Manufacturers should prepare for different types of cyberattacks
Insight article
Among manufacturers in the middle market, there is a small cohort (about 11 percent) of company leaders who are unaware whether or not their system has ever been hacked. The 2017 RSM Manufacturing Monitor noted this trend, adding that the majority usually say that they have not been hacked to date and that they have taken steps to prevent system breaches in the future. Yet the security procedures taken by most survey participants are primarily the minimum required to maintain a semblance of data security.
Several misconceptions exist when it comes to cybersecurity, including that a company may be too small to suffer a breach or that it may not have valuable data. The reality is that all information has value, even on a small scale. Regardless of size, organizations usually have something of value to hackers, even if it is harvesting email addresses or commandeering bandwidth. In fact, because midsize and small organizations use more “off the shelf,” noncustomized software, attackers typically find these companies easier to breach than highly customized organizations.
Types of attacks
What are the weaknesses that are allowing attackers to compromise the data of manufacturing companies and, just as important, what are some of the missteps organizations are making post-breach that increase the duration of and expenses associated with the incident?
Some of the more common data breach methods occurring in manufacturing companies include:
- Client-side attacks: Since it has become standard practice to set up an internet-facing firewall to prevent hackers from conducting direct external attacks on an organization, attackers seek ways to invade an organization’s systems from the inside. In these cases, the attack starts on an employee’s PC and then, through multiple methods, spreads to other systems and breaches the internal servers where the desired information is stored. Attackers often target out-of-date web browsers, browser plug-ins such as Java or Adobe, and office software with malicious web pages or documents.
- Custom malware: This method uses malicious software (i.e., malware) to alter, damage or disable systems. Standard malware can easily be mitigated with anti-virus products. However, the widespread availability of malware kits allows even unsophisticated attackers to create customized and elite versions of this invasive software that can evade detection for months.
- Social engineering: A fancy name for what really amounts to a traditional con game. While it is a nuanced point, this type of attack compromises the organization via the manipulation of people rather than technology, even though the attack is delivered using mediums such as email and phone calls. In a common version using web pages, the attacker constructs a website that contains malicious code, then entices visitors to the page.
- Ransomware: These are attacks that do not steal sensitive data, but rather make it unavailable. The current method of choice is to infect a target system, encrypt all the material on that system and force the user to pay a ransom in order to get the attacker to provide the decryption key. The ransom demands had been relatively cheap, averaging a few hundred dollars, as recently as two years ago. However, ransoms have quickly escalated and are now averaging in the tens of thousands of dollars.
Specific examples of intellectual property theft rarely make their way into the media. Because the loss of IP does not require disclosure, public companies that have been victimized usually do not want the public to know about the loss for fear of lawsuits or a loss of investor confidence. However, a 2013 report published on behalf of the Commission on the Theft of American Intellectual Property, updated in 2017, notes that IP theft, pirated software and counterfeit goods may cost the U.S. economy as much as $600 billion annually.2
Perhaps the best-known example involved American Superconductor Corp (AMSC) and Sinovel, a corporation based in China. Together, they were making wind turbines—AMSC made the controller or “brain” that was used in the turbine manufactured by Sinovel. In June 2011, AMSC discovered that one of the turbines was malfunctioning in the Gobi Desert. Technicians could not determine the nature of the problem, so a copy of the malfunctioning device was retrieved and investigated. The company found that the turbine was using a stolen and modified copy of AMSC software put in place by Sinovel. This explained why, earlier that year, Sinovel had begun refusing all shipments of the controller from AMSC. By the following spring, AMSC had to disclose to shareholders the loss of its biggest customer. In a single day, AMSC stock lost 40 percent of its value. By that September, AMSC stock had depreciated 85 percent.3
In the automotive sector, Ford Motor Company had one of its engineers sentenced to six years in prison for sending more than 4,000 documents—including trade secrets and design specs—to China.4 When these types of thefts occur, they are often undiscovered until competing counterfeits surface, leaving the company with inventory that now must contend with a much cheaper alternative product in the market.
Three types of controls
Security controls can be preventive, detective or corrective by nature; however, the three distinct disciplines each require their own focus.
Preventive controls are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. Unfortunately, organizations are typically too focused on preventive controls and too trusting of their perceived effectiveness.
Many preventive controls focus on securing the perimeter, but with cloud adoption, remote access and mobile devices, the concept of a single perimeter is outdated. Attacks can occur in many ways, and preventive controls must expand beyond the typical network boundary. In fact, preventive controls can be deployed throughout an environment to impede attackers at each step as they attempt to work through the attack process.
Company management cannot count on preventive controls alone and must implement measures to stop an attack in progress once they fail.
Detective controls help to monitor and alert an organization of any malicious or unauthorized activity. They provide support for post-incident corrective controls by allowing management to understand the method by which the attackers gained access and any data they may have accessed or stolen. To be successful, detective controls must be applied with the value of the asset or data in mind.
Infiltration has typically been the primary focus of detective controls, focusing on what is outside the network, rather than what is inside. However, detective controls can be implemented at any stage in the attack life cycle to increase data security. System log data and alerts can help stop the hacker at each stage.
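The paragraph above says that system log data and alerts can catch an attacker at each stage, and the ransomware bullet earlier notes that such attacks make data unavailable by encrypting it. The following script is an added illustration of a detective control of that kind; it is not code from the article or from RSM. It parses constructed sample log lines in a hypothetical pipe-delimited format and flags two stage-specific indicators: a burst of failed logons against one account from one source (an attacker trying to move from a compromised PC to a server), and one process renaming many files to an unusual extension in a short window (the bulk-encryption behaviour of ransomware). The log format, hostnames, process names and thresholds are all assumptions for the example.

```python
"""Detective control example: sliding-window burst detection over log events.

Added illustration, not code from the article. Log format, hosts, actors and
thresholds below are constructed assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log. Format: timestamp|host|event|actor|detail"""
    base = datetime(2017, 6, 1, 8, 0, 0)
    lines = []
    # Six failed logons in ten seconds for one account from one source (burst).
    for i in range(6):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()}|fs-01|auth_fail|jsmith|src=10.0.5.7")
    # Two isolated failures minutes apart from another user (ordinary typos).
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()}|fs-01|auth_fail|mlee|src=10.0.9.3")
    lines.append(f"{(base + timedelta(minutes=9)).isoformat()}|fs-01|auth_fail|mlee|src=10.0.9.3")
    # Thirty renames to an unusual extension by one process in 15 seconds
    # (the bulk-encryption pattern described for ransomware).
    for i in range(30):
        t = base + timedelta(minutes=20, milliseconds=500 * i)
        lines.append(f"{t.isoformat()}|ws-12|file_rename|updater.exe|"
                     f"path=C:/Docs/spec{i}.docx -> spec{i}.docx.locked")
    # A few ordinary saves from an office application (below threshold).
    for i in range(3):
        t = base + timedelta(minutes=30, seconds=40 * i)
        lines.append(f"{t.isoformat()}|ws-12|file_rename|winword.exe|"
                     f"path=C:/Docs/~tmp{i} -> report.docx")
    return "\n".join(lines)


def parse_events(text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, actor, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "actor": actor, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def burst_keys(events, kind, key_fn, threshold, window):
    """Return {key: peak_count} for keys whose events of `kind` reach
    `threshold` occurrences inside any sliding window of length `window`."""
    per_key = defaultdict(list)
    for e in events:
        if e["kind"] == kind:
            per_key[key_fn(e)].append(e["ts"])
    alerts = {}
    for key, times in per_key.items():
        start = 0
        for end in range(len(times)):
            # Advance the window start until all events fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def detect_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Failed logons per (host, account, source) exceeding threshold in window."""
    return burst_keys(events, "auth_fail",
                      lambda e: (e["host"], e["actor"], e["detail"]),
                      threshold, window)


def detect_mass_renames(events, threshold=20, window=timedelta(seconds=30)):
    """File renames per (host, process) exceeding threshold in window."""
    return burst_keys(events, "file_rename",
                      lambda e: (e["host"], e["actor"]), threshold, window)


def run_detectors(text):
    """Run both detectors and return human-readable alert strings."""
    events = parse_events(text)
    alerts = []
    for (host, actor, src), n in detect_logon_bursts(events).items():
        alerts.append(f"{host}: {n} failed logons for {actor} ({src}) within 1 minute")
    for (host, actor), n in detect_mass_renames(events).items():
        alerts.append(f"{host}: {actor} renamed {n} files within 30 seconds")
    return alerts


if __name__ == "__main__":
    for alert in run_detectors(build_sample_log()):
        print("ALERT", alert)
```

The two thresholds are deliberately tied to the asset: a file server gets a tight logon-failure window, while the rename rule keys on the process rather than the user so that a legitimate application saving a handful of documents stays below it. In practice the same sliding-window logic would run against real authentication and file-audit logs, with thresholds tuned to observed baselines.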
Corrective controls are designed to limit the scope of an incident and mitigate unauthorized activity. These measures provide support for post-incident activities and help you understand how to improve your preventive and corrective controls moving forward. Many organizations view corrective controls as technical, but they can also be physical, procedural, and legal or regulatory in nature.
Organizations often apply corrective controls only once a full breach is under way, but they should be implemented earlier to reduce the risk of harm. For example, management can identify and block attackers during the initial exploitation. Hackers can then be deterred from gaining the full access they need to progress to later stages and cause more damage.
Organizations can implement several initiatives to mitigate costs and risks. From an administrative perspective, companies can develop a written information security program, vendor management protocols, and business continuity and disaster recovery plans. Specific preparation tasks include performing an information technology risk assessment and implementing an incident response plan, mock incident response drills and security awareness training. Incident response documentation is also valuable, and can include how an incident was discovered, what actions were performed, when the event occurred and the ultimate results.
There are no silver bullets to protect against incidents and there is no one-size-fits-all approach to developing and implementing security controls. The reality is that a company likely will suffer a breach, but implementing the right preventive, detective and corrective controls makes an organization more difficult for hackers to exploit and limits the potential damage.
1. “FBI’s Advice on Ransomware? Just Pay The Ransom.” The Security Ledger, Oct. 22, 2015.
2. Update to the IP Commission Report. The National Bureau of Asian Research, Feb. 2017.
3. Riley, M. and Vance, A. “China Corporate Espionage Boom Knocks Wind Out of U.S. Companies.” Bloomberg Business, March 15, 2012.
4. Delevingne, L. “Chinese Man Steals Ford Car Secrets.” Business Insider, Oct. 16, 2009.