COMMENTARY
Manufacturers have been feeling urgency around cybersecurity for several years — and it’s little wonder given their sector remains the No. 1 ransomware target. Ransomware attacks threaten to affect manufacturers by interrupting operations that ripple through supply chains, leading to significant financial losses through ransom payments, revenue decline, and recovery costs.
Despite the looming threats, there is a notable shortage of cybersecurity professionals who can shield manufacturers from bad actors. But with the proper training and tools, manufacturers can still implement a strong security posture, even if they don’t have a security expert on staff. Let’s drill down on how manufacturers can bolster their cybersecurity defenses and, should an attack occur, the steps they should take to control the damage.
Considerations for Securing the Entire Ecosystem
Small to midsize manufacturing businesses are especially vulnerable to cyber threats due to a lower level of preparedness as compared to enterprises, unprotected data, and willingness to pay ransoms. Strengthening cybersecurity is crucial for product safety, quality assurance, and operational efficiency. For instance, implementing stringent controls on industrial control systems (ICS), operational technology (OT), and enterprise resource planning (ERP) systems can reduce vulnerabilities.
With a comprehensive risk management strategy, manufacturers can protect end customers, ensure operational continuity, safeguard intellectual property, and maintain fiscal responsibility. However, even with robust preventive measures, the possibility of a cyberattack remains. Therefore, manufacturers need to be prepared to identify risks.
Warning Signs of Ransomware
Timing is critical when assessing cyber threats in manufacturing, and early detection is the most effective way to prevent ransomware. The longer a breach goes undetected, the more damage attackers can inflict on production lines, supply chains, and intellectual property. Fortunately, even lean manufacturing IT teams can implement robust defense measures without the need for a dedicated cybersecurity expert.
In manufacturing, common warning signs include unusual activity on the network segments that control machinery, production lines, or ERP systems. Another common indicator is unusual network traffic, which can mean that someone has external data access or is conducting other malicious activities within the system. Manufacturers might notice unexpected data transfers from supervisory control and data acquisition (SCADA) systems or other critical OT components.
Consider a scenario where a manufacturer notices an unusual spike in network traffic late at night when production lines are typically idle. This anomaly could indicate an unauthorized party is attempting to transfer data or conduct other malicious activities. Other red flags include unauthorized administrative activities, such as installing programs without official approval or user sign-ins from unusual locations or unfamiliar devices.
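The late-night scenario above can be turned into a simple detection rule. The following Python is an added example, not code from the article: it reads constructed flow-log lines and flags transfers that leave the OT/SCADA segment for an external address outside production hours and above an idle-period volume threshold. The subnet, shift window, threshold and log format are all assumptions.

```python
# Added example (not from the article): flag off-hours data transfers leaving the
# OT/SCADA network segment. Subnets, schedule and thresholds are assumptions.
from datetime import datetime
import ipaddress

OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")      # assumed SCADA/PLC subnet
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in    # assumed corporate ranges
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRODUCTION_HOURS = range(6, 22)                        # assumed shift window 06:00-21:59
IDLE_BYTES_THRESHOLD = 50_000_000                      # assumed: >50 MB out while idle

# Constructed flow-log lines: timestamp,src_ip,dst_ip,bytes_out
SAMPLE_FLOWS = """\
2024-03-11T14:05:00,10.20.3.15,10.10.1.5,120000
2024-03-11T23:40:00,10.20.3.15,203.0.113.44,812000000
2024-03-12T02:15:00,10.20.7.2,198.51.100.9,64000000
2024-03-12T03:00:00,10.50.1.8,198.51.100.9,900000000
2024-03-12T09:30:00,10.20.3.15,203.0.113.44,5000000
"""

def parse_flow(line):
    """Split one CSV flow record into (datetime, src, dst, bytes)."""
    ts, src, dst, nbytes = line.strip().split(",")
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(nbytes))

def is_external(ip):
    """True when the address is outside every assumed internal range."""
    return not any(ip in net for net in INTERNAL_RANGES)

def off_hours_ot_egress(lines, threshold=IDLE_BYTES_THRESHOLD):
    """Return (timestamp, src, dst, bytes) for flows that match all three conditions:
    source inside the OT segment, destination external, and the transfer happens
    outside production hours with a volume at or above the idle threshold."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_flow(line)
        if src not in OT_SEGMENT or not is_external(dst):
            continue          # not OT-to-outside traffic
        if ts.hour in PRODUCTION_HOURS:
            continue          # expected during a shift; a baseline would judge it
        if nbytes >= threshold:
            alerts.append((ts.isoformat(), str(src), str(dst), nbytes))
    return alerts

if __name__ == "__main__":
    for alert in off_hours_ot_egress(SAMPLE_FLOWS):
        print("ALERT off-hours OT egress:", alert)
```

Only the two idle-hour transfers from the OT subnet to external hosts are reported; the daytime transfer and the one from a non-OT subnet are not.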
Recognizing these warning signs is crucial for early detection and prompt response, preventing minor breaches from turning into major incidents. However, if a ransomware attack occurs, act quickly and efficiently to mitigate damage and begin recovery.
What to Do in the Event of an Attack
If hackers strike, manufacturers should take these critical steps to prevent significant damage and begin the recovery process:
- Isolate impacted systems: Immediately identify and isolate compromised systems — including production machinery, assembly lines, SCADA systems, or ERP software — from the network. If isolation is not possible, shut them down to prevent further spread.
- Create an incident document: Maintain and update a document to log discoveries and affected systems — e.g., computer numerical control (CNC) machines, robotic systems, or programmable logic controllers (PLCs) — and coordinate response efforts across the team.
- Examine detection systems: Review existing detection systems — such as antivirus, endpoint detection and response (EDR), security information and event management (SIEM), and intrusion prevention (IPS) systems — for signs of compromise, such as newly created accounts, or indications of persistence mechanisms. This process should include checking logs from ICS and OT monitoring tools.
- Report the incident: Contact agencies, such as the US Cybersecurity and Infrastructure Security Agency (CISA), your security vendors, the FBI, or the US Secret Service for assistance and to report the attack. Additionally, inform industry-specific bodies or associations that may provide support.
- Coordinate communication: Work with communications staff to ensure accurate information is shared internally and externally, according to the company’s corporate communications guidelines. Use nonstandard communication methods (e.g., phone calls and encrypted messaging apps) to avoid alerting attackers. Notify key stakeholders, including suppliers and customers, about potential impacts on production schedules.
- Rebuild and restore systems: Prioritize and rebuild critical systems, focusing on restoring manufacturing operations, such as manufacturing execution systems (MES), human-machine interfaces (HMI), and other essential production control systems. Issue password resets for affected accounts and restore data from offline encrypted backups to ensure the integrity and availability of production data.
- Document lessons learned: After the incident is under control, document your insights and update organizational policies, plans, and procedures accordingly. Conduct a post-incident review to identify gaps in the response and improve resilience against future attacks. Include lessons learned about specific manufacturing processes and impacted technologies.
Manufacturing organizations and professionals know the urgency required to address cybersecurity threats. By recognizing early warning signs, responding swiftly to incidents, and strengthening their cybersecurity posture, manufacturers can protect themselves against the growing wave of attacks, allowing the industry to build resilience and ensure the continuity of critical manufacturing processes.
Source: www.darkreading.com