Cyber Breach: It’s Not a Matter of If...It’s When
Although cybercrime and attacks are on the rise, more than half of OEMs have zero cybersecurity measures in place. Experts weigh in on how to protect your people, processes, assets, and reputation from cybercriminals.
For tips on managing cybersecurity during the COVID-19 pandemic where cyber attacks are rampant and companies are more susceptible, scroll down for an exclusive Q&A with PMMI's IT Director, Andy Lomasky.
Manufacturers aren’t safe from cyber attacks. In fact, they are increasingly being targeted by hackers who are after sensitive information and money.
Delkor Systems experienced these cybersecurity challenges firsthand in August 2017. The company encountered a couple of phishing attacks in which emails were received by its employees. Phishing emails are typically used to gather user credentials so hackers can gain access to employee accounts. The hackers then use these credentials to send emails to vendors and customers to gather more credentials. This was followed by an imposter fraud attempt, in which hackers inject themselves into the invoice payment process and request changes to the banking information that customers use to send payment. In both cases, Praveen Rokkam, chief information officer, had to send quick communications to all affected parties notifying them of potential security risks. Phishing attacks, along with imposter fraud, are a few of the many attacks plaguing manufacturers.
According to Techradar, more than three trillion phishing emails are sent per year, which is why it wasn’t surprising that this had happened to Delkor a few times after the initial attack. But Delkor isn’t alone. In fact, professional services firm Sikich found that more than half of manufacturers suffered a data breach or cyber attack involving computer systems or networks last year—11% reported the attack to be a major intrusion. Manufacturers are not only being invaded by hackers, but also by cyber criminals and other companies and nations trying to extract money and information, strategically disrupt business, or gain a competitive advantage, a recent case study from Deloitte states.
Since the attacks in 2017, Delkor has implemented numerous additional security measures and safety nets, including a multifactor authentication (MFA) feature within its Office 365 platform, an approach that only allows employees to access their Office 365 accounts (email, SharePoint, OneDrive, etc.) if they enter a code sent directly to their mobile device. The OEM has also enabled Advanced Threat Protection through Office 365; implemented a very secure firewall where MFA is required for employees to connect remotely via VPN; made KnowBe4 cybersecurity awareness training mandatory for all employees; and adopted cloud and SAN data storage solutions for its backup strategy and protection against potential ransomware attacks. Praveen says the OEM hasn’t experienced an attack since.
But unlike Delkor, more than half of manufacturers told Sikich they haven’t updated or even implemented cybersecurity measures, leaving many OEMs vulnerable to cybercrime.
Practical considerations for implementing and improving cybersecurity measures
OEM Magazine
Train your employees to be aware of cyber threats. One of the biggest threats to cybersecurity may be in your facility right now, and you might even be sitting next to them. That’s right: your colleagues could either be the greatest risk to your company’s security—if they are not properly trained and educated—or they can be your first line of defense against cyber attacks.
Andy Lomasky, PMMI’s IT director, hosted a panel discussion on cybersecurity for manufacturers during the association’s 2019 Annual Meeting in Cincinnati. One of the common themes discussed by machine builders during the panel was educating employees.
“I think that training component is so important,” Lomasky says. “From employee computers to machines, anytime you have devices connected to a network, they’re potentially at risk of being hacked. But you can mitigate those risks by having good security controls and by making sure that you’ve properly trained the workforce so that they aren’t easily opening up doors for hackers.”
Phishing emails are becoming more sophisticated and appear to be more genuine, says Elliot Forsyth, the vice president of the National Cyber Program at the Michigan Manufacturing Technology Center. Scammers are using phishing emails that look just like they came from a trusted source, coworker, customer, or vendor. This is why it’s critical to train your employees as well as make sure your employee practices minimize exposure risks to your business.
“For example, scammers are creating phishing emails that appear to be identical to business leaders, such as CEOs, COOs, etc. This often includes signature lines, near identical email addresses, pictures, etc. This is becoming a common approach for scammers which occurs in many companies, including mine. Our president had his email duplicated in terms of how it looks with his picture. A scammer sent an email to our CFO with a request to deposit a large amount of money into a specified account,” Forsyth says. “Our CFO had been trained to recognize such attempts, and prevented a potentially negative outcome.”
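The impersonation pattern Forsyth describes, a leader's name on a near-identical email address, can also be screened for automatically as a backstop to training. The following is an added example, not code from the article or from any organization named in it; the company domain, executive names, and sample headers are hypothetical.

```python
from email.utils import parseaddr

# Hypothetical values for illustration; replace with your own domain and leadership names.
TRUSTED_DOMAIN = "example-oem.com"
EXECUTIVES = {"jane doe", "john smith"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From header looks like executive impersonation."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == TRUSTED_DOMAIN:
        # Exact-domain spoofing is out of scope here; SPF, DKIM and DMARC cover it.
        return []
    reasons = []
    # Collapse whitespace and case so "John  Smith" still matches "john smith".
    if " ".join(display.lower().split()) in EXECUTIVES:
        reasons.append("executive display name on external address")
    if edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        reasons.append("lookalike of trusted domain")
    return reasons

# Constructed sample headers, not taken from any real message.
SAMPLES = [
    '"Jane Doe" <jane.doe@example-oem.com>',        # genuine internal sender
    '"Jane Doe" <jane.doe@exarnple-oem.com>',       # "rn" standing in for "m"
    '"John  Smith" <ceo.office@freemail.example>',  # right name, unrelated domain
    '"Parts Supplier" <sales@supplier.example>',    # ordinary external sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "ok")
```

A flagged message is a candidate for a warning banner or a hold for review, particularly when it asks for a payment or a change of bank details.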
Keep your cybersecurity suppliers and partners close. When a cyber attack occurs, things will move at the speed of light, and OEMs will need to have a plan to minimize the damage that could be caused. Lomasky recommends having a couple of partners—whether it be cybersecurity software providers or IT professionals—on call to assist and advise on next steps.
“If we were to have a breach, I want to make sure that I have—at minimum— a set of partners, consultants, or technology resources that I can go to,” Lomasky says. “Our managed services provider is a huge resource to me when I have a question or need to figure things out. We also have a relationship with an IT research vendor. If I had the need to go out and get a next generation firewall, we have a research membership with [IT consultant] Info-Tech where I could go to their service and download their research or talk to an analyst, and get their guidance so that I could make a wise purchasing decision. Those connections are invaluable.”
Have an effective backup system and plan in place. As an IT professional, Lomasky has seen many cyber tragedies, including companies losing all of their customer data, sensitive, proprietary information, contacts, and more in a matter of minutes.
“An employee who was on vacation in a foreign country got an alert that their email was being logged into at a new location. They thought nothing of it because they figured it was them, but really, it was a hacker who gained access to sensitive information in their email and managed to hack into their company’s server,” Lomasky says. “They completely disrupted and imploded it. Hackers will withhold company information for ransom, which is why you need to have the proper backup solution to be able to get your information restored.”
Lomasky advises OEMs to consider if they need to buy a server or use cloud technology to get the backup infrastructure they need. He also asks: “If you have a backup, have you tested it? Not to mention, managing risks, keeping information safe, and restoring data requires a lot of time and energy. Manufacturers need to make sure they have the right resources in place to be able to do that. I will say, if you have one IT guy on staff, that’s not really going to cut it when you’re talking about a major restoration effort. That’s why you need to have backups and a solid action plan that you can enact quickly if needed.”
Monitor and protect control systems. Let’s talk about the industrial control systems (ICS)—the brains of the manufacturing process—because these controllers aren’t safe from cybercrime. ICS includes a number of different control systems used to automate industrial processes, including Supervisory Control and Data Acquisition (SCADA), distributed control systems (DCS), and programmable logic controllers (PLCs). According to Steve Bjarnason, senior security advisor, Secureworks, a cybersecurity software and services company, the ICS is often not completely segmented from the business network, which makes it extremely vulnerable to external and internal cyberattacks.
One way control systems can become vulnerable is when operators or engineers set up their own Internet access to the ICS area. Usually, a company will design its network according to the Purdue Model of Control Hierarchy. This framework is used commonly by manufacturers, and the structure has become a model for “cyber safety.” A manufacturer will also put up firewalls and other devices to keep these systems protected.
“So, when someone sets up an unauthorized Internet connection from a third-party service provider, the system becomes completely exposed to hackers who might be scanning the Internet looking for a vulnerability like that,” Bjarnason says.
Removable media, such as a USB, can also serve as a gateway to cyber attacks on an ICS. OEMs may have trusted partners, contractors, or employees coming into their facility, or their customer’s facility, to collect data through a USB stick. “But manufacturers rarely ask where that USB came from,” Bjarnason says. “You have to wonder, is it infected? Could it affect the SCADA, PLCs, and maybe the safety system? These attack vectors become another avenue for malicious code to propagate or data to be exfiltrated. The ICS needs to be monitored on a regular basis. OEMs should have a monitoring system that is constantly scanning for malicious activities and detecting unauthorized changes to the environment.”
With adversaries remaining undetected for 111 days on average, it is critical that detection and response capabilities, such as Secureworks’ Red Cloak Threat Detection and Response (TDR) security software, and Managed Detection and Response (MDR) service are in place to ensure manufacturers rapidly recognize adversarial behaviors on their network and take prompt and appropriate response actions, preventing costly damage or even loss of life.
Leverage local resources. As the vice president of the National Cyber Program at the Michigan Manufacturing Technology Center, Forsyth recommends that manufacturers tap into local resources such as the Manufacturing Extension Partnership (MEP) centers, which are offered by the National Institute of Standards and Technology (NIST). MEP is a public-private partnership with centers in all 50 states and Puerto Rico dedicated to serving small and medium-sized manufacturers. Last year, MEP Centers interacted with 28,213 manufacturers, leading to $15.7 billion in sales, $1.5 billion in cost savings, and $4.5 billion in new client investments, and helping create or retain 114,650 jobs.
MEPs have helped OEMs with their cybersecurity initiatives and awareness through Michigan’s MEP center, and Forsyth says it can be a great resource for manufacturers looking to educate and empower themselves.
If this information is jarring to you, it should be. A cyber attack happens every 39 seconds, and your organization could be next. NIST has many resources for getting started with cybersecurity, and even has a cybersecurity framework that OEMs can use as a basis for their safety measures. For more information, visit: oemgo.to/nistcyber
How to Improve Cybersecurity Measures During the COVID-19 Pandemic
PMMI's Director of IT Andy Lomasky shares cybersecurity best practices that could save a manufacturer from experiencing a major cyber breach during this pandemic.
Why does the amount of cyber-attacks increase during difficult times like a pandemic?
During the current pandemic, it has been widely discussed that many companies will transition as much of their workforce to teleworking arrangements as possible in order to keep the workforce productive. With this fundamental shift in the way we all work comes changes to business processes as well, particularly financial ones such as how companies approve and pay bills, receive payments, process wire transfers, or even purchase things like gift cards, since we are now approving and carrying out many of these activities remotely.
What makes these attacks more successful and organizations more susceptible than when attacks occur during usual times?
As many business processes shift to being remotely executed, it opens the door for hackers to exploit gaps in these processes and take advantage of the lack of internal controls and structure that would normally be present but are suddenly absent.
For example, let’s say that a company previously required two signatures on every check in order to process it. With the shift to teleworking, those two employees may be remote, thus requiring a shift to electronic approvals and only one check signer. This is the perfect opportunity for an imposter to fake a payment approval or change of bank account, which the imposter can now take advantage of in order to redirect a payment to himself.
Hackers and scam artists only need to be right once in order to profit from a scam, and to them it is just a numbers game. They will take advantage of the chaos of the current situation and exploit new processes that haven’t been well-defined yet in order to make money wherever they can. That also includes more traditional cyberattacks like phishing, e-mail compromise, and malware. PMMI and its technology partners have all seen a rapid rise in phishing attempts in particular over the past few weeks.
What is some advice you have for manufacturers / PMMI Members that would be valuable to them and their cybersecurity measures during this pandemic?
Now more than ever, it’s even more important to practice good hygiene (both health and cybersecurity-wise!). Even though the shift to teleworking and keeping businesses running remotely is happening rapidly, don’t compromise on your level of internal controls or cybersecurity measures. Continue training your employees on good security practices and common threats/scams to look out for, and communicate them often, even if it sounds repetitive. The Harvard Business Review has some good security practices that everyone should pay attention to.
Now is the time to ensure your cybersecurity foundation is in place. I recommend every company do an audit of its fundamentals—make sure your password policies are secure and consistent. Make sure your firewall and any VPN connections in use are secure. Ensure any solutions you’re deploying to facilitate teleworking are properly secured and make use of multi-factor authentication as much as possible. Encourage your employees to make use of secure password management tools while working remotely and recommend that they change them to longer and more complex passwords to make them more difficult to break. And finally, work to increase the level of vigilance of every single employee using a computer—they are your front-line defense against phishing and other cyberattacks, and can be the first to stop an attack from ever happening.