In Q2 of this year, we observed that 70% of 177 alleged ransomware attacks that impacted industrial organizations were in the manufacturing sector. It’s really nothing new – in 2021 manufacturing became the industry most targeted by ransomware, and that trend continued throughout 2022 and 2023.
Many large companies began their manufacturing cybersecurity journey in 2017 following the WannaCry and NotPetya incidents. But many jumped right into technical solutions and neglected basic foundational elements of an operational technology (OT) security program.
Other small and medium-sized companies have not yet started their manufacturing security journey. Here we outline a step-by-step process for manufacturers that have not yet developed a manufacturing cybersecurity resilience program, and we also offer a double-check for large manufacturers to ensure that they haven’t overlooked some of the basics.
Step 1: Take care of the basics
Manufacturers need to start with an asset management program. If the organization does not have one, it has two choices: if it can afford to buy technology specifically for OT asset management, buy it. If not, grab a spreadsheet and start an inventory of everything in the plant. At the same time, train employees in the plant on what they should do if a ransomware message appears. And have top leadership work with the legal team to determine if the company would pay the ransom – don’t wait until a crisis to research the details behind this complex decision.
Step 2: Put in fundamental protective measures
While working on Step 1, also start putting some protective measures in place. Get the IT team involved (even if it’s outsourced) – they are an important partner in these activities. First, determine whether any assets in the plants are exposed to the internet, and if so, remediate. Second, vendors can spread malware from customer to customer, so put a process in place for vendors to securely access the plants and transfer files to them. Finally, implement a secure remote access solution, including multi-factor authentication.
Step 3: Prepare for the worst
While the fundamentals and some basic protective measures are being put in place, the team may develop a false sense of security. Manufacturing cybersecurity is complex, and given the significant ransomware threat everyone faces, it’s important to prepare for the case in which an attack succeeds. So start on Step 3 while others are finishing Steps 1 and 2. Think about the worst thing that could happen in the plants. Which plants, lines and assets would be involved in that scenario? Work through those assets, lines and plants in priority order and make sure that each asset is backed up (including an offline copy in case the online version is impacted), that logging is enabled on the asset, and that the team alerts on and investigates suspicious activity in those logs. This gives the team a chance to investigate suspicious activity proactively before an actual incident occurs, and in the worst case, if there is a cyberattack, the team can perform forensics to determine what happened (so it doesn’t happen again) and recover the most critical capabilities as quickly as possible.
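Steps 1 to 3 fit together as one procedure: the inventory from Step 1 is what lets the team find internet-exposed assets and remote access paths without MFA (Step 2) and then work through backups, logging and alerting in criticality order (Step 3). The following script is an added example, not code from the article or from Dragos, showing how a spreadsheet-style inventory can drive those checks and produce a prioritized gap list. The column names and the sample rows are constructed for the example; a real program would use whatever fields its asset management tool or spreadsheet defines.

```python
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory. The column set is an assumption of this example
# (it is not a format the article or Dragos prescribes); a real plant spreadsheet
# carries whatever columns the asset management program defines.
SAMPLE_INVENTORY = """\
asset_id,plant,line,type,criticality,internet_exposed,backup_online,backup_offline,logging_enabled,log_alerting,remote_access_mfa
hmi-01,plant-a,line-1,HMI,high,no,yes,no,yes,no,yes
plc-02,plant-a,line-1,PLC,high,yes,no,no,no,no,n/a
hist-01,plant-a,shared,Historian,medium,no,yes,yes,yes,yes,yes
eng-ws-03,plant-b,line-2,EngineeringWorkstation,medium,no,no,no,yes,no,no
vendor-gw,plant-b,shared,RemoteAccessGateway,high,yes,yes,yes,yes,yes,no
"""

# Worst-case scenario ordering: the most critical assets get remediated first.
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    asset_id: str
    plant: str
    criticality: str
    step: int   # which step of the article the gap belongs to (1, 2 or 3)
    issue: str


def _yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def load_inventory(text: str) -> list[dict[str, str]]:
    """Parse the spreadsheet export (CSV text) into one dict per asset."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(rows: list[dict[str, str]]) -> list[Finding]:
    """Return every gap found, ordered by asset criticality, then by step."""
    findings: list[Finding] = []
    for r in rows:
        def gap(step: int, issue: str) -> None:
            findings.append(Finding(r["asset_id"], r.get("plant", ""),
                                    r.get("criticality", "low"), step, issue))

        # Step 1: the inventory itself must say where the asset is and what it is.
        for col in ("plant", "line", "type"):
            if not r.get(col, "").strip():
                gap(1, f"inventory record is missing '{col}'")

        # Step 2: nothing in the plant should be reachable from the internet, and
        # remote access paths (vendor or internal) need multi-factor authentication.
        if _yes(r.get("internet_exposed", "")):
            gap(2, "asset is exposed to the internet")
        if r.get("remote_access_mfa", "").strip().lower() == "no":
            gap(2, "remote access without multi-factor authentication")

        # Step 3: a backup plus an offline copy, logging on the asset, and someone
        # actually alerting on the logs (alerting is moot if nothing is logged).
        if not _yes(r.get("backup_online", "")):
            gap(3, "no backup")
        if not _yes(r.get("backup_offline", "")):
            gap(3, "no offline backup copy")
        if not _yes(r.get("logging_enabled", "")):
            gap(3, "logging not enabled")
        elif not _yes(r.get("log_alerting", "")):
            gap(3, "logs collected but nobody is alerted on suspicious activity")

    findings.sort(key=lambda f: (CRITICALITY_RANK.get(f.criticality.lower(), 99),
                                 f.step, f.asset_id))
    return findings


def summarize(findings: list[Finding]) -> dict[int, int]:
    """Count open gaps per step, so progress on Steps 1-3 can be tracked over time."""
    return dict(Counter(f.step for f in findings))


if __name__ == "__main__":
    for f in assess(load_inventory(SAMPLE_INVENTORY)):
        print(f"[{f.criticality:6}] step {f.step}  {f.plant}/{f.asset_id}: {f.issue}")
```

Re-running the script against each new export of the inventory gives the team a simple burn-down of open gaps per step; on the constructed sample the internet-exposed high-criticality PLC comes out first, which is the order the article argues for.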
Step 4: Step back and look at the big picture
Implementing a comprehensive OT backup and recovery program as well as a logging program requires a lengthy process, so while working on Step 3 create an OT cybersecurity incident response plan. Then test that plan by holding a tabletop exercise specifically focused on ransomware in the manufacturing environment. Use the tabletop to identify gaps in all of the controls implemented in Steps 1-3 and remediate.
Step 5: Apply technical controls
Technical controls in manufacturing include defensible architecture, network segmentation, visibility and monitoring tools, separating IT and OT credentials, and risk-based vulnerability management. Large companies with sufficient resources often focus on these technical controls at the outset of their manufacturing cybersecurity journey. Some of these controls, like defensible architecture, separate IT and OT credentials, and network segmentation, are often complicated and time-consuming, especially in large, complex environments, and therefore getting a head start makes sense. Others can deliver immediate benefits, like visibility and monitoring tools. Therefore, if the company can afford to start here it’s beneficial, but go back and perform Steps 1-4 as soon as possible.
Step 6: Build an ecosystem
The company can have a robust manufacturing cybersecurity program that offers optimal resiliency against ransomware and other cyberthreats, but if the distribution ecosystem breaks down, the organization will be stuck with products in warehouses that it cannot ship. If a supplier gets taken down by ransomware, it could impact the ability to produce products. So once the team gets its house in order, pay attention to the status of the surrounding ecosystem.
Applying all these measures takes significant time and effort, but that’s the point. The risk of a cyberattack impacting a manufacturing environment continues to increase, so it’s important to get started as soon as possible – the controls the team has in place and the way it responds makes all the difference in how the company emerges from an attack.
Dawn Cappelli, director, operational technology, Cyber Emergency Readiness Team (OT-CERT), Dragos