🖥️ Cybersecurity Baselining for Manufacturers

Ease of mind is expensive in the cybersecurity space. This is especially true for small and medium sized manufacturers facing margin pressures from lower sales volumes, rising debt costs, and supply chain disruptions.

In 2022, 76% of organizations were targeted by a ransomware attack, out of which 64% were actually infected. Only 50% of these organizations managed to retrieve their data after paying the ransom. Additionally, a little over 66% of respondents reported to have had multiple, isolated infections.

Almost all of the affected organizations (90%) had a cybersecurity insurance policy covering ransomware attacks, and most (82%) insurance companies agreed to pay the ransom, either in part or in full. The high percentage of companies having cybersecurity insurance is why a large number of organizations were willing to pay ransom, with 64% of those infected paying at least one ransom — a six-point increase from the previous year — according to CSO.  

Cyberattacks are increasing in both frequency and cost, meaning that organizations have no option but to prepare. From here there are two routes:

  1. Cost be damned
  2. These resources

Before jumping into the resources, there are some basic steps manufacturers can take before adding another platform to their tech stack. These steps turn a few unknowns into knowns and make the onboarding of a cybersecurity platform less embarrassing for the IT professional tasked with it.


The easiest, and occasionally the most uneasy, step is searching for your security cameras and industrial equipment on Shodan, the search engine that indexes devices exposed to the public internet. If you find your equipment or live video feeds on here - run, don't walk to a cybersecurity firm.

Rachel Tobac over at SocialProof Security is an old mentor of mine and she's a great resource.

Multi-Factor Authentication (MFA)

MFA requires users to provide two or more forms of identification before gaining access to an account or system. This significantly reduces the risk of unauthorized access, even if a password is compromised. Here's how a manufacturer can implement MFA:

  1. Choose the Right Factors: Decide which factors will be used for authentication. Common MFA factors include:
     • Mobile Authenticator Apps: Mobile apps like Google Authenticator, Authy, or Microsoft Authenticator are commonly used for generating time-based OTPs. Users install these apps on their smartphones and link them to their accounts.
     • SMS or Email Verification: Sending OTPs or verification codes via SMS or email is another popular method. However, it's worth noting that this method can be vulnerable to SIM swapping or email account compromise.
     • Hardware Tokens: Physical hardware tokens generate one-time passwords and are considered highly secure. Users carry these tokens and enter the generated code during the authentication process.
     • Biometric Authentication: Implementing biometric authentication requires compatible hardware (e.g., fingerprint scanners or cameras) and appropriate software to process and validate biometric data.
  2. Implement Authentication Policies: Define the rules and policies for MFA usage. For example, you can specify which user roles or access levels require MFA, set session timeout, and determine the number of failed attempts allowed.
  3. Integrate MFA into the Authentication Process: MFA should be integrated into the existing login process seamlessly. Users should be prompted to provide additional authentication factors after entering their username and password.
  4. Backup Authentication Methods: Consider providing backup authentication methods in case the primary method fails or is unavailable. For example, if a user's phone is lost, they should have the option to use backup codes or alternative contact methods.

Open-Source Codebase Review

Almost all applications contain at least some open source code, and 48% of all code bases examined by Synopsys researchers contained high-risk vulnerabilities.

Understanding where cybersecurity work needs to be focused initially (these codebases) makes you look like you sharpened your pencils before the test. Before a manufacturer even utters a cybersecurity acronym, they should have an idea of where to apply it.

  1. Assemble a Review Team: Form a team of experienced developers and engineers with expertise in the programming languages, frameworks, and technologies used in the codebase. The team should also have knowledge of open-source licensing and security practices.
  2. Document Dependencies: Create a comprehensive list of all the open-source dependencies used in the codebase. This includes libraries, frameworks, and other third-party components.
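An added illustration of the Document Dependencies step, not from the original post: a small inventory script that reads a Python requirements file and an npm package.json and flags every dependency that is not pinned to an exact version, since a floating version can change silently between builds. Both manifests are constructed samples.

```python
import json
import re

# Constructed sample manifests for illustration; not taken from any real project.
REQUIREMENTS_TXT = """\
# line-controller service
requests==2.31.0
pyyaml>=5.4              # floating lower bound
pymodbus                 # no version at all
cryptography[ssh]==41.0.3
-r dev-requirements.txt
"""

PACKAGE_JSON = """{
  "name": "line-dashboard",
  "dependencies": {"express": "4.18.2", "lodash": "^4.17.21", "socket.io": "*"},
  "devDependencies": {"jest": "~29.5.0"}
}"""

# name, optional [extras], optional version specifier (a PEP 508 subset)
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([<>=!~]{1,2}\s*[^\s;]+)?")


def parse_requirements(text: str) -> list:
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # skip blanks and pip options
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name, _extras, spec = m.groups()
        spec = (spec or "").replace(" ", "")
        deps.append({"ecosystem": "pypi", "name": name.lower(), "spec": spec,
                     "pinned": spec.startswith("==")})
    return deps


def parse_package_json(text: str) -> list:
    data = json.loads(text)
    deps = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps.append({"ecosystem": "npm", "name": name, "spec": spec,
                         "pinned": re.fullmatch(r"\d+\.\d+\.\d+", spec) is not None,
                         "dev": section == "devDependencies"})
    return deps


def unpinned(deps: list) -> list:
    """Names that can change between builds; these need an exact pin or a lockfile."""
    return sorted(d["name"] for d in deps if not d["pinned"])
```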

Languages for the team include:

  1. C/C++: C and C++ are widely used in embedded systems and low-level programming, which are prevalent in many manufacturing applications, especially in the context of IoT devices, firmware, and control systems.
  2. Python: Python is a versatile and popular language used in various manufacturing tasks, such as data analysis, automation, scripting, and web development. Many open-source tools for code analysis and security scanning are also written in Python.
  3. Java: Java is commonly used in enterprise applications, including manufacturing-related software. It is often used for building scalable backend systems, enterprise resource planning (ERP) software, and web-based applications.
  4. JavaScript: JavaScript is essential for front-end web development and is commonly used in manufacturing applications that have web interfaces or use web technologies.
  5. C#/.NET: C# is commonly used in Windows-based manufacturing applications, and it's especially relevant if the manufacturer utilizes the Microsoft technology stack.
  6. Rust: Rust is gaining popularity in the embedded systems and systems programming domain due to its focus on safety and performance. Manufacturers working on safety-critical systems might find Rust relevant.
  7. Go: Go (Golang) is known for its simplicity and efficiency, making it suitable for building scalable backend systems and cloud-based services often used in modern manufacturing environments.
  8. Shell Scripting: Shell scripting (e.g., Bash) is useful for automating tasks, deployment scripts, and various system administration tasks in manufacturing environments.
  9. SQL: Structured Query Language (SQL) is essential for working with relational databases, which are commonly used in manufacturing applications for data storage and retrieval.
  10. PHP: While not as prevalent in newer systems, PHP may still be relevant for older manufacturing applications and web-based interfaces.
  11. Perl: Perl, known for its text processing capabilities, may be relevant in specific manufacturing scenarios, especially when dealing with legacy systems.
  12. Swift/Objective-C: For manufacturers in the consumer electronics industry, especially those with iOS or macOS products, Swift and Objective-C are relevant for mobile and desktop application development.

Many of you may be thinking about PLC Systems at this moment.

PLC programming languages themselves are not inherently "hackable" in the same sense that software vulnerabilities can be exploited. PLC programming languages, such as Ladder Logic, Structured Text, Function Block Diagram, etc., are used to define the logic and behavior of the PLC, and they operate at a higher level of abstraction than low-level machine code or operating system code that might be vulnerable to traditional hacking techniques.

However, like any software, the security of PLC systems can be compromised if proper security practices are not followed. PLC systems are not immune to cyber threats, and they can be targeted if there are vulnerabilities in the PLC's firmware, communication protocols, or if the systems are not securely configured.

Some potential security concerns related to PLC systems include:

  1. Insecure Communication: PLCs often communicate with other devices or systems through various protocols. If these communication channels are not properly secured, attackers may intercept or manipulate the data flowing between PLCs and other components.
  2. Firmware Vulnerabilities: PLCs have firmware that may contain security vulnerabilities. If the firmware is not regularly updated or if the manufacturer fails to patch known vulnerabilities, attackers could potentially exploit these weaknesses.
  3. Default Credentials: Many PLCs come with default login credentials that are not changed by users, making them vulnerable to unauthorized access.
  4. Inadequate Access Controls: If access controls are not properly configured, unauthorized users may gain access to the PLC system.
  5. Physical Access: If attackers gain physical access to the PLC hardware, they might be able to tamper with the system.
  6. Malware and Ransomware: PLCs that are connected to networks are at risk of being infected with malware, including ransomware, which can disrupt manufacturing operations.

To mitigate these security risks, it is crucial for manufacturers and organizations using PLC systems to follow best security practices, including:

  • Regularly updating PLC firmware and software to patch known vulnerabilities.
  • Implementing secure communication protocols (e.g., VPNs, encryption) for PLC communication.
  • Applying strong access controls and authentication mechanisms.
  • Changing default credentials and using strong passwords.
  • Physically securing PLC hardware in restricted areas.
  • Employing network segmentation to isolate PLC systems from other critical systems.
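An added example, not from the original post, of the monitoring that network segmentation and access controls make possible: it parses Modbus/TCP frames (assumed here as the PLC protocol; it carries no authentication of its own) and reports any write request that does not come from the allowlisted engineering workstation, as well as malformed frames. The allowlist and the sample traffic are constructed.

```python
import struct

# Modbus/TCP function codes that change PLC state (the reads are 0x01-0x04).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}

# Hypothetical allowlist: only the engineering workstation may write to PLCs.
ENGINEERING_HOSTS = {"10.10.1.5"}


def parse_mbap(payload: bytes):
    """Split a Modbus/TCP frame into (unit id, function code, data); raise on a bad header."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:            # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, payload[7], payload[8:]


def inspect(records):
    """records: iterable of (src_ip, dst_ip, payload). Returns (src, dst, unit, fc, reason) tuples."""
    findings = []
    for src, dst, payload in records:
        try:
            unit, fc, _data = parse_mbap(payload)
        except ValueError as exc:
            findings.append((src, dst, -1, -1, f"malformed frame: {exc}"))
            continue
        if fc in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
            findings.append((src, dst, unit, fc,
                             f"{WRITE_FUNCTIONS[fc]} from non-engineering host"))
    return findings


# Constructed sample traffic (hex frames), not a real capture.
SAMPLE = [
    ("10.10.1.5",  "10.10.2.20", bytes.fromhex("000100000006010300000001")),  # read: fine
    ("10.10.1.5",  "10.10.2.20", bytes.fromhex("000200000006010600100001")),  # write, allowed host
    ("10.10.9.77", "10.10.2.20", bytes.fromhex("000300000006010600100001")),  # write, unknown host
    ("10.10.9.77", "10.10.2.20", bytes.fromhex("000400010006010300000001")),  # protocol id != 0
]
```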

Email Spam

Email phishing remains the #1 method by which ransomware attacks are launched.

About eight in 10 organizations (84%) experienced at least one successful email-based phishing attack in 2022, with direct financial losses as a result increasing by 76% compared to 2021, according to CSO.

Seventy-five percent of organizations worldwide reported an attempted business email compromise (BEC) attack last year. While English remained the most common language employed, companies in a few non-English nations witnessed a higher volume of attacks in their own languages, including organizations in the Netherlands and Sweden, which reported a 92% jump in such attacks; in Spain, with a 92% jump; Germany, with an 86% increase; and France, with an 80% increase.

Advances in technology have made it easier for hackers to phish: they can use readily available digital graphics, apply social engineering data, and draw on a vast array of phishing tools, some of them automated by machine learning. Phishing is often accompanied by ransomware, and a common tactic is to target leadership at companies or organizations (spear-phishing), because executives usually have better access to valuable data and make ready targets because of a lack of training.

Because social engineering plays an outsized role in phishing and bypasses MFA, training remains the best way to mitigate the threat. Check email domains, confirm with other points of contact at the organization if an email looks suspicious and never, never open or load an attachment unless absolutely necessary.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced last year that it had created a list of free cybersecurity tools and services. Notably, the Cyber Hygiene Vulnerability Scanning Service is a free service manufacturers can request, where CISA scans your internet-facing systems for known vulnerabilities.

Other federal agency initiatives with cybersecurity resources include:

Climastry© 2021. All rights reserved.