As you can tell from my previous blog posts on healthcare, energy, and financial services, I’m doing a series on some of the critical infrastructure Sectors. I was inspired to do this after reading the Biden administration’s new National Cybersecurity Strategy.
The critical infrastructure component of Biden's strategy includes a proposal to expand minimum cybersecurity requirements for all operators of critical infrastructure. While voluntary approaches to cybersecurity in critical infrastructure sectors have produced improvements, the lack of mandatory requirements in some Sectors has resulted in inadequate and inconsistent outcomes. The Cybersecurity & Infrastructure Security Agency lists 16 critical infrastructure sectors vital to the United States.
The National Cybersecurity Strategy’s (NCS) viewpoint on the cybersecurity posture of critical infrastructure sectors reminded me of the podcast Rob Aragao and I did with Joshua Corman - COVID-19, The Cavalry, and Cyber – No one is coming to save you. Corman said in our podcast that the nation has seen successful cyber disruptions in critical infrastructure, including access to water, food, fuel, and patient care. He characterized the sectors as 'target rich, cyber poor'.
Primer on U.S. Critical Infrastructure Sectors
The US Government has defined 16 sectors of critical infrastructure that are vital to the continuity of the nation. Some of these sectors are clearly defined and labeled, making them easily understood. For example, sectors such as Dams, Energy, and Government Facilities are self-explanatory. Some sectors have very specific or very broad applicability. On the “more specific” end of the scale might be the Defense Industrial Base, and on the broad end of the scale, the Critical Manufacturing (MFG) Sector – which will be the focus of this blog. Before delving into the MFG sector, I’m going to go broad and address sector-wide dynamics.
Using the nomenclature “sector” implies that they are independent verticals that operate alongside each other. In reality, some organizations operate in more than one sector due to having multiple products and services or multiple uses for a specific product, and thus have a more complex alignment with the Sector descriptions.
A way to describe how the sectors operate would be as “nodes” within an interconnected ecosystem. Each node has multiple inputs and outputs and a multi-dimensional supply chain of dependencies on each other. The infrastructure within each sector needs maintenance, repairs, retrofits, and other inputs to continue operating. These day-to-day needs create a heavy demand for raw and finished goods, which subsequently need to be transported to other critical sectors to sustain the infrastructure and the operations of it.
As shown in the figure above, organizations generating electric power take inputs of natural gas, which is reliant on the transportation systems sector for transport and so on. Ensuring continuity of these disparate industries that supply the Sector ecosystem is critical to maintaining and sustaining operations within each Sector.
The Critical Manufacturing Sector
The MFG Sector was created in 2008, highlighting the importance of serving the underlying needs of other sectors. The four main MFG Sector components are captured in the figure below. Associated assets are privately owned and operated and include manufacturing facilities, processing and distribution facilities, sales offices, corporate headquarters, and product storage.
The MFG Sector is responsible for the production, manufacturing, and processing of huge amounts of raw goods and produces specialized parts and equipment that are essential to primary operations in several industries. The MFG Sector is an essential node that provides inputs into other sectors, enabling them to stay up and running. A major disruption or failure in the inputs from the MFG Sector could quickly cascade and cripple other critical infrastructure and prevent them from fully performing their functions. In the last few years, we’ve unfortunately witnessed examples of this type of impact.
A major byproduct of the COVID-19 pandemic’s effect on manufacturing was the disruption to production and supply chains, as goods and commodities in the upstream supply chain were produced in lower quantities or sometimes not at all. We all remember the global shortage of basic personal protective equipment (PPE) early in the pandemic. Nowhere to be found were hospital gowns and gloves, surgical masks and respirators, goggles, and face shields. Healthcare workers needed them in higher volume than manufacturers could produce, and the global supply chain issues exacerbated the problem.
During a time of national emergency, many of the MFG industries can be converted to other critical functions in support of those efforts. For example, vehicle manufacturers produced ventilators in support of Healthcare and Public Health Sector initiatives during the COVID-19 pandemic.
The fiscal enormity of the MFG Sector and the complexities of securing a dissimilar group of industries are major drivers for addressing the risks to this crucial aspect of the national supply chain.
Cybersecurity Threats to the Sector
It’s not surprising that the MFG Sector can be impacted by supply chain disruptions; natural disasters and extreme weather; geopolitical unrest; and deliberate attacks, including terrorism. However, as manufacturing has become more reliant on data and technology, the threat of cyberattacks on sector companies has increased, including ransomware attacks.
Ransomware attacks on the MFG Sector have been growing, like they have for everyone. In fact, Dragos recently reported that such attacks surged 87 percent in 2022, with 13.9 percent of incidents in North America in the last year being on manufacturing companies.
Dole Foods was a recent ransomware victim. The firm was hit by a ransomware attack in early February that led to shutting down production systems throughout North America, and halted shipments to numerous retailers and distributors.
Ransomware attacks are so effective against MFG firms because of the time constraints involved. Time is money, and manufacturers will often choose to pay a ransom, as the payout to threat actors could end up being less than the losses accrued from manufacturing delays. The MFG Sector is particularly susceptible to ransomware because of the abundant usage of computer-aided design (CAD). Access to these files is required for manufacturing to proceed, so making them unusable can be crippling to a company.
