H Insider Threat 63fe3197d4074

The cyber-threat that every manufacturing company needs to prepare for: insiders

Feb. 28, 2023
Amateurs attack IT and professionals attack OT.

By Moty Kanias, vice president of cyber-strategy & alliances, NanoLock Security

Factories present unique cybersecurity challenges that are often overlooked by InfoSec vendors. For many companies, the information-security program thrives in the front office, but it doesn’t always make it out to the shop floor. That doesn’t mean that your factory hasn’t experienced an insider incident, or that it is impervious to the incidents that occur.

Insider threats are more common than most know

Great businesses understand that their people are their most important assets. But there is another side to that coin. Employees and contractors may also threaten your company by virtue of their access and expertise. Most experts consider three categories of insider threats:

●     Understandable (and preventable) mistakes by well-meaning employees or simple, common human-error

●      Stolen credentials (frequent)

●      Criminal/malicious actors (relatively rare)

Insider threats are almost always higher impact than non-insider threats. And insider threat incidents are more common than most appreciate. According to the Ponemon Institute, every single company that they surveyed had an insider incident last year. And that stark statistic understates the problem. That’s because of the 278 organizations that they surveyed, all but one had multiple insider incidents.

This isn’t an exotic threat; this is happening right now…to everybody.

The insight here is that these incidents weren’t all found on the computers resident on factory floors. They were almost entirely found in the usual places, i.e., corporate networks. A non-critical eye might look at this and conclude that factory floors are insider-threat-free zones. The reality is that manufacturing systems often go unmonitored, but never go unnoticed after a hack.

Your adversaries know that your production line is valuable (and vulnerable)

Most manufacturing lines have two things in common. First, they are incredibly expensive and productive, so downtime must be minimized. Second, they aren’t necessarily IT, they’re OT. They need a specialized approach to keeping them secure because they don’t always run on regular operating systems. Usually, they lack sufficient security tooling and are programmed differently than personal computers.

These systems tend to be older and are more likely to be out of date. Updating the software driving a conveyor system might be lower on the list of maintenance priorities than other things, and if the security program isn’t especially active on the shop floor, it is understandable. They can also be brittle, meaning that the entire line might need to be stood down to patch just a handful of the numerous components in production.

Losing an OT component is much worse than losing an IT component. For the most part, losing an IT component means that you have to re-image a server or restore a backup. An IT attack can mean data loss and cause damage. Restoring an OT component means you lose a production line even if the attack only hit an extruder, a press, or a lathe. One compromised machine can shut down all of your machines. They could be shut down for weeks, or even months, or these incidents can also endanger the lives of your workforces. It is more than inconvenient. It can mean millions of dollars in lost revenue, increased expense, and damaged equipment. When it comes to causing damage, amateurs attack IT and professionals attack OT. OT components are usually harder for outsiders to access, but stolen credentials create an opening and insider-access privileges.

An insider incident against OT can be devastating. Manufacturing workforces, once unskilled and accustomed to labor-intensive processes, are still adapting to technology-intensive processes. This makes them more susceptible to malicious attempts at stealing credentials.

Managers can make a huge difference here by focusing on the problem of stolen credentials. Supervision and training can bring about vast improvement in the struggle to secure OT.

Technology investments are also critical. The answer to threats presented by trusted insiders is to build security that goes beyond trust to protect OT systems. Zero-trust, multi-factor authentication (MFA), device-level solutions for OT systems will dramatically lower your attack surface.

You don’t have to take our word for it

Attacks in the manufacturing industry are happening at an increasing rate, though most are resolved without publicity. There are some that were too big for the press, the government, or the public to ignore. The malware hack on Petro Rabigh’s safety equipment is one example. Petro Rabigh is the first stop for petrochemicals before they become household products like detergent or plastic. They operate $20 billion in infrastructure assets and are critical in middleeastern supply chains. They are rigorously regulated and have been praised for the maturity of their security during the incident.

Despite this, Petro Rabigh lost control of a Triconex unit. The ensuing events led to a ten-day shutdown of the plant, costing hundreds of millions of dollars in productivity losses. Illustrating the challenges faced by OT security, the breached unit was investigated by the vendor prior to the breach’s discovery and was brought back online after having received a clean bill of health.

This is a great illustration of the idea that insider threats are often high impact. A critical aspect of this case is that the safety system was breached. While the economic costs associated with bringing the plant offline were huge, it could have been much worse. The plant processes countless toxic chemicals and a release would have likely resulted in injury or death of plant operators or even spread to the local community.

Are you sure you haven’t had an insider incident on your factory floor?

The magnitude, scope and nature of the manufacturing-insider attacks over the past year clearly indicate that current industry security approaches are insufficient. Intrusion-detection techniques at the network level may identify breaches, however the intruder is already inside. Intrusion-prevention systems may wrongly stop critical control-system software or network commands and disrupt operations.

 So how can you prevent an intruder from messing up your production line?

Industrial companies must anticipate attacks this year to be varied in style and source, and it won’t always be clear who is ultimately behind them. We recommend these companies implement multi-layer security protection from the IT network to the device level, design programs to drive employee awareness of cyber-hygiene best practices, and build an attack/response protocol. With intense threats on the horizon, hacks into industrial companies are not a matter of if, but when.