Cybersecurity threats pose a major risk to production targets
Ransomware against industrial entities increased by 500 percent from 2018 to 2020, a trend that is likely to continue into the future. External threats range from foreign nations to financially motivated cybercrime, and both look increasingly similar. Other threats may emerge as insider attacks: a careless employee may become an unforeseen source of risk, or a vulnerable software update may enter through the supply chain.
Security Risks
Removable Media as Attack Vector
Removable media is a significant concern because it can carry malicious hardware or firmware, malware in hidden partitions, and infected files. The risk is dramatically compounded because a USB drive bypasses other security layers such as secure web and email gateways: the drive can compromise the target machine directly and become the starting point for attack propagation within the organization. In fact, researchers at Ben-Gurion University in Israel documented over 20 methods in which a USB device can be used as an attack vector. None of these attacks involve malicious files; they exploit the device itself. To mitigate these risks, it is essential to create a physical barrier that prevents portable devices from being connected directly to endpoints.
The Danger of Transient Cyber Assets
Unlike removable media, transient cyber assets such as laptops and power system simulators are designed to perform managerial, monitoring, and diagnostic tasks on the ICS. These assets do not stay connected to the system for more than 30 days, but they are still significant threat vectors. They can be infected with malware before being deployed into an ICS, which can cause widespread infection. Worse yet, because transient cyber assets are not permanently based on site, malicious actors can steal them and make unwanted changes to the ICS. The Maroochy attack is a classic case that illustrates how much damage these assets can cause if they fall into the wrong hands.
Accidental Insider
The accidental insider includes IT and OT team members, engineers, and other personnel with direct access to OT environments and manufacturing systems. These individuals may inadvertently copy a malicious file onto a portable media device that is then transferred into an OT environment, or they might unintentionally copy confidential information while exporting data and analytics. These careless employees do not mean to be the source of an attack, and in fact they rarely know that they are, but this is one instance where ignorance is not bliss.
Malicious Insider
The actions of malicious insiders and accidental insiders can look the same, but their motivation is completely different. A malicious insider may knowingly introduce malware or vulnerable software updates, or may intentionally steal trade secrets. They are motivated by financial incentives or a personal vendetta, or they may have been recruited by foreign nation-states, making them similar to cyberespionage agents.
Data Loss and Theft
Few things are more important to your company than the proprietary technologies, formulas, and patents in your manufacturing process. Data Loss Prevention (DLP) must be a key pillar of your cybersecurity program to protect your data and processes. Industrial espionage is a real and pervasive threat that requires mitigation through DLP techniques, and this threat vector includes contractors as well as company insiders. Company SCADA recipes, client information, employee private information, network diagrams, and similar data can be exfiltrated through many vectors, including embedding information in images or carrying it out of facilities in the clear as raw files on portable media. Exfiltration can also happen unintentionally, for example via exports of support or log files.
Supply Chain Vulnerabilities: Third-Party Risk
The SolarWinds compromise is a recent reminder that software vulnerabilities can emerge through the supply chain. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) frequently publishes advisories for ICS vulnerabilities. Just like any other technology, these systems need to be updated as vulnerabilities are identified and patched, but it is also important to make sure that new software updates are not vulnerable themselves. Ultimately, these patches are most often applied directly by a removable media device, which is an additional source of risk.
Supply Chain Vulnerabilities: Country-of-Origin Risk
Another third-party risk to the supply chain comes from devices made in countries with ties to malicious actors. Such devices might contain intentionally planted vulnerabilities that can be exploited once an attack begins. Patches must be installed on these devices before they are deployed in order to eliminate hidden vulnerabilities.
This is an excerpt from the “Secure Manufacturing Processed from External Media Threats” white paper.