According to Manufacturing.Net, other cybersecurity related threats to the sector include:
- IP Theft - A manufacturer’s intellectual property (IP) is what differentiates it from its competitors. Therefore, as one of the most valuable assets of a manufacturer, theft of IP can have disastrous results. IP theft can be carried out by outside parties looking to steal trade secrets or other sensitive information, but it can also be carried out by insiders looking to sell the information to make some quick cash. A massive IP theft operation that included targets in the MFG sector has been attributed to a nation-state threat actor known as APT 41 (also known as Winnti).
- Equipment Sabotage – With firms relying on automation and intelligent systems, the MFG Sector is increasingly at risk of sabotage from malicious actors. These actors target factory operational technology (OT) equipment with the goal of controlling it, stopping it, or destroying it. Their objective is not theft of a firm’s IP, but to access the industrial controllers that regulate the factory equipment. These kinds of attacks are made easier as OT equipment has increasingly become connected to business networks.
It’s possible for threat actors to use these machines as entry points into a secure network, but it’s also possible for them to disrupt operations by simply shutting them down or irreparably damaging them. An example of this type of sabotage occurred to steel companies in Iran in 2022 when hacktivists damaged equipment through a cyberattack.
- Supply Chain Attacks – I focused on software supply chain attacks in my blog on the Financial Services Sector last week. More broadly, supply chain attacks occur when attackers target a company’s business partners or suppliers. This can be done through phishing attacks or otherwise compromising the networks of trusted third parties. Once an attacker has gained access to the network, they can then attack the manufacturer to steal data, plant malware, or simply disrupt the supply chain enough to halt production.
The manufacturing industry is so susceptible to supply chain attacks because of the number of vulnerable endpoints present across a large number of interconnected suppliers. This gives threat actors multiple ways to access a network and ultimately attack the manufacturer. Additionally, because each step in the supply chain is often reliant on other firms in the chain, an attack on one supplier can quickly cripple many other firms too. An example of this occurred in 2022 when Toyota suspended operations in 28 production lines after a key supply chain player was hit by a cyberattack.
- Nation-State Attacks - Cyber threats to manufacturing companies aren’t always carried out by competitors or independent actors. Attacks can be carried out by the governments of other nations or threat actors employed by the governments of other nations. These attacks can often be extremely sophisticated and can have incredibly serious impacts. The IP theft by APT 41, a China-based threat actor, cited above is an example of this.
Nation-state attacks against the MFG Sector can be used to try and destabilize the economies of foreign powers. They could also be militaristic in nature, with foreign governments attempting to strengthen their own military strategies while weakening their rivals’ strategies.
- Data Leaks - Data leaks or spillages occur when sensitive data is accidentally released. This could be through the sending of an email to the wrong recipient or through storage devices being lost or stolen. Data leaks can affect companies in any industry, including manufacturing. However, the risks presented for the manufacturing industry may be higher than others.
- Remote Worker Risks - The advent of telecommuting and better software system integration has allowed many employees to work from home. This has allowed manufacturers, like other companies, to benefit from global workforces and provide greater flexibility for many employees. The number of MFG employees working remotely has increased steadily in the past couple of decades, with a sharp increase during the pandemic.
- Phishing - MFG companies are often more vulnerable to phishing attacks due to a long supply chain that comprises many disparate organizations, providing more points of entry for threat actors. In January, Mandiant shared details of their research into industrial-themed phishing campaigns.
Manufacturers are at increasing risk from cyber threats as the industry increasingly relies on interconnected systems and stores more and more data. Steps must be taken to ensure that companies minimize the risk and impacts of cyberattacks.
Actions for Manufacturing Companies Moving Forward
MFG businesses must consider themselves warned. Rather than continue in a passive stance, they must adapt and evolve their approach to address the cyber threats enumerated above. Evolving requires MFG Sector organizations to anticipate attacks before they happen, detect alarms to contain attacks, and adopt a tiered approach to protecting critical assets.
Although the industries within the MFG Sector are different, they do (mostly) have one thing in common - they are profit-driven organizations. In many cases, availability and uptime are the primary strategic goals of these organizations, driven by the business requirements to generate profit. The voluntary approach to implementation of cybersecurity controls to mitigate cybersecurity threats frequently takes a back seat to profit objectives. Specifics associated with the NCS proposals for mandating cybersecurity on critical infrastructure operators are still unknown, and such mandates will be difficult to apply in the MFG Sector given the diversity of the firms in it.
There are signs that manufacturers are shifting from a historically low focus on cybersecurity to making it a priority. The introduction of CISO roles in MFG businesses may drive change as manufacturers realize how essential security controls are for mitigating cybersecurity threats. But engrained cultures can make change difficult.
How OpenText Cybersecurity Can Help
OpenText Cybersecurity brings the expertise of one of the world's largest security portfolios to help our customers navigate the changing threat landscape by building both cyber and business resiliency within their teams and organizations.
Case studies
Fortify FoD – Coca-Cola FEMSA
NetIQ IdM & Access Manager – Automotive Manufacturer
NetIQ IdM, Access Manager & AA - Nestal
NetIQ IdM & Access Manager – Haier Group
NetIQ (IdM, Access Manager, PAM, eDirectory) & Fortify - Grupo Arcor
NetIQ IdM, Access Manager, Sentinel, SSPR - Global Major in Metals and Mining
ArcSight Intelligence – High Tech Manufacturer
ArcSight Intelligence – Global Manufacturer
Voltage SecureData – Global Logistics Organization
Blogs:
What is secure remote access?
Master modern work with intelligent, connected, secure and responsible experiences
Podcast:
New Perspectives in Cyber - Brett Harris, Product and Solution Security Officer with Siemens