Manufacturers should prepare for different types of cyberattacks
Several misconceptions exist when it comes to cybersecurity, including the belief that a company is too small to suffer a breach or that it holds no data worth stealing. The reality is that all information has value, even on a small scale. Regardless of size, organizations usually have something of value to attackers, even if it is only a list of email addresses or bandwidth that can be commandeered. In fact, because midsize and small organizations rely more heavily on "off the shelf" software with well-known weaknesses, attackers typically find them easier to breach than larger organizations running highly customized environments.
Types of attacks
What are the weaknesses that are allowing attackers to compromise the data of manufacturing companies and, just as important, what are some of the missteps organizations are making post-breach that increase the duration and expense of the incident?
Some of the more common data breach methods occurring in manufacturing companies include:
- Client-side attacks: These breaches are the latest round of the ongoing IT security arms race, in which each new defense forces attackers to find another route to unauthorized access. Since it has become standard practice to place an Internet-facing firewall in front of an organization to block direct external attacks, attackers instead look for a way in from the inside. The attack starts on an employee's workstation, typically through a malicious email attachment or a compromised web page, and then spreads laterally to other systems until it reaches the internal servers where the desired information is stored.
- Custom malware: This method uses malicious software (malware) to alter, damage or disable systems. Commodity malware is usually caught by signature-based anti-virus products. However, the widespread availability of malware kits allows even unsophisticated attackers to produce customized variants that do not match existing signatures and can evade detection for months.
- Social engineering: A fancy name for what amounts to a traditional con game. This type of attack compromises the organization by manipulating people rather than technology, even though it is delivered through technical channels such as email and phone calls. In a common web-based version, the attacker sets up a website that hosts malicious code and then entices victims to visit it, for example through a phishing email.
- Ransomware: These attacks typically do not steal sensitive data but instead make it unavailable. The current method of choice is to infect a target system, encrypt the files on it and demand payment in exchange for the decryption key. These ransom attacks have been so successful and so hard to combat that the FBI has been reported as advising victims to pay if they want their data back.1 Paying offers no guarantee of recovery, however; the dependable counter is maintaining offline backups that are tested regularly and cannot be reached from the infected systems.
Specific examples of intellectual property theft rarely make their way into the media. Because the loss of IP, unlike the loss of personal data, generally triggers no breach-notification requirement, public companies that have been victimized usually prefer that the public not learn of the loss, for fear of lawsuits or a loss of investor confidence. However, a report published on behalf of the Commission on the Theft of American Intellectual Property documented 20 IP theft cases that went to court in 2013. These cases spanned a wide range of industries, from automotive to industrial software to pharmaceuticals.2
Perhaps the best-known example involved American Superconductor Corp (AMSC) and Sinovel, a corporation based in China. Together they were making wind turbines: AMSC made the controller, or "brain," used in the turbines manufactured by Sinovel. In June 2011, AMSC discovered that one of the turbines was malfunctioning in the Gobi Desert. Technicians could not determine the nature of the problem, so a copy of the software running on the malfunctioning controller was retrieved and examined. The company found that the turbine was running a stolen and modified copy of AMSC's software that Sinovel had put in place. This explained why, earlier that year, Sinovel had begun refusing all shipments of the controller from AMSC. By the following spring, AMSC had to disclose to shareholders the loss of its biggest customer. In a single day, AMSC stock lost 40 percent of its value. By that September, the stock had fallen 85 percent.3
In the automotive sector, a Ford Motor Company engineer was sentenced to six years in prison for taking more than 4,000 documents, including trade secrets and design specifications, to China. Thefts of this kind often go undiscovered until competing counterfeits surface, leaving the company holding inventory that must now compete with a much cheaper copy of its own product.
Three types of controls
Security controls can be preventive, detective or corrective in nature, and each of the three disciplines requires its own focus.
Preventive controls are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. Unfortunately, organizations are typically too focused on preventive controls and too trusting of their perceived effectiveness.
Many preventive controls concentrate on securing the perimeter, but with trends such as cloud adoption, remote access and mobility, the notion of a single network boundary is outdated. Attacks can arrive in many ways, and preventive controls must extend beyond the traditional perimeter. They can be deployed throughout an environment to impede attackers at each stage of an attack, from initial access through lateral movement to data theft.
Company management cannot count on preventive controls alone and must have measures in place to stop an attack in progress once those controls fail.
Detective controls monitor an environment and alert the organization to malicious or unauthorized activity. They also support post-incident corrective action by allowing management to understand how the attackers gained access and what data they may have viewed or stolen. To be effective, detective controls must be applied with the value of the asset or data in mind, so that activity on the systems holding the most valuable information receives the closest scrutiny.
Detective controls have traditionally concentrated on infiltration, watching what is coming in from outside the network rather than what is happening inside it. However, they can be implemented at any stage of the attack life cycle. System log data and the alerts derived from it can reveal an attacker's presence at each stage, such as repeated failed logins followed by a successful one, and give responders the chance to intervene before the attacker reaches the data.
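As an added illustration of a detective control built on system log data (this is example code written for this page, not code from the article's authors), the script below parses a handful of constructed OpenSSH-style authentication log lines and raises two kinds of alert: a burst of failed logins from one source address, and a successful login from a source that has just been failing, which is the pattern of a brute-force attack that succeeded. The hostnames, user names, IP addresses, the five-failures-in-five-minutes threshold and the list of high-value hosts are all assumptions chosen for the example; a real deployment would take them from the organization's own asset inventory and risk assessment.

```python
"""Detective control over sshd log lines: parse, then alert on brute-force patterns.

Added example, not from the original article. All log lines, hosts, users and
IPs below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in syslog/OpenSSH format (hypothetical hosts and addresses).
SAMPLE_LOG = """\
Mar  3 08:00:01 plc-eng-01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 08:00:04 plc-eng-01 sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Mar  3 08:00:09 plc-eng-01 sshd[4125]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 08:00:15 plc-eng-01 sshd[4129]: Failed password for root from 203.0.113.7 port 51151 ssh2
Mar  3 08:00:21 plc-eng-01 sshd[4133]: Failed password for jsmith from 203.0.113.7 port 51160 ssh2
Mar  3 08:00:27 plc-eng-01 sshd[4137]: Accepted password for jsmith from 203.0.113.7 port 51171 ssh2
Mar  3 08:15:00 cad-srv-02 sshd[7780]: Accepted publickey for jsmith from 10.20.30.40 port 40001 ssh2
Mar  3 09:02:11 cad-srv-02 sshd[7791]: Failed password for jsmith from 10.20.30.41 port 40100 ssh2
"""

# Assumed high-value assets: alerts involving them are rated high (see the paragraph above
# on applying detective controls with asset value in mind).
HIGH_VALUE_HOSTS = {"plc-eng-01"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2016):
    """Turn sshd log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so it is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=5, window=timedelta(minutes=5), high_value_hosts=HIGH_VALUE_HOSTS):
    """Apply two rules over time-ordered events and return a list of alert dicts.

    BRUTE_FORCE: at least `threshold` failed logins from one source within `window`.
    SUCCESS_AFTER_FAILURES: an accepted login from a source with a failure inside `window`.
    """
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent failed logins
    reported = set()               # sources already reported as brute force (avoid alert storms)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src"]
        severity = "high" if e["host"] in high_value_hosts else "medium"
        # Keep only failures inside the sliding window relative to this event.
        recent = [t for t in failures[src] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) >= threshold and src not in reported:
                reported.add(src)
                alerts.append({"rule": "BRUTE_FORCE", "src": src, "host": e["host"],
                               "ts": e["ts"], "user": None, "severity": severity})
        elif recent:
            alerts.append({"rule": "SUCCESS_AFTER_FAILURES", "src": src, "host": e["host"],
                           "ts": e["ts"], "user": e["user"], "severity": severity})
        failures[src] = recent
    return alerts


def run(log_text=SAMPLE_LOG):
    """Convenience entry point: parse the sample log and return its alerts."""
    return detect(parse(log_text))


if __name__ == "__main__":
    for a in run():
        print(f"{a['ts']} {a['severity'].upper():6} {a['rule']} src={a['src']} "
              f"host={a['host']} user={a['user']}")
```

Against the sample log the script raises a high-severity brute-force alert for 203.0.113.7 on the fifth failure and a second high-severity alert when that same address succeeds as jsmith seconds later; the single failure from 10.20.30.41 stays below the threshold and is not reported. The same two rules apply unchanged to Windows event logs or VPN logs once a parser for those formats produces the same event dicts, which is the practical point: the detection logic belongs to the stage of the attack, not to a particular log source.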
Corrective controls are designed to limit the scope of an incident and stop unauthorized activity once it has been detected. They also support post-incident review, helping management understand how the preventive and detective controls should be improved going forward. Many organizations think of corrective controls as purely technical, but they can also be physical, procedural, legal or regulatory in nature.
Organizations often apply corrective controls only once a breach is fully under way, but they should be brought to bear earlier to reduce the risk of harm. For example, management can isolate and block an attacker during the initial exploitation, before the attacker gains the broader access needed to progress to later stages and cause more damage.
Organizations can implement several initiatives to mitigate costs and risks. From an administrative perspective, companies can develop a written information security program, vendor management protocols and business continuity and disaster recovery plans. Specific preparation tasks include performing an information technology risk assessment and implementing an incident response plan, mock incident response drills and security awareness training. Incident response documentation is also valuable, and can include how an incident was discovered, what actions were performed, when the event occurred and the ultimate results.
There are no silver bullets to protect against incidents and there is no one-size-fits-all approach to developing and implementing security controls. The reality is that a company likely will suffer a breach, but implementing the right preventive, detective and corrective controls makes an organization more difficult for hackers to exploit and limits the potential damage.
1 “FBI’s Advice on Ransomware? Just Pay The Ransom.” (Oct. 22, 2015) The Security Ledger.
2 The IP Commission Report (May 2013) The National Bureau of Asian Research.
3 Riley, M. and Vance, A. “China Corporate Espionage Boom Knocks Wind Out of U.S. Companies” (March 15, 2012) Bloomberg Business.