To summarize, either users are phished into downloading an attachment with a malicious payload, which gives the threat actor initial access, or a web application has a flaw that allows access to the internal network. From there, extortion follows, because the tolerance for production downtime is nearly non-existent.
The convergence of the OT and IT networks for such organizations is one of the main reasons these attacks are effective. A lack of proper segmentation between these two network types is what allows the initial intrusion that happens on the IT side to spread to the OT side. This is where the real damage can take place, such as a ransomware attack that can bring operations to a halt.
In our own testing, we have found a lack of awareness of how these networks are actually secured. As a result, what many manufacturers believe about the segmentation practices at their companies does not match reality. A layered approach to security is critical for every type of organization, but manufacturing’s specific vulnerabilities, and threat actors’ knowledge of how to exploit them, call for a mitigation strategy that is somewhat unique.
In other words, segment, segment, segment, then test, test, test!
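The "test" half of that advice can be partly automated. The following is an added illustration, not code from the original post: it audits a firewall ruleset for allow rules that let an IT zone reach an OT zone directly rather than through the industrial DMZ. The zone CIDRs, the `Rule` shape and the sample ruleset are constructed assumptions; a real audit would load the live ruleset from the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map (assumption: one CIDR per zone; real sites have many).
ZONES = {
    "IT_USERS": "10.10.0.0/16",
    "IT_SERVERS": "10.20.0.0/16",
    "IDMZ": "10.99.0.0/24",            # brokered path: jump hosts, historians
    "OT_CONTROL": "192.168.100.0/24",
    "OT_CELL": "192.168.101.0/24",
}
IT_ZONES = {"IT_USERS", "IT_SERVERS"}
OT_ZONES = {"OT_CONTROL", "OT_CELL"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR; "0.0.0.0/0" means any
    dst: str
    action: str  # "allow" or "deny"


def zones_touched(cidr: str) -> set[str]:
    """Every zone the CIDR overlaps; a broad 'any' source touches all of them."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {n for n, z in ZONES.items() if net.overlaps(ipaddress.ip_network(z))}


def _covers(outer: str, inner: str) -> bool:
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def audit_segmentation(rules: list[Rule]) -> list[str]:
    """Names of allow rules that let any IT zone reach any OT zone directly."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # First match wins: an earlier deny that fully covers this rule shadows it.
        if any(p.action == "deny" and _covers(p.src, r.src) and _covers(p.dst, r.dst)
               for p in rules[:i]):
            continue
        if zones_touched(r.src) & IT_ZONES and zones_touched(r.dst) & OT_ZONES:
            findings.append(r.name)
    return findings


# Constructed sample ruleset: only the last two rules bypass the IDMZ.
SAMPLE_RULES = [
    Rule("deny-users-to-cell", "10.10.0.0/16", "192.168.101.0/24", "deny"),
    Rule("users-to-cell-hmi", "10.10.5.0/24", "192.168.101.0/24", "allow"),   # shadowed
    Rule("users-to-idmz-jump", "10.10.0.0/16", "10.99.0.0/24", "allow"),       # brokered
    Rule("idmz-to-control", "10.99.0.0/24", "192.168.100.0/24", "allow"),      # brokered
    Rule("vendor-any-to-control", "0.0.0.0/0", "192.168.100.0/24", "allow"),   # finding
    Rule("servers-to-historian", "10.20.0.0/16", "192.168.100.50/32", "allow"), # finding
]

if __name__ == "__main__":
    for name in audit_segmentation(SAMPLE_RULES):
        print("IT->OT bypass:", name)
```

The check is intentionally conservative: an "any" source is treated as reaching every IT zone, so vendor-access rules with an unrestricted source show up as findings even when no IT host currently uses them.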
More holistically, a plan to implement a security standard that includes segmentation, as well as the more generally understood security controls, is also a necessity. We find the following security issues at manufacturing companies far more often than in any other industry:
- Weak password policies that allow for eight characters, sometimes even less
- Legacy operating systems that are not properly segmented (there’s that word again) from the rest of the network
- Large gaps in asset management and knowledge of what is actually on the network (and belongs there)
- Ancient Active Directory tech debt that often allows for rapid privilege escalation by threat actors
- Lack of strong controls to prevent a social engineering attack from being successful
- Poor physical access controls
We understand that the nature of this industry has baked-in vulnerabilities, but the cost of not properly balancing them with a robust security program is dire. In fact, the cost of a breach in manufacturing is higher than the overall average across all industries. Just ask Honda, Norsk Hydro, and the many others that have suffered, both publicly and privately, from a devastating breach.
If you are an organization in this space seeking assistance in implementing your security program, please reach out to a member of our team today!