Cybercriminals have intensified their attacks on the manufacturing sector, exploiting vulnerabilities in operational technology (OT) networks and OT/IT convergence to cripple production lines. The 2022 IBM Security X-Force Threat Intelligence Index1 revealed a disturbing trend – manufacturing was the most targeted industry in 2021, surpassing even financial services. The report found a 33 percent year-over-year increase in attacks leveraging unpatched software vulnerabilities, which accounted for a staggering 44 percent of all observed ransomware attacks.
The severity of the ransomware problem is highlighted in the State of Ransomware in Manufacturing and Production 2023 report by Sophos2. The findings are alarming: 56 percent of manufacturing organizations were hit by ransomware attacks between 2022 and 2023, and the rate of data encryption reached its highest point in three years, with an overwhelming 68 percent of attacks leading to encrypted data. This upward trend indicates that threat actors are refining their methods of attack, as only 27 percent of incidents were stopped before data could be encrypted.
Why do cyber threats so frequently target industrial networks?
- Much of their vulnerability stems from a reliance on legacy OT systems, which are often challenging or impossible to patch due to criticality, legacy components, and operational constraints.
- Examples include programmable logic controllers (PLCs) running real-time operating systems such as VxWorks, QNX, or custom firmware developed by manufacturers.
- Supervisory control and data acquisition (SCADA) systems using legacy software like Windows XP or proprietary Unix-based platforms.
- Human-machine interfaces (HMIs) integrated with control systems on embedded operating systems.
- Complex distributed control systems (DCS) with multi-vendor subsystems, causing compatibility issues. This creates a perfect breeding ground for ransomware to spread.
A defense-in-depth security strategy is essential to protect manufacturing data and operations from the constant threat of ransomware. This approach involves implementing multiple overlapping security measures to cover different aspects of the manufacturing network.
Zero Trust: The Foundation
Adopting a zero-trust architecture is crucial for securing Industrial Control Systems (ICS) and OT environments, especially those filled with outdated systems that can’t be updated—like Windows XP systems. This model assumes that no one, whether inside or outside the industrial network, should be trusted automatically. It requires constant verification and validation of every access request to critical OT assets and, most importantly, in the context of ransomware, storage systems, including NAS devices and backup systems.
Network segmentation with virtual local area networks (VLANs) is also key as it helps contain breaches to just one area, prevents them from spreading laterally, and reduces the overall risk of a larger, more devastating impact on the entire industrial control system.
Air-Gapped Backup Vaults
Frequent backups empower manufacturers to swiftly restore mission-critical operational data, configurations, logs, and regulatory records in the aftermath of a cyberattack or system failure.
However, ransomware actors often target these backups.
To truly insulate backup repositories from ransomware’s clutches, manufacturers must embrace air-gapped backup architectures. In this hardened configuration, backup systems are physically and logically isolated from industrial networks, creating an impenetrable air gap that nullifies ransomware’s ability to encrypt or corrupt backup data.
Immutable “Wrote Once, Read Many” (WORM) cloud storage solutions like AWS Object Lock offer robust immutability guarantees, rendering backup data impervious to encryption or deletion. Hosting backups in the cloud or at discrete physical sites with stringent access controls further fortifies this last line of defense.
Deception for Defense: Honeypots as Ransomware Traps
Manufacturers can further augment their defenses through deception techniques like deploying honeypots – systems deliberately designed to lure and entrap malicious actors. Honeypots are decoy assets meticulously crafted to mimic high-value targets within the manufacturing environment that actually serve no operational purpose other than to entice and detect unauthorized probing attempts or attacks.
By strategically placing honeypots across the converged IT/OT infrastructure, manufacturers can monitor these digitally fabricated assets for any anomalous activity. Ransomware operators, driven by financial incentives, are likely to take the bait, believing the honeypots contain lucrative intellectual property or sensitive operational data ripe for encryption and extortion.
Once malicious activity is detected, it triggers automated security orchestration mechanisms that contain the threat, minimizing its potential to propagate laterally and impact production systems. Concurrently, security analysts gain invaluable insights into the threat actor’s tactics, techniques, and procedures (TTPs), empowering them to fine-tune defensive countermeasures proactively.
Artificial Intelligence: A Cybersecurity Force Multiplier
Artificial intelligence (AI) and machine learning (ML) have emerged as force multipliers for industrial cybersecurity. Modern security platforms leverage these technologies to perpetually monitor OT networks and IT infrastructures, detecting anomalous behaviors that may signify an impending or ongoing attack.
By integrating AI/ML-powered hybrid cloud solutions that consume and analyze log data, particularly file access patterns, manufacturers gain enhanced visibility into their converged IT/OT environments. This empowers them to expedite threat detection, automate defensive responses, and proactively neutralize ransomware campaigns before they can encrypt production data or disrupt operations.
Moreover, behavioral anomaly detection powered by machine learning algorithms enables the identification of subtle deviations that may be indicative of stealthy threats, further strengthening cyber resilience.
The manufacturing sector forms the bedrock of modern economies, driving innovation, productivity, and economic growth. It fuels employment opportunities but catalyzes technological advancements that shape our daily lives. However, the disruptive impact of ransomware on global supply chains is a significant concern, particularly as these attacks not only disrupt operations but also pose a severe risk to data. As cyber threats continue to evolve, so too must the defensive strategies of manufacturing companies.
To effectively combat the ransomware threat, manufacturers need to adopt a robust, layered, and proactive approach to cybersecurity to protect their global assets, reduce disruptions, and quickly recover from even the most damaging ransomware attacks. This involves more than just protecting data; it’s about ensuring the continuity of operations and the integrity of the supply chain.
[1] IBM Report: Manufacturing Felt Brunt of Cyberattacks in 2021 as Supply Chain Woes Grew https://newsroom.ibm.com/2022-02-23-IBM-Report-Manufacturing-Felt-Brunt-of-Cyberattacks-in-2021-as-Supply-Chain-Woes-Grew
[1] The State of Ransomware in Manufacturing and Production 2023 – Sophos https://www.sophos.com/en-us/whitepaper/state-of-ransomware-in-manufacturing-and-production