By Stephanie Neil on Jul 9, 2018
What Lies Beneath a Cyber Breach
All across the U.S., manufacturers are silently struggling with an invisible force that threatens the livelihood of their businesses. This dark entity slips into an organization—often undetected—to steal passwords and intellectual property. Sometimes it demands money in exchange for unlocking enterprise servers. Sometimes it maliciously shuts down industrial machines in an attempt to cause physical harm, like an explosion. Other times, it’s not interested in the immediate prey, but has its sights set on a bigger victim, and therefore uses a company as a gateway into their partner networks.
It is the hackers of the world that are wreaking havoc on unsuspecting organizations. And it is not just large multinational manufacturers that are targets, but everyone in the supply chain, including OEMs.
Bad words like “Stuxnet,” “Triton,” “WannaCry,” and “NotPetya” have been headline news over the last few years, indicating that we’ve entered the era of cyberwarfare, and data is the weapon. In this new threat landscape, we’ve seen nation states, criminal gangs and “hacktivists” navigate cyber channels to manipulate enterprise databases, critical infrastructure and industrial control environments. And it’s difficult to stop, despite the decades of IT experience a company—or government—may have.
“Security in a digital world is still so hard,” says General Michael Hayden, a retired U.S. Air Force four-star general and the former Director of the National Security Agency (NSA) and the Central Intelligence Agency (CIA). Hayden was addressing attendees in the oil and gas industry during a keynote presentation at the 2018 PAS OptICS security conference earlier this year. But cybersecurity impacts every segment of the manufacturing industry. “We have a lot of bright people working on this problem, but the faster we go, the more behind we get. We don’t seem to be getting ahead of it.”
In order to protect our country and our companies, General Hayden says government and corporate America have to work together, and that means taking personal responsibility for protecting your business. It starts, he says, just like any other military exercise, by mitigating risk.
Hayden, who once held the role of the Commander of the Air Intelligence Agency and Director of the Joint Command and Control Warfare Center, applies a classic risk equation from combat planning: Risk = threat x vulnerability x consequence.
First, you identify the most likely threats to the organization. Then, you assess your vulnerability and do your best to defend the perimeter—don’t let the bad guys in. But they are getting in, he says, so you have to manage the consequences. “Now it is all about the time between penetration and discovery,” he says.
But the ability to discover a bad actor after a break-in is the hard part. That’s why many manufacturers are oblivious to the fact that they’ve already been hacked.
According to Rebecca Taylor, senior vice president, strategic partnerships for the National Center for Manufacturing Sciences, 47 percent of manufacturers they polled said they weren’t experiencing any cybersecurity attacks. But that number is inaccurate, she says. In fact, most manufacturers don’t know they’ve had a security breach, or, they keep it a secret.
Learn the factors behind Taylor’s reasoning and get the latest on cybersecurity threats in manufacturing by visiting: oemgo.to/cyber
“Depending on the nature of an incident, reporting requirements for manufacturers vary but can be far less stringent than some other industries,” adds Brendan Rooney, director at The Crypsis Group, a digital forensics and incident response firm, noting that, despite handling just under 500 incidents that required forensics in the past year, these events are often not made public. The top three intrusions include ransomware, phishing and IP theft. But you don’t hear about it. “There are a lot of reasons you don’t see mid-market manufacturers popping up in the news or admitting to a compromise,” he says, “mostly, because they would incur a significant level of reputational harm.”
Many times, the investigation shows that these cybersecurity incidents could have easily been prevented. The problem is, most machine builders don’t take it seriously, simply because they don’t think they are a target. Maybe not, but what’s not talked about is the ulterior motives of the perpetrator. Once in, “a threat actor has access to all of the lines of communication that you have with your customers,” Rooney says. “Threat actors are opportunists.”
Hackers get in through open ports or they gain access to user credentials or software programs with known vulnerabilities. So, most often, the best first line of defense—like General Hayden says—is to understand and identify the threat. For that, you may need a team of external experts.
How to hijack the hackers
Rooney and the Crypsis team are called in after a cyber incident. It often starts with a call from an attorney who has determined that an investigation is required. Crypsis runs proprietary programs and deploys their team of expert consultants to see how a hacker gained access to the network and where the IP address originated. They also determine how long the hacker retained access to the system and what information they had access to. That report is passed back to the attorney to work on remediation of the issues to stop a future attack.
“Once we have the findings we determine what the disclosure obligations are and we work with law enforcement to assist in the investigation process and any public relations or disclosure concerns,” says Jennifer Coughlin, a partner at the law firm of Mullen Coughlin, which specializes in data privacy and cybersecurity.
Having a response plan in the event of a security breach is essential, Coughlin says. But knowing what the vulnerabilities are before something happens is a better option. For example, Crypsis also has a suite of “pre-breach” risk management capabilities in which they have the ability, in a contained environment, to actively exploit a client’s network to gain a foothold and then move laterally throughout the organization to identify areas that are vulnerable to compromise. “This can be very eye-opening in the sense that you don’t know what you don’t know,” Rooney says.
Once that is conducted, an attorney can counsel the OEM to understand what the vulnerabilities are and what obligations they have in terms of notifying partners if something happens.
As for managing the consequences: “Get cybersecurity insurance,” Coughlin says. “It is something many organizations don’t appreciate, but you can shift this risk.”
Cybersecurity coverage. Are you sure you’re insured?
Many manufacturers carry general business insurance, but one size does not fit all, and, cybersecurity adds a new dimension that requires its own kind of coverage.
AHT Insurance specializes in providing insurance coverage for many industries, manufacturing included. Recently the company added cyber liability insurance to its offerings. Together with attorneys and cybersecurity firms, AHT can create customized insurance packages for manufacturers and machine builders alike. And, again, it all starts with risk management—understanding the exposures and working with insurance carriers to create an effective program that may include business best practices, enhanced product safety and a safe working environment.
“From an insurance standpoint, when you pay premiums, part of the premium should always include some level of risk reduction,” says George Forrester, a principal at AHT Insurance.
In an effort to understand risk reduction, Forrester and team studied the ANSI/PMMI B155.1-2016 safety standard for packaging and processing machinery. “Statistics show that more than 80 percent of industrial accidents on machinery were operator error, not a defect in manufacturing or design. We now make risk assessment a centerpiece of our product safety program to get the manufacturer to proactively demonstrate, when an incident occurs, the safety, design and manufacturing processes, which makes them more defensible,” he says.
About 18 months ago, when industrial cyber incidents were on the rise, AHT recognized that cybersecurity threats are not only about hackers stealing credit card or personal information, but also represent a safety threat for manufacturers. From an OEM standpoint, the main areas of interest are remote access and risk assessment.
“As a result of remote access you can have a product liability loss,” Forrester says. Through remote access, you could unintentionally lock up equipment and cause downtime as a result of a security breach. For that reason, machine builders should understand the difference between first and third party insurance coverages. “First party is direct damage to your own property or business as a result of a cyber [incident]. And liability to a third party is the result of what you are doing, perhaps with remote access.”
Many manufacturers are now putting clauses into contracts that make the OEM responsible for consequential loss and requiring them to have professional liability insurance. Soon, manufacturers may be demanding their machine builders carry cybersecurity insurance, too.
AHT addresses the many faces of cybersecurity threats, which include business interruption, loss of income, as well the potential for a product recall. Forrester’s mission is to educate his manufacturing clients on the legal requirements associated with a breach and the protection insurance can provide the company.
Forrester echoes Rooney and Coughlin in stressing that an upfront breach assessment is an important first step, and worth the investment. “Way too many companies are still not putting enough effort into the assessment exercise,” Forrester says. “They are waiting, not on purpose, but they are going down the road—until a breach hits, and then the cost is exorbitant.”
Having cybersecurity insurance transfers the risk to a third party—the insurance carrier—which is increasingly important in a digital world.
Learn more about the B155.1-2016 Safety Requirements for Packaging and Processing Machinery standard: oemgo.to/cyberstandards
Addressing remote access and network risk
To help manufacturers and OEMs prepare for the inevitable move to remote services for predictive maintenance on equipment at a customer site, The OpX Leadership Network is getting ready to release a remote equipment access selection guide to provide a baseline of connectivity options.
“The guide is there to help end users select the type of connection paradigm they can use to allow OEMs to connect into the machine that is on their factory floor,” says Bryan Griffen, PMMI’s director of Industry Services.
The OpX selection guide offers six different options, from a simple modem they dial into up to a remotely managed secure switch that is managed by a third party. The guide also provides the general cost, complexity and security levels, but it is not meant to be a technical tutorial, Griffen says. “It is for the end users so that they can figure out how to let OEMs into their factory systems without the OEM having to be present at the factory to do any troubleshooting.”
Check the OpX Leadership Network page for updates: oemgo.to/opxln
While the guide is geared toward the manufacturing customers, it does have significance for OEMs, as they will need to understand the six different methodologies outlined and how to work with end users to ensure everything is properly connected. “It could mean OEMs will need IT experts on their teams who can deal with cybersecurity as well as the Industrial Internet of Things and Big Data,” Griffen says.
Griffen says the OpX remote equipment access selection guide is meant to be a starting point for a bigger conversation and does not act as a technical document for setting up secure networks. But, it—much like the more general risk management guidelines from the National Institute of Standards and Technology (NIST)—should serve as a wake-up call for OEMs to start thinking through how their machines and their companies fit into the connectivity and cybersecurity conversation. OEMs often view their machines as islands of automation, but as soon as a machine plugs into something else, it becomes a conduit, just like a printer—which is now a popular way to hack into networks. “No one ever thought they would have to protect a printer, but it sits on the network and becomes a back door into the facility,” Griffen says.
Another underestimated area of entry for bad actors is robot arms, which are often added to machines to enhance automation. But these robotic parts are not designed to be inherently protected from threats, says Nikolai Vargas, CTO of Switchfast Technologies, a Chicago-based IT managed service provider, which serves as the IT department for small and medium-sized businesses that don’t have their own internal team. “The disconnect between legacy equipment and modern technology has created a security gap in many manufacturing facilities,” he says. “Since robotic arms aren’t compatible with firewalls, cyber attacks have evolved to target these weaknesses, effectively making any facility a highly enticing payday for criminals.”
Vargas says that Switchfast clients are provided with a core set of security best practices, with the overarching theme being “defense-in-depth,” a multi-layered approach that includes firewalls, anti-virus software and adding data encryption on the network for the systems that need to “talk” to each other. Part of the strategy is to create segmentation across the network to “shrink the attack surface so that it is easier to identify what is going on in each segment,” he says.
OEMs, while only responsible for the security of their own machines, need to understand how the equipment will be used at the end users’ facilities. If a machine is on a network and communicating with other systems, the OEM has a responsibility to ensure their machine is protected—or does not act as a conduit in a cyber breach.
“I would hope machine builders understand we live in a connected world and the fact that their machines are in connected factories means that they better think of connectivity, cybersecurity and protecting their equipment,” Griffen says.
Spencer Cramer, CEO of ei3 Corp., who contributed to the PMMI remote equipment access guide, echoes Griffen’s viewpoint, noting that many companies think they are protected by “top-secret” passwords. But there are many other avenues onto the factory floor, such as a technician visiting with a laptop that has malware on it. Once it’s connected to the machine, it too can become infected.
The ei3 technology, which includes Software-as-a-Service (SaaS) devices and networking products, provides a secure framework for machine builders to connect to their own machines that sit behind the manufacturer’s firewall. This managed secure network uses micro segmentation to build a ring around every machine, enabling managed secure access to equipment. It allows, for example, the technician to connect directly to a secure private cloud to perform analytics, modeling and reports on the machine rather than moving that information through a customer’s firewall. This setup limits access to other systems on the network, and security “tokens” are issued to designated individuals, who are given granular control.
The ei3 Secure Access Control product is designed specifically for OEMs who want to do all that they can to protect their relationship with their customers. “The machine builder is a trusted and reliable partner to the manufacturer and they don’t want to be implicated in any type of malware that gets into their customer base,” Cramer says. OEMs are now motivated to become more cybersecurity savvy because they don’t want to be labeled as untrustworthy. “I really believe, from talking to C-level executives at OEMs, that it’s about maintaining their brand equity.”
Vargas concurs. While cybersecurity may not be a high priority in the building of a machine, “a lot of times we talk about [the OEM’s] reputation and that resonates with them.”
Time to take note
Whether it’s protecting a good reputation or protecting a business from ransomware that could shut down operations, now is the time for OEMs to start to think about their role in cybersecurity, industry experts say.
“We need to push our members to understand that it is a connected world,” says PMMI’s Griffen, noting that anyone who is not “connected” won’t be in business for long. “End users want the data and they are trying to get set up so they don’t have to pay to have a technician to come in every time there is a problem. They want to do it remotely, and that means cybersecurity.”
There is a sense that cybersecurity is something that we can wait to address on another day because it’s something that is coming in our future. That’s a false sense of security—figuratively and literally, says Griffen. “The reality is, it is already here.”
It is here. From Triton to WannaCry, there will be many more attacks in our near and distant future. We must manage the risk, as General Hayden outlined in the equation he shared. Identify threats and vulnerabilities, but, more importantly, manage the consequences.
“They are getting in,” General Hayden says, referring to the hackers. “Get over it and [figure out how to] operate while penetrated.”