an Easy Target
Ransomware defense should be about making the environment tough enough to not be worth the trouble.
Prepare a Ransomware Response
Ransomware response is about prevention and detection. Both are needed because prevention may not be completely effective every time. If an attack does get through, you need to have the ability to speed detection to mitigate before it can fully execute.
Manufacturing has seen a marked rise in ransomware-related breaches. 82% of the threat actors are external. How are you equipped to defend, detect and respond?
Verizon Data Breach Investigations Report, 2021
Business Email Compromise
One of the most harmful cybercrimes facing manufacturing is Business Email Compromise (BEC). The Secureworks report, “State of the Threat: A Year in Review,” found that BEC remains a significant threat and that the “flourishing landscape of loaders and downloaders continues to service the demand of malware-based network access for all types of adversary groups.”
Address Each BEC Case by Case
Every BEC must be addressed in the context of the specific attacker’s intent at that particular time and place. In many cases it is part of a multi-stage attack. A BEC can be narrowly focused on getting someone to authorize a payment to the attacker’s bank account. However, BECs can also follow a preceding breach that enabled the attacker to hijack a legitimate user’s email account. Attackers can also use socially engineered BECs to launch an attack by introducing malware into a victim’s environment, allowing them to then attempt much broader infiltration.
The FBI says that BEC is the #1 costliest cyberattack in the U.S., accounting for nearly $2.4 billion in losses. How are you sure you are not falling prey to the evolving schemes of fraudsters?
FBI 2021 Internet Crime Report
Targeted Attacks
More sophisticated malware attacks have been deployed on systems comprising critical infrastructure in order to compromise the system and reduce access in cases of cyberattack and “hacktivism.”
Nation-State Threats
Many threat actors, who want IP such as patent data, may also be from developing countries. Stealing IP can help them improve their manufacturing processes without investing substantial funds in R&D or winning bids and manufacturing sales proposals fairly.
According to the National Association of Manufacturers, manufacturers drive more innovation than any other sector. How are you making sure your competitive differentiation remains yours?
National Association of Manufacturers
Worms
Worms exploit vulnerabilities in operating systems. Inadvertent release of worms in a manufacturing environment can have a significant impact. For instance, WannaCry in 2017 spread more effectively than its creators intended. As a result, it hit a number of manufacturing environments. Outbreaks of this worm are still seen every few months in manufacturing companies due to old systems that cannot be patched.
Legacy Systems Can Pose Big Risks
Manufacturing environments are susceptible to worms because of out-of-date patching. Industrial control equipment can be an aging patchwork of vendors and equipment, none of it designed with security monitoring and management as a primary focus. Unpatched vulnerabilities are a great threat to a manufacturing organization’s security.
Some worms are intended as cyber warfare between nations but end up impacting other organizations. NotPetya was a Russian cyberattack against Ukraine, but because of the way it spread, it impacted manufacturing environments worldwide. How are you making sure your competitive differentiation remains yours?
Resource Exhaustion Attacks
Resource exhaustion attacks are used to exploit a design deficiency in a software program and overwhelm a network.
The New Threat of Cryptojacking
Examples of this include cryptocurrency mining and denial of service attacks: things that consume resources and can potentially take systems offline. This primarily impacts the IT environment. One recent trend is cryptocurrency mining released into cloud infrastructure. If a criminal can scrape API keys or tokens from public-facing repositories, they are able to use those to access development environments and spin up VMs. They then use those VMs to mine cryptocurrency and use the resources of the manufacturing company’s environment. Beyond taking systems offline, this can run up an enormous bill for the company.
According to Interpol, “The primary impact of cryptojacking is performance-related, though it can also increase costs for the individuals and businesses affected because coin mining uses high levels of electricity and computing power.” How prepared are you to detect activities such as cryptojacking that, in addition to taking systems offline, can run up an enormous bill?
Not Enough People for the Battle
According to the (ISC)² Cybersecurity Workforce Study, nearly one-third of respondents said that it’s been challenging to respond to cybersecurity incidents due to lack of skills within their team. Manufacturing is already struggling with a shortage of skilled workers. The consequences of the skills gap include misconfigured systems, not enough time for risk assessment, and slowly patched critical systems.
By 2030, it is expected that there will be a shortage of 2.1 million* skilled jobs in manufacturing. Research by (ISC)² suggests the global cybersecurity workforce needs to grow 65%** to effectively defend organizations’ critical assets. How is the lack of skilled candidates for jobs impacting your operations?
* Deloitte’s 2022 Manufacturing Industry Outlook ** 2021 Cybersecurity Workforce Study
Control Coverage
The factory of the future utilizes “always on” data such as inventory and production parameters that require access to shop-floor systems and supply-chain partners. This merging of physical and digital ecosystems creates new optimization benefits and opportunities — as well as risks.
Avoid Siloed Security Decisions
Manufacturers are often dealing with IT and operational technology (OT) professionals making separate security decisions. However, cybersecurity issues cannot be solved in isolation.
IT Protection is OT Protection
While manufacturers are concerned about protecting their operational technology (OT), our experience in defending, detecting, and remediating threats in industrial environments has shown us that most OT threats start in the IT environment. The right first step is to mature IT security to best defend operations. The Purdue Model for Control Hierarchy describes six levels of critical infrastructure in a production environment and how to secure them. The Enterprise Zone is the prime place for the bad actors to try to gain entry. For this reason, hardening the border between the company network and the OT network is critical.
Purdue Model for Control Hierarchy Framework
Top Actions You Can Take
The complexity of network environments, compounded by the increasing number of vulnerabilities, dramatically increases the chance of being breached. The only question is how soon — and how badly. Here are the top actions you can take to address risk.
• Security tests to identify control gaps – Make sure you understand your cloud security control framework to avoid leaving gaps that a threat actor can exploit.
• Multi-factor authentication – Implement multi-factor authentication (MFA) to protect against attacks that exploit remote access solutions requiring only a username and password.
• Patches for internet-facing systems – Address what is perhaps your greatest single threat to security: unpatched vulnerabilities.
• Endpoint detection – Improve situational awareness by detecting signs of endpoint compromise.
• Privileged account management – Audit admin accounts as frequently as possible to ensure they map to an actual network admin who still has a valid need for privileges.
• Due diligence – Assess the security of third-party providers, acquisitions, etc.
• OT understanding and monitoring – Remove unnecessary interfaces, conduct passive log collection, and separate roles.
How We Have Helped Others
The Situation
A manufacturer operating in three countries with 10,000 employees wanted to transition customers from a traditional transactional relationship to a maintenance, repair, and operations (MRO) as-a-service partnership approach in which they provide a trusted, cost-effective, technical solution built upon hands-on experience, knowledge, and technology.
The Challenges
Because they were formed through acquisitions, there were special challenges to overcome — unifying discrete systems under one security program and covering six sites across multiple countries while addressing geographic risks. With security vulnerabilities on multiple fronts, company leadership understood the risks they faced. A single cyberattack could cost the company millions in lost revenue and business opportunity — not to mention reputational brand damage.
The Solution
With Secureworks, the company quickly ramped up a muscular security program with round-the-clock threat tracking and protection. Now, the enterprise has time to develop a top-notch internal team to work with their Secureworks partner. They were able to quickly establish protection from ransomware, breaches, and cyberattacks. Here is what the company’s IT Risk and Compliance Manager said that protection is worth to the company:
• Estimated savings of $6 million annually by protecting the company from ransomware attacks.
• Estimated savings of $1.8 million per year by protecting company from breaches.
• Protecting ~$2 million per week in profits by preventing cyberattacks that could take down 75 production lines for multiple weeks.
• Estimated savings of at least $500,000 per year through eliminating the need for the recruitment, training, and retention of six additional employees.
Our Approach
The Secureworks Taegis™ XDR platform helps manufacturers address the challenges of evolving threats, creating a vision for the future of industrial cybersecurity:
• A solution that’s purpose-built for extended threat detection and response. Secureworks Taegis XDR is built from the ground up by security experts for security experts. It isn’t a repurposed SIEM or EDR platform. It has been developed from experience detecting threats and building technology to assist.
• Broad and deep threat detection. Taegis combines machine learning, 20+ years of cumulative human intelligence, and active threat intelligence based on real-time incidents and threat actors who are continuously monitored.
• Real-time detections. Secureworks supports 1,400 Incident Response engagements per year, performs thousands of adversary tests, monitors hundreds of threat groups, and manages cybersecurity solutions for thousands of customers. All of this experience is built into the Taegis platform.
• Proven expertise. Secureworks has been recognized as a leader by Gartner, Forrester, IDC, and other leading analyst firms.
• Built for collaboration. You won’t be alone in the fight. The Taegis XDR platform includes integrated expert chat, so you are never more than 60 seconds away from an expert response.
Learn more about Secureworks and how the Taegis platform can help your manufacturing organization remain more secure and maximize operational efficiency and existing investments.