Attacks on critical suppliers in the gas and food industries have illustrated how hackers attack easy targets, inflict serious pain, and extract easy money from pressured executives. Using what we’ve learned from recent attacks, here are 10 steps manufacturers can take to prevent a ransomware attack.
The details of attacks on Colonial Pipeline and JBS
In the case of the Colonial Pipeline, hackers from Russia entered through the company’s virtual private network (VPN). The perpetrator, DarkSide, acquired the password of a VPN user account that was no longer in use yet remained active. That single factor, a password with no second check behind it, was all that stood between the attackers and access to Colonial’s IT network and, in turn, its sensitive data. The cost: $4.4 million in ransom and 5 days of lost production. The breach is a clear example of how an IT compromise can shut down operational technology environments.
JBS, the world’s largest meat processor, paid an $11 million ransom to cybercriminals after it was forced to halt cattle-slaughtering operations at 13 of its meat processing plants. REvil, also known as Sodinokibi, is credited with the attack, which shut down production for only one day but sent reverberations throughout the supply chain. The U.S. Department of Agriculture was unable to offer wholesale beef and pork prices on June 1 due to predicted shortfalls in meat production and price increases. It’s troubling to note that the REvil gang runs as a ransomware-as-a-service (RaaS) business, selling its encryption software to other criminal groups.
Here are the steps manufacturers can take to prevent a ransomware attack
1. Replace or isolate older equipment running on older computers
You probably have an older piece of equipment that is critical to some part of your production that you cannot seem to upgrade or get rid of. Unfortunately, it needs an older computer and software combination to make it run. The old software is no longer maintained or updated and exposes not just this important piece of equipment to a host of security vulnerabilities but your ENTIRE network. Do everything you can to minimize that exposure, such as removing the equipment from the network and the internet. If that is not an option, you need several additional layers of security, such as endpoint detection and response (EDR) or a security information and event management (SIEM) system. If you do not take these precautions, you leave a big open door that welcomes hackers into your systems and your business.
2. Address poor vendor support for equipment
Sadly, vendor support can suffer from tunnel vision and expediency. Vendors may be quite capable and concerned about fixing a specific issue on their piece of equipment. However, they may not be as concerned or knowledgeable about your broader security. It’s really important that you have processes to monitor their approaches to make sure that they are not mistakenly creating security risks. For example, an equipment tech may open up ports on your firewall to access a machine for troubleshooting and, then, not close them. It’s a simple error that can lead to a disastrous outcome. Well-structured protocols can prevent it.
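One way to catch the "opened for troubleshooting, never closed" problem is to audit the firewall rule export on a schedule. This is an added example, not code from the original article; the rule format (name, source, destination port, owner, expiry) and the sample rules are constructed for illustration.

```python
"""Flag inbound firewall rules that look like vendor troubleshooting leftovers.

Added example, not from the original article. The export format and the
sample rules below are constructed for illustration.
"""
from datetime import date

# Constructed export of inbound rules: (name, source, dest_port, owner, expires).
# expires is an ISO date for temporary rules, or "" for permanent ones.
RULES = [
    ("erp-web",          "10.20.0.0/16", 443,  "it",     ""),
    ("vendor-rdp-cnc",   "0.0.0.0/0",    3389, "vendor", "2021-05-15"),
    ("vendor-vnc-press", "203.0.113.7",  5900, "vendor", "2021-06-10"),
    ("temp-ftp",         "0.0.0.0/0",    21,   "",       ""),
]

# Date the audit is run (constructed so the example is reproducible).
AUDIT_DATE = date(2021, 6, 1)

def audit_rules(rules, today):
    """Return {rule name: [findings]} for inbound rules that need review.

    A rule is flagged when its temporary expiry has passed, when nobody
    is recorded as owning it, or when it is open to any source address.
    """
    findings = {}
    for name, source, port, owner, expires in rules:
        problems = []
        if expires and date.fromisoformat(expires) < today:
            problems.append("temporary rule past its expiry")
        if not owner:
            problems.append("no owner recorded")
        if source == "0.0.0.0/0":
            problems.append("open to any source")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_rules(RULES, AUDIT_DATE).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run against a real export, every flagged rule becomes a ticket for the vendor or IT to justify or remove.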
3. Secure and monitor vendor remote access to equipment
Sometimes a vendor will use a remote-access solution to reach your equipment for support. That’s not a major issue if your vendor uses a well-maintained, secure enterprise platform. If they don’t, and instead rely on a free, open-source tool that is not kept up to date, combined with lax security practices, their weaknesses become your exposure.
4. Concentrate on points where operational technology/equipment connects to other network systems
The reality is that nearly everything on your shop floor connects to your network or the internet. The piece of equipment itself may be “safe and secure” but the computers and other software connected to it may not be. All it takes is one minor peripheral with a security vulnerability to wreak havoc on your entire enterprise. Newer industrial air conditioning systems, for example, are controlled through the business network and also connect to the internet for vendor support and monitoring. Cybersecurity firm ForeScout Technologies has discovered that thousands of vulnerable IoT devices in heating, ventilation, and air conditioning (HVAC) systems are vulnerable to cyberattacks. Its research showed that nearly 8,000 connected devices, mostly located in hospitals and schools, offered unauthorized access and were highly vulnerable to cyberattacks. (asmag.com) Do a Google search and you’ll be shocked how often these systems are hacked and the client pays the price.
5. Eliminate shared log-ins to any equipment
Admit it. You probably have shop employees using the same login to a critical piece of equipment. It’s human nature AND hackers are experts at exploiting human nature. We have long lists of clients and prospects that did not practice basic IT hygiene and “allowed” that one login to leak, through human foible, texts, emails, or Post-its, into the hands of a hacker. The hackers promptly used it to gain access to all of their systems. If you do nothing else, kill this bad habit today and mandate user-specific logins for all of your equipment. There are 3rd-party systems that can help with this.
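A shared login leaves a fingerprint: one account signing in from several machines within minutes of each other. The following is an added example, not code from the original article, that runs that check over constructed equipment login lines (timestamp, user, source host); the log format is an assumption for illustration.

```python
"""Detect shared logins: one account used from several hosts in a short window.

Added example, not from the original article. The log format below
(timestamp, event, user, source host) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of equipment login events (not real data).
SAMPLE_LOG = """\
2021-06-01T06:58:12 LOGIN user=cnc_op src=10.20.1.15
2021-06-01T07:02:40 LOGIN user=cnc_op src=10.20.1.22
2021-06-01T07:05:03 LOGIN user=cnc_op src=10.20.1.31
2021-06-01T07:10:55 LOGIN user=jsmith src=10.20.2.40
2021-06-01T12:30:00 LOGIN user=jsmith src=10.20.2.40
2021-06-01T15:45:10 LOGIN user=cnc_op src=10.20.1.15
"""

def parse_events(text):
    """Parse 'TIMESTAMP LOGIN user=NAME src=HOST' lines into (time, user, src)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOGIN":
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        src = parts[3].split("=", 1)[1]
        events.append((ts, user, src))
    return events

def find_shared_accounts(text, window=timedelta(hours=1), min_hosts=2):
    """Return {user: sorted hosts} for accounts seen from at least min_hosts
    distinct sources inside some rolling window of length `window`."""
    by_user = defaultdict(list)
    for ts, user, src in parse_events(text):
        by_user[user].append((ts, src))
    flagged = {}
    for user, seen in by_user.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {src for ts, src in seen[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for user, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared login: {user} used from {', '.join(hosts)}")
```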
6. Develop, document, and execute a process to manage/update login passwords when someone leaves your company
This is really an IT basic best practice. If someone leaves your company, ensure that their access is shut off. When you hire someone, grant them access only to the systems REQUIRED to do their job. Rinse and repeat.
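The Colonial Pipeline account described above was exactly the kind this step is meant to catch: enabled, unused, and reachable through the VPN with only a password. As an added example (not code from the original article), the audit below reconciles a constructed directory export against a constructed HR departure list and flags enabled accounts that belong to departed staff, have been dormant for 90 days, or reach the VPN without MFA; the column names are assumptions for illustration.

```python
"""Audit a directory export for accounts that should already be shut off.

Added example, not from the original article. The export columns and the
HR departure list below are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed directory export, one row per account (not real data).
ACCOUNTS_CSV = """\
user,enabled,vpn,mfa,last_login
jsmith,true,true,true,2021-05-28
rjones,true,true,false,2020-11-02
mlee,true,false,true,2021-05-30
svc_cnc,true,false,false,2021-05-29
tbrown,false,true,false,2021-01-15
"""

# Constructed HR list of people who have left the company.
DEPARTED = {"rjones", "tbrown"}

# Date the audit is run (constructed so the example is reproducible).
AUDIT_DATE = date(2021, 6, 1)

def load_accounts(text):
    """Parse the CSV export into dicts with proper bool/date types."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "enabled": row["enabled"] == "true",
            "vpn": row["vpn"] == "true",
            "mfa": row["mfa"] == "true",
            "last_login": date.fromisoformat(row["last_login"]),
        })
    return rows

def audit_accounts(text, departed, today, dormant_days=90):
    """Return {user: [findings]} for enabled accounts that are dormant,
    belong to departed staff, or reach the VPN without a second factor."""
    findings = {}
    cutoff = today - timedelta(days=dormant_days)
    for acct in load_accounts(text):
        if not acct["enabled"]:
            continue  # already disabled: nothing left to shut off
        problems = []
        if acct["user"] in departed:
            problems.append("departed employee still enabled")
        if acct["last_login"] < cutoff:
            problems.append(f"no login in {dormant_days} days")
        if acct["vpn"] and not acct["mfa"]:
            problems.append("VPN access without MFA")
        if problems:
            findings[acct["user"]] = problems
    return findings

if __name__ == "__main__":
    for user, problems in audit_accounts(ACCOUNTS_CSV, DEPARTED, AUDIT_DATE).items():
        print(user, "->", "; ".join(problems))
```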
7. Relentlessly install firmware, software, and new versions on ALL IT and OpTech software
You MUST have a process to manage and control all of your manufacturing equipment updates. It is critical to know and understand when, why, and how your systems are regularly updated. A few years ago you might get away with being a version or two behind, but today it means you’re vulnerable. Every day hackers develop new tools and approaches to exploit once-secure systems. System updates are vendors’ responses to hackers’ efforts. You cannot secure your business without the updates. Go update your stuff!
8. Get IT on the same page with vendor schedules and processes for updating machines
Often, an equipment vendor will use a random support call from the shop floor to do an update or make a change to a piece of equipment. This is not ideal (see above), but is better than nothing. Normally this is nothing to worry about UNLESS your IT is in the dark about it. Our Helpdesk sees too many situations when a vendor makes a simple change to a piece of equipment and causes a problem elsewhere. For example, users open helpdesk tickets because all of a sudden they can no longer access and print ERP data. The equipment may have gotten fixed by a vendor update, but now there is a completely “unrelated” problem elsewhere. IT wastes precious time trying to figure out how the ERP could suddenly stop working. It’s an avoidable problem.
9. Eliminate situations where users need Administrator-level access on the system or computer to work properly
Administrators have POWER! User management, writing permissions, access to key files, deleting, and creating, just to name a few. Be honest and thoughtful about whether or not a user needs administrator access on a computer for your systems and manufacturing processes to work. Don’t just grant Admin access because it is expedient or you “trust” a user. If you never ask the question or push back on the vendor, you could end up with a company full of employees with administrator power. Does anyone think that is a good idea? Anyone? Yeah, I didn’t think so.
Conclusion
As a manufacturer, you know that if your line is down you’re losing money. No company can make itself 100% safe from hackers, but these simple steps can make life a helluva lot harder on hackers and a lot easier on you.
Dig deeper
Additional Reading:
Ransomware Best Practice Checklist
How to Protect Small Businesses with the NIST Cyber Security Framework