Snakes in the Greenfield - Ransomware Attacks Escalate in Industrial and Manufacturing

It’s been over one year since Honda was targeted by the perilous Snake ransomware attackers in June of 2020, severely disrupting operations, and forcing the company to shut down its automotive manufacturing facilities across Japan and Europe. During the last four years the number of (known) cyberattacks on industrial and manufacturing infrastructure has risen considerably—including ransomware with quite precise extortion objectives for specific types of data (emails, servers, customers, etc.). What are the motivations behind this shift and how ready are the mid and high-tier organizations to tackle cyber-threats? Is a greenfield industrial environment inherently more or less susceptible than the brownfield one?

Cyberattacks are evolving, finding their way into numerous novel markets and applications, especially those that were traditionally under a closed-loop system and jumped onto the digital bandwagon over the last decade. Cybersecurity organizations like the US Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA), as well as leading private sector security players like Cisco, Palo Alto, Sophos, and Kaspersky, all agree that commercial, government, healthcare and finance will (usually) top the charts of cyberattacks almost every quarter. The plot thickens, however, when we look at the data spikes for a specific type of attack: the dreaded ransomware.

Across security reports, quarterly updates, and research interviews, security vendors pointed out that while cyberattacks target applications in all aforementioned markets (commercial, government, healthcare, and finance), when looking into the ransomware category there is one astonishing data spike across the market cluster of engineering, industrial, and manufacturing applications. More specifically, Crowdstrike’s 2021 Global Threat Report indicates that the highest number of ransomware-associated data extortion operations across all markets is in the industrial and engineering sector with a total of 229 known incidents, closely followed by the manufacturing sector with 228 incidents (out of a total of 1,377 incidents), with the technology and retail markets taking the third and fourth places with approximately 140 incidents each, followed by healthcare and financial services at 97 and 85, respectively.

Kaspersky’s threat intelligence reports also note that while ransomware attacks decreased slightly on a global scale, they actually increased considerably across the US and Western Europe. Further, cyberattacks on Industrial Control Systems (ICS) increased by 168% between 2019 and 2020, climbing from 5644 to 9484 incidents worldwide with oil and gas, engineering, and ICS integration displaying the largest increase, followed by energy, building automation, and automotive manufacturing—a relatively novel, yet unsurprising, addition to the target roster.

Prevailing ransomware archetypes include attacks to vulnerable systems and humans via social engineering (gaining access to endpoint devices through phishing emails and malicious attachments), hastily making their way onto systems and databases, encrypting files, and locking users out, usually followed by the payment unlock instructions for the organization. Ransomware attacks have made an astounding rise over the past years and have considerably exacerbated in the wake of the COVID-19 pandemic. Most ransomware attacks target vulnerable systems through network and human manipulation, encrypt valuable information, and are primarily opportunistic, preferring short-term financial gain. However, this surge of ransomware attacks on industrial and manufacturing will, inevitably, have serious ramifications on operational and supply chain disruption, not to mention both stakeholder and customer effects on the reliability of the organization.

This is not unique to commercial enterprises but also effected end-users who were targeted by COVID-specific malware apps and malicious emails as cyber attackers ride the wave of global insecurity and utilize the psychological effect of mortality salience over citizens attempting to get a better grasp of the encroaching biological threat. According to some security vendors, this tactic was also successful during the “home-working period”, when the boundaries between corporate servers and home networks decreased by the largest percentage ever recorded, increasing the operational threat surface across organizations.

Regarding cyber-threats in manufacturing, certain vendors posit that greenfield connections will have more security tools available for them to brave the digital storm compared to devices in brownfield environments, who mostly depend on legacy equipment. However, others mention that the enhanced level of applications available for greenfield deployments will ultimately make them more vulnerable to zero-days threats and even exacerbate the threat themselves (through upcoming tech migration towards 5G connected devices).

However, with regards to ransomware, some organizations place the blame (perhaps indirectly) on personnel, others on poor filtering, or encryption. As examined in the ABI Research report on cybersecurity in ICS (AN-2484), the lack of encryption usage within the Internet of Things (IoT) is staggering. According to interviewees of leading industrial and security companies, the penetration rate of encryption technologies in the IoT in general ranged between 2% and 10% of connected IoT devices. Based on the evidence presented by industrial frameworks urging for security technologies that Information Technology takes for granted, it’s suffice to say that IoT devices in industrial and manufacturing environments will “aim” be on the higher side of that statistic but, in reality, might fail to do so. This effect is expected to be somewhat lessened for automotive manufacturing facilities. The use of encryption protocols and related cryptographic technologies to protect the integrity of transmitted information, as well as data protection (both at rest and in transit), are highly advised, but, unfortunately, this is not always obtained for ICS. The problem cