The business impact of phishing is becoming increasingly pronounced. According to the 2018 Verizon Data Breach Investigations Report (DBIR), phishing and pretexting account for 93% of breaches that involved a social-engineering action. The manufacturing industry is likely feeling this impact more than most, with targeted attacks on the rise: the Verizon report notes that most intrusions into manufacturers begin with a well-crafted spear-phishing email, containing a malicious link or attachment, sent to a company employee.
Seagate Breach Underscores Risks
A much-discussed example occurred in 2016, when a Human Resources employee at Seagate Technology, a manufacturer of precision-engineered data storage technology, received an email purporting to be from the CEO requesting employee tax documents (W-2 forms, specifically). The dutiful employee complied, sending materials that included social security numbers and salary data for roughly 10,000 current and former employees—and their spouses! Cybercriminals had carefully targeted the Seagate HR employee using the “imposter email attack” technique: the message looked like an ordinary internal request from the CEO, so nothing about it triggered suspicion.
After Seagate discovered the breach, employees were given free two-year credit protection, but this is closing the proverbial barn door after the horse has bolted, and it does not stop the criminals from using the data in myriad ways. In fact, within days of receiving the data, the attackers were filing fraudulent federal and state tax returns not only for the employees, but also for their family members. The company’s headache didn’t end there: current and former employees sued the company for negligent handling of their data, and the breach could end up costing Seagate north of $1 million.
Why Are Manufacturers Being Targeted?
While it would be nice to say that the Seagate cyberattack was unique, the sad truth is that phishing attacks aimed at stealing employee data or intellectual property are all too common. In a May survey by Osterman Research, 28 percent of IT managers reported suffering one or more phishing breaches in the prior 12 months, making phishing the top threat category reported. There are several reasons why cybercriminals view the manufacturing industry as a preferred phishing target:
1) Manufacturers possess more valuable information than they realize—As the incident with Seagate Technologies demonstrates, data on employees can garner a criminal thousands (if not tens of thousands) of dollars through false tax filings, or even resale on the dark web. Manufacturers may also possess intellectual property that cybercriminals find attractive. The 2017 Verizon report found that 91% of all breaches into manufacturing businesses involved the stealing of trade secrets, business plans, and valuable intellectual property.
When it comes to what constitutes a “trade secret,” criminals are interested in a surprising range of information, and well-developed marketplaces on the “dark web” give them a ready means to monetize the data. Hackers may steal intellectual property and sell it to “interested parties” (e.g., competitors) on the dark web. Alternatively, foreign and domestic competitors may engage in direct cyber espionage against a U.S. or U.K. manufacturer, using their own in-house hackers to breach its systems.
2) Manufacturers are interconnected to suppliers, partners, and customers—Manufacturing supply chains are connected, integrated, and interdependent; the security of the entire supply chain depends on security at the smallest supplier or local factory. Cybercriminals know that reaching a key target may be as simple as breaching the weakest link in its supply chain. The infamous 2013 Target Corporation breach began with criminals compromising Target’s HVAC vendor (a small business with only about 70 employees) and stealing the network credentials the vendor used to connect to Target. The end result was the theft of forty million credit and debit card records, as well as email and mailing addresses for 70 to 110 million people.
The fact that criminals could leverage an HVAC vendor’s access into their client’s large-scale corporate system is unsurprising. According to Forrester Consulting’s research into the use of operational technologies and SCADA in manufacturing, more than 60% of the companies surveyed stated that they provide either “complete or high-level access to their SCADA/ICS” to other companies in their supply chain, including outsourced suppliers, business partners, and government agencies.
3) Small manufacturers under-estimate risk—According to the U.S. Bureau of Labor Statistics, the vast majority of manufacturing companies are small. And small companies tend to believe they can fly under the radar when it comes to cybercrime, choosing not to invest in cybersecurity technology. Yet the 2018 Verizon study reports that small businesses are far more likely to be the target of cyberattacks: 58% of the breach victims in the report were small businesses.
4) Manufacturers often have unsupported and unprotected operational technologies—Operational technologies and control systems such as supervisory control and data acquisition (SCADA) have been in use for years, but have only recently begun to be connected to the corporate network, which in turn is connected to the internet. Because many SCADA systems run embedded operating systems and applications that are unsupported or obsolete, they are highly vulnerable to attack. In fact, according to a January 2018 study by Forrester Consulting, 56% of organizations using SCADA or ICS indicated they had experienced a breach of those systems in the past year. Perhaps more notably, only 11% indicated they had never been breached, which suggests that many manufacturers either don’t know or aren’t willing to acknowledge that they’ve been attacked and infiltrated.
Business Email Compromise is the Most Common Attack
The most common phishing attack on manufacturers is business email compromise (BEC), also called an imposter email attack. BEC is a form of “spear phishing” (phishing aimed at a specific, researched individual); when the impersonated or targeted party is a senior executive, it is often called “whaling.” These attacks can take several forms. In the simplest rendition, the attacker is after internal corporate data, so they send an email pretending to be someone the recipient knows and trusts, such as the CEO or a business partner. The perpetrator may request user names and passwords for corporate networks, a list of employee social security numbers or email addresses, the names and email addresses of current clients, or even proprietary data such as product schematics. Often this information can be sold on the black market or used as a starting point for additional phishing attacks against partners, vendors, or customers.
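As an added illustration (not code from the article or from any vendor it cites), here is a small Python triage check that a mail gateway or SOC script could run over inbound messages to catch the imposter-email pattern described above: an executive’s display name on an address that isn’t theirs, a lookalike sending domain, a Reply-To that quietly redirects the thread elsewhere, and a message that claims the corporate domain without a DMARC pass from the gateway. The corporate domain `example-mfg.com`, the executive names and addresses, and the four sample messages are all constructed for this example and are assumptions, not data from the article.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: a hypothetical manufacturer's domain and the
# executives whose names BEC senders most often borrow.
CORPORATE_DOMAIN = "example-mfg.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-mfg.com",    # hypothetical CEO
    "raj patel": "raj.patel@example-mfg.com",  # hypothetical CFO
}


def _norm(name: str) -> str:
    """Lower-case a display name and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def _domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_corporate(domain: str) -> bool:
    """Exact corporate domain or one of its subdomains."""
    return domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """Flag domains that embed the real one (example-mfg.com.evil.net) or sit
    within two edits of it (example-rnfg.com, exarnple-mfg.com)."""
    if not domain or is_corporate(domain):
        return False
    if CORPORATE_DOMAIN in domain:
        return True
    return levenshtein(domain, CORPORATE_DOMAIN) <= 2


def analyze(raw: str) -> list:
    """Return a list of finding codes for one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = _domain(addr)

    # 1. Display name belongs to an executive, but the address is not that executive's.
    if _norm(name) in EXECUTIVES and addr != EXECUTIVES[_norm(name)]:
        findings.append("display_name_impersonation")

    # 2. Sending domain is a lookalike of ours.
    if is_lookalike(from_domain):
        findings.append("lookalike_domain")

    # 3. Reply-To silently moves the conversation to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        findings.append("reply_to_mismatch")

    # 4. Message claims our own domain, but the gateway recorded no DMARC pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if is_corporate(from_domain) and "dmarc=pass" not in auth:
        findings.append("dmarc_not_pass")

    return findings


# Constructed sample messages (not real mail) covering the cases above.
SAMPLES = {
    "freemail_impersonation": (
        'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
        "To: hr@example-mfg.com\n"
        "Subject: W-2 forms for all employees\n\n"
        "Can you send me every employee's W-2 today? Thanks, Jane\n"
    ),
    "lookalike_domain": (
        'From: "Jane Doe" <jane.doe@example-rnfg.com>\n'
        "To: hr@example-mfg.com\n"
        "Subject: Urgent: payroll export\n\n"
        "Please send the payroll export as a PDF.\n"
    ),
    "spoofed_corporate_domain": (
        'From: "Jane Doe" <jane.doe@example-mfg.com>\n'
        "Reply-To: <jdoe.payroll@outlook.com>\n"
        "To: hr@example-mfg.com\n"
        "Authentication-Results: mx.example-mfg.com; spf=fail smtp.mailfrom=example-mfg.com; "
        "dmarc=fail header.from=example-mfg.com\n"
        "Subject: Employee SSN list\n\n"
        "Reply with the list, I am in meetings all day.\n"
    ),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@example-mfg.com>\n'
        "To: hr@example-mfg.com\n"
        "Authentication-Results: mx.example-mfg.com; spf=pass smtp.mailfrom=example-mfg.com; "
        "dkim=pass header.d=example-mfg.com; dmarc=pass header.from=example-mfg.com\n"
        "Subject: Q3 all-hands agenda\n\n"
        "Agenda attached in the shared drive.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:26s} -> {analyze(raw) or ['clean']}")
```

Every one of these signals is cheap to compute at the gateway and none depends on the message carrying a link or attachment, which is exactly what makes a plain-text “send me the W-2s” request slip past malware-centric filters. In production the `EXECUTIVES` map would come from the directory, and the DMARC check should trust only the `Authentication-Results` header stamped by your own gateway, since an attacker can add that header to a spoofed message.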
Critical Business Risk Requires "Defense-in-depth"
Manufacturers are in a unique position. The operational technology (OT) that drives machinery and equipment was traditionally safe from hacking because it was “air gapped.” However, as OT is connected to corporate systems and servers, the risks arising from the interaction between unsupported embedded operating systems and modern corporate systems are magnified, and the dangers at this intersection should not be dismissed.
A successful cyber attack against OT or a SCADA control system not only has the potential to damage the business financially, but also could result in physical consequences to such things as infrastructure and services, the environment, and possibly human life.
As manufacturing operational technology grows more interconnected and cyberattacks occur at a faster rate, manufacturers need to view threats against OT as a critical business risk. Patching vulnerabilities is the first line of defense. However, today most threats appear more quickly than IT or production staff can patch. Further, some OT still runs on operating systems that are no longer supported by their vendors, so for those systems patching simply isn’t an option.
To combat threats against OT and other corporate manufacturing systems, a “defense-in-depth” security approach is recommended by numerous industry and government bodies, including the International Electrotechnical Commission (IEC, in IEC 62443), the National Institute of Standards and Technology (NIST, in SP 800-82), and the Department of Homeland Security (DHS). Manufacturers need to augment traditional security technologies with next-generation detection: endpoint security, plus cloud-based web and email gateways that block access to phishing and other malicious sites, stop new zero-day malware downloads, and cut off outbound communication with botnet command-and-control servers from compromised endpoints, control systems, and IoT devices.