A lot of money, people “silly”, come quickly?

Editor’s note: This article is from the WeChat public account “machine that it can” (ID: almosthuman2017), Author: Wu Xin. Original title: “‘Blackmail’ Manufacturing”

Cybercriminals have shifted their attention from consumers to bigger and fatter fish: manufacturing companies that are rich, short of people, and under tremendous pressure to restore production capacity quickly. However, many manufacturers are not ready to fight the world’s deadliest malware, and even when they are attacked, the incidents are either played down or kept secret.

Ransomware usually brings huge costs, wastes time and resources, puts the company’s reputation and brand at great risk, and affects the perception of the entire industry. Yet as manufacturers transition to Industry 4.0, they are less prepared for cyber threats than other industries.

For example, less than two-thirds of manufacturers have a cybersecurity plan, but the plan is at the bottom of the department’s response plan. More and more manufacturing companies have no plans to invest in improving network security measures or data protection, although the implementation of automation and IoT devices in industrial environments is bringing new risks to management and more attack opportunities to hackers.

For a long time, manufacturing has been a fundamental part of the global economy and a leader in technological innovation. In a world dominated by Industry 4.0, manufacturers are increasingly adopting robotics, artificial intelligence, machine learning and advanced analytics. When considering the current and future perspectives of Industry 4.0, people’s attention needs to gradually turn to what it means to “connect everything” in the future.

In the planning process of Industry 4.0, solving safety issues is not a follow-up task, but the first priority.

Two years ago, on a clear night in Oslo, the capital of Norway, Halvor Molland was asleep when the phone rang around 3 in the morning. Molland is the senior vice president of communications at Norsk Hydro, one of the world’s largest aluminum manufacturers.

Two hours earlier, the company’s computers had suddenly started encrypting files and gone offline collectively. A staff member of the Hungarian branch realized that something was wrong. He shut down the entire company network, including the company website, email system, payroll system, etc., in accordance with the preset security procedures, but it was too late.

Hydro’s 500 servers and 2,700 personal computers were no longer functioning normally, and ransom messages flashed on the screens of employees’ computers, telling victims to email for the price of the decryption tool.

“My feeling is: you really don’t believe it,” Molland recalled in a recent interview. “At that time, it was decided to close the network because there was nothing to isolate to some extent.”

The attack began at Hydro’s factory in the United States. In Kentucky and Texas, the company has aluminum remelting facilities, but the largest aluminum plant in Cressona, Pennsylvania suffered the most losses. This factory was built by the US government during World War II to produce aluminum for weapons.

The supply disruption of this giant with a market value of US$12 billion and approximately 200 factories worldwide may trigger panic in the global aluminum industry, because there are only a few companies in the world that can provide products that meet the requirements of Daimler and Ford Motor Company. Customers also include Tesla.

Hydro’s plant in Cressona, Pennsylvania, USA.

Hydro did not pay the ransom. They shut down several automated production lines and changed the operating mode of factories in countries such as Norway, Qatar, and Brazil to “manual” mode. Since most of the files encrypted by ransomware cannot be decrypted, one of the arduous tasks that Hydro faced was to manually find specific orders and complete them.

Cressona’s makeshift war room used faxes, sticky notes and old computers to defeat cybercriminals.

Production returned to normal in about a month. Due to the shutdown of some factories for several weeks, the ransomware attack forced the company to hire 35,000 employees and lose between 90 million and 110 million U.S. dollars. This figure far exceeds the 3.6 million U.S. dollars covered by the insurance policy.

This is the worst cyber attack event in Norwegian history. Ironically, no one knows who attacked Hydro. Although all signs point to an organized Eastern European cybercrime group, they are still at large.

1 An undercurrent surging

However, Molland and his team did something extraordinary: They told the public in detail what happened and released a video of the interview.

But this is only an isolated case. Many manufacturers are not ready to fight the world’s deadliest malware, and even when they are attacked, the incidents are either played down or kept secret.

The ransomware LockerGoga that hit Hydro is a new virus that appeared in January 2019. Just a few days after causing Hydro to shut down the network, it was suspected of having invaded two American chemical companies, Hexion Inc. and Momentive Performance Materials Inc. Although Momentive admitted that it was under a ransomware attack and that the company had to urgently replace hundreds of computers, Hexion did not disclose any details of the attack.

Almost at the same time, the Belgian aircraft parts manufacturing giant ASCO, which was attacked by ransomware, has stopped production for more than a week, and there is no sign of ending. While the company was working to restore critical systems that were frozen by malware attacks, nearly 1,000 employees were sent home on paid leave.

ASCO is one of the most important suppliers of aircraft parts and parts design in the world. The company’s customers include Airbus, Boeing, Bombardier and Lockheed Martin. Unlike Hydro, ASCO has remained silent about this incident.

Manufacturers continue to appear in the list of ransomware victims. The internal documents of the German bicycle manufacturer Canyon were encrypted by ransomware, and order placement and delivery were forced to be delayed; a US nuclear weapon contractor was attacked by Maze ransomware and sensitive data was leaked; Tesla, Boeing, and SpaceX supplier Visser Precision refused to pay the ransom and had confidential files leaked.

The most sensational case was that the Honda Group was attacked by the SNAKE ransomware gang, which caused the production of factories in many countries outside the Japanese headquarters to stop. Unlike the understatement of official statements, the situation described in foreign media reports can be called tragic:

“The ransomware has spread to Honda’s entire network, affecting Honda’s computer servers, e-mail and other intranet functions. Honda is currently working to minimize the impact and restore all functions of production, sales and development activities.”

The threat intelligence released by IBM in 2020 stated that in the first quarter, ransomware attacks increased by 25% in all industries, but attacks against manufacturing increased by 156%, making it the most risky industry. According to data from Trend Micro Incorporated, a global cybersecurity software company, 150 manufacturing companies were involved in ransomware in the third quarter of 2020, more than any other industry.

A 2019 report from the consulting firm Kivu Consulting shows that although manufacturing accounted for 18% of ransom payments in 2019, the amount of ransom was very substantial. In 2019, ransom payments of US$6.8 million were made, accounting for 62% of the total ransom amount, higher than any other industry.

In March 2021, the manufacturer Honeywell became the latest manufacturing giant to be victimized in a cyber attack. This incident has once again reminded the world of the threats facing the manufacturing industry.

Scott Sayres, a Honeywell spokesperson, stated in an email on March 25 that the “malware intrusion” had “a minimal impact on our production.” He declined to elaborate, and refused to answer questions about whether ransomware was involved.

According to two Honeywell employees who did not want to be named, even though Honeywell issued a statement on March 23 that the company had “restored service,” a few days later the company still had lingering IT difficulties. These technical problems, including difficulty connecting to the company’s virtual private network and internal data sharing drives, have been gradually resolved.

In March of this year, Trend Micro commissioned independent research expert Vanson Bourne to conduct a survey of 500 IT and OT professionals in the United States, Germany, and Japan. The results showed that 61% of manufacturers have experienced cybersecurity incidents in their smart factories. 75% of manufacturers suffered system outages, of which 43% lasted more than 4 days.

Foreign media outlet CyberScoop asked to interview more than a dozen European and American manufacturers that, according to reports, had production interrupted by ransomware incidents in the past two and a half years. Almost all of the companies either declined to comment, did not respond, or stated that they could not reach an executive by press time.

The story continues, and there are new victims every day. The well-known industrial network security company Dragos predicts that the threats facing the manufacturing industry will continue to increase next year.

2 Why favor manufacturing?

Manufacturing has become a popular target for ransomware gangs. A very important reason is the huge contrast between costs and benefits. After all, it is also a business.

Part of the continued success of ransomware as a service is that it is easy to use. Criminals can buy and rent various ransomware products on the dark web, and then use phishing emails and other means to spread these products quickly and cheaply.

The features of these ransomware-as-a-service offerings include 24/7 online chat, help with obtaining bitcoin for ransom payments, access to payment services, and a console that helps criminal operators monitor their operational progress and profits.

The other side of low cost is that the benefits are very substantial. Most attacks on manufacturing are economically motivated, aiming at money and intellectual property. What manufacturers fear most is a production line shutdown. Faced with business interruptions, production losses, and difficulty in delivering products and invoicing, companies often need to spend a lot of money to get back on track. High costs force companies to pay ransoms quickly to resume business.

But this does not include invisible losses that are difficult to calculate. Molland said that he does not regret publicly elaborating how much pain the ransomware has caused Hydro and his company because, “It is too big, and we can’t cover it up anyway.”

In December 2020, McAfee’s latest investigation report, The Hidden Costs of Cybercrime, pointed out that for most organizations, after a ransomware attack, an average of 8 people need to be assigned and it takes 19 hours to restore and remediate IT systems or services. This not only increases the attacked party’s cost of handling the risk, but also generates new cost growth points due to the surge in demand for external assistance and risk insurance.

For example, the so-called new blue-collar problem. The Swiss manufacturer Meier Tobler was attacked by ransomware, resulting in direct costs to the company of more than 5 million U.S. dollars and production losses of more than 10.6 million U.S. dollars. For some employees (especially in the logistics department), only paid leave could be arranged; during the suspension at ASCO, nearly 1,000 employees were sent home on paid leave; Hydro even hired a large amount of new labor.

In the long run, business interruption will usually affect customer experience to varying degrees, affecting the brand trust and reputation of companies and institutions.

A data breach may cause a manufacturer to lose years’ worth of proprietary information and cause a permanent loss of customer trust. This is why the vast majority of manufacturing “meat tickets” stay tight-lipped about malware intrusions. They worry about losing customers, or about admitting that they paid criminals to recover their data.

In June 2020, the latest survey by Veritas Technologies, an international data management company in the United States, showed that 44% of consumers said they would stop buying products from companies that have been attacked by ransomware.

In addition, the activities of some manufacturing companies extend to multiple vertical industries, which also makes them a springboard for adversaries to attack industries such as electric utilities or pharmaceuticals; as part of the global supply chain, manufacturers are increasingly exposed to cyber risk challenges of a geopolitical-conflict nature.

It can be expected that cybercriminals will continue to use ransomware attacks against sectors, manufacturing included, where downtime brings high costs to profits, stock prices, human lives or political reputation. Attention has shifted from consumers to bigger and fatter fish: companies that have money on hand and are under tremendous pressure to recover quickly.

3 Why is the “meat ticket” full of flaws?

The paradox is that “in terms of network security, manufacturers are sloppy,” as Thomas Siebel, CEO of artificial intelligence platform C3.ai, once said bluntly.

As manufacturers transition to Industry 4.0, they are less prepared than other industries in the face of cyber threats. A report by the Wall Street Journal last year pointed out that less than two-thirds of manufacturers have cybersecurity projects, ranking bottom.

In addition, a larger percentage of manufacturing companies stated that they do not plan to implement improvements in important areas at any time in the next 12 months. For example, 63% of manufacturers currently do not have cyber insurance, and 37% of manufacturers have no plans to purchase cyber insurance in the next 12 months.

Network security training is also not part of the manufacturer’s plans for the coming year: 22% of companies do not plan to implement employee training, and 26% of companies say they will not conduct executive training. Another 15% have no plans to identify critical data worth protecting in the next year.

The Cyber Security Online Research Center of The Wall Street Journal conducted a survey of 389 corporate respondents from December 2019 to March 2020.

The survey results show that the manufacturing industry’s safety precaution score is basically the lowest.

In fact, it is also very difficult to modernize large-scale manufacturing plants. The legacy equipment or industrial Internet of Things (IoT) equipment used in many facilities was initially designed with efficiency and compliance issues in mind, without considering network security and data privacy risks. Production lines and industrial processes usually run on operating systems or industrial control systems. Due to the age of the software, these systems no longer accept security updates.

For example, in many food factories, most of the hardware and software used to run machines were developed and implemented in the 1990s and 2000s, especially the older industrial control systems (ICS) commonly used in food processing and manufacturing. The problem with these old systems is that they are not compatible with current network security best practices, making them extremely vulnerable to attacks.

If the manufacturer does not let the device offline to update the security, then it may be attacked by ransomware and paralyze the production line, but the offline maintenance of the system may cause high costs or cause damage to the operation.

Moreover, because each manufacturer’s facility differs in its IT infrastructure, the systems used and the data to be protected, the task is very complicated. There is also no uniform method to ensure the safety of every manufacturing plant overnight.

From a cognitive perspective, many manufacturing managers currently have insufficient awareness of network security and are unwilling to use resources to upgrade the old system. Of course, in addition to the responsibility and technicalization of the problem itself, the demand for talent is greater than the supply, which also leads to expensive solutions. It is estimated that by 2020, the global security professional gap will be as high as 2 million. Because industrial companies usually pay much lower salaries, high-end talents are unlikely to seek career development in OT companies.

It is particularly worth noting that, from the perspective of enterprise scale, although media reports mainly focus on cyber attacks on large manufacturers, the most common source of threats is small and medium-sized enterprises. Since small companies usually do not have the financial or human resources to conduct a powerful network assessment and risk quantification process, their security precautions often lag behind those of large companies.

The above-mentioned Wall Street Journal report shows that only 63% of companies with revenues of less than US$50 million have cybersecurity plans, while 81% of companies with revenues of more than US$1 billion have a cybersecurity plan. Worryingly, 15% of small companies have not implemented a cybersecurity plan.

The problem is that small and medium-sized companies that lack cyber security may transmit risks to other companies through complex supply chains. They themselves become the shortest stave in the barrel first, and may then be used as a springboard to disrupt the customer’s network, just like the 2013 attack on Target Corp., in which hackers entered the company’s network through an HVAC supplier.

In early 2020, when security experts investigated a series of attacks against the European and British space and defense industries, they found that the attacking organizations directly used legitimate remote connections or collaboration schemes between suppliers and partners to bypass tightly protected perimeter defenses and successfully enter the target’s network.

4 Portraits of “Kidnappers”

In the ransomware attacks suffered by manufacturing companies, one trend is clear: the manufacturing industry relies on industrial control systems (ICS) to operate at scale and to ensure consistent quality control and product safety, but attacks on industrial control systems are getting more and more serious.

Dragos found that industrial control systems have become an important target of attackers in the past two years, and ransomware with ICS-aware functionality has increased significantly.

Ekans/Snake ransomware and the “strongest” industrial control malware Trisis are two prominent representatives of “kidnappers”.

In June 2020, the Ekans ransomware’s attack on Honda caused it to suspend the production of automobile factories in the United States and Turkey, and motorcycle factories in India and South America. This ransomware is designed to terminate 64 different software processes on the victim computer, including many software processes specific to industrial control systems.

Its targeting of organizations with industrial control and SCADA systems is unprecedented. It can destroy software used to monitor infrastructure, such as oil company pipelines or factory robots. This may bring potentially dangerous consequences, such as preventing employees from remotely monitoring or controlling the operation of equipment.

In addition to Honda Motors, Ekans targets have covered energy (Bahrain Petroleum, ENEL Energy), medical equipment distribution and other industrial sectors, and striking industrial control systems has become an important goal.

As for the “strongest” industrial control malware, Trisis is the first malware specifically targeted at the Safety Instrumented System (SIS), and the first malware that can remotely cause civilian infrastructure to enter an insecure state.

As a hardware and software control system, the safety instrumented system is mainly used to protect industrial processes and equipment in nuclear, oil and gas, or manufacturing plants. SIS is an important part of the automatic control of factories and enterprises. At present, a few companies around the world are developing and managing SIS systems, including but not limited to Emerson, Honeywell and Yokogawa of Japan.

The instructions contained in Trisis may cause production interruptions or cause SIS-controlled machines to work in unsafe conditions that may cause explosions, posing a huge threat to the lives of human operators. In December 2017, XENOTIME, the hacker organization behind Trisis, used a zero-day vulnerability in Schneider’s Triconex safety instrument control system to attack an oil and gas plant in the Middle East, almost causing the plant to explode.

Dragos currently publicly tracks five organizations that target manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME. They have previously tried, or are currently trying, to use remote access technology or login infrastructure. It is not difficult to find that energy networks are particularly vulnerable to cyber attacks.

As one of the first industries to integrate robots into assembly lines, the manufacturing industry has also incorporated advanced automation into the industry. Especially in the metals and mining industries, technology and automation are key points. Hydro invested in an automated ultrasonic inspection system in 2015 to accurately scan product impurities to meet the strict requirements of customers in the transportation industry. Without automatic certification, automakers will not be able to use these parts.

However, whether it is connected robots, mobile robots, supervisory control and data acquisition (SCADA) systems or even AI integration, these have brought great efficiency improvements, but if network security is not embedded up front, they may increase the manufacturing industry’s advanced cyber risk.

Many new types of connected devices have been introduced into corporate networks, but the embedded operating systems of IoT devices are not designed for easy patching, which can cause widespread network risks.

Driven by the COVID-19 pandemic and the acceleration of global digitalization, millions of remote office scenarios have appeared rapidly, and the resulting increase in network openness and in the number of interfaces has invisibly created a new attack surface for ransomware.

The digital transformation of manufacturing companies has made industrial control systems an important target for attackers. According to a report from Kaspersky in 2019, the area with the largest number of vulnerable products is industrial control systems. For manufacturing activities that are highly dependent on computer systems for production, automation, quality assurance, monitoring and safety, ransomware is extremely destructive.

5 The first priority of Industry 4.0 is safety

For a long time, manufacturing has been a fundamental part of the global economy and a leader in technological innovation. In a world dominated by Industry 4.0, manufacturers are increasingly adopting robotics, artificial intelligence, machine learning and advanced analytics.

When considering the current and future perspectives of Industry 4.0, people’s attention needs to gradually turn to what it means to “connect everything” in the future.

In addition to vigorous data discussions, security is also an important issue that lingers in the Industry 4.0 process. Applying new Industry 4.0 technology to old systems may increase security risks, because the old systems are not suited to this type of connection.

At the same time, while highly interconnected systems and supply chains generate huge benefits, companies cannot fully understand their risk exposure and attack surfaces, especially when other interconnected systems, networks, and supply chains are involved.

In the planning process of Industry 4.0, solving safety issues is not a follow-up task, but the first priority.

Now, Norsk Hydro is developing an AI tool to detect hackers trying to access its industrial equipment. The tool looks for unusual activities that may suggest hacking, such as frequent password changes on a device. It will then trigger an alert to Norsk Hydro’s cyber security team.
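The signal mentioned above, frequent password changes on a device, can be illustrated with a plain sliding-window rule. The following Python is an added example, not Norsk Hydro’s tool and not code from the original article; the log format, device names, 15-minute window and threshold of three are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): "<ISO timestamp> <device> <event>"
SAMPLE_LOG = """\
2021-04-01T08:00:00 plc-press-01 login_ok
2021-04-01T08:05:00 plc-press-01 password_change
2021-04-01T09:00:00 hmi-furnace-02 password_change
2021-04-01T09:04:00 hmi-furnace-02 password_change
2021-04-01T09:09:00 hmi-furnace-02 password_change
2021-04-01T09:10:00 hmi-furnace-02 password_change
2021-04-01T14:00:00 plc-press-01 password_change
malformed line without fields
2021-04-02T09:00:00 hmi-furnace-02 password_change
"""


def parse_events(text):
    """Yield (timestamp, device, event) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def detect_password_change_bursts(events, threshold=3,
                                  window=timedelta(minutes=15)):
    """Return one alert per burst of >= threshold password changes
    on the same device inside the sliding time window."""
    recent = defaultdict(deque)   # device -> timestamps still inside window
    in_burst = set()              # devices already alerted for current burst
    alerts = []
    for ts, device, event in sorted(events):
        if event != "password_change":
            continue
        q = recent[device]
        q.append(ts)
        # Drop changes that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            if device not in in_burst:
                in_burst.add(device)
                alerts.append({"device": device, "first": q[0],
                               "last": ts, "count": len(q)})
        else:
            # Burst is over; a later burst on this device alerts again.
            in_burst.discard(device)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_change_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['device']}: {alert['count']} password changes "
              f"between {alert['first']} and {alert['last']}")
```

A single routine change, such as the ones on `plc-press-01`, stays below the threshold, while the burst on `hmi-furnace-02` raises exactly one alert instead of one per event.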

It turns out that machine learning and artificial intelligence are useful new technologies in this particular area, making endpoint defenses more agile and adaptive in identifying and responding to new ransomware variants.

Since 2015, manufacturing has been one of the five industries most severely hit by cyber attacks. In the future, manufacturing will only become more and more important. In the face of lost ransoms, lost data, and even intellectual property rights, and various huge risks, even “turtle-feathered” manufacturers have to push for the implementation of the first priority in a compromise.

Reference links:

https://www.wsj.com/articles/the-industries-most-vulnerable-to-cyberattacksand-why-11592786160?mod=searchresults&page=1&pos=15

https://www.mimecast.com/blog/why-manufacturers-are-under-prepared-for-cyber-resilience/

https://www.cyberscoop.com/honeywell-hack-ransomware-manufacturing-norsk-hydro/

https://resources.trendmicro.com/Industrial-Cybersecurity-WP.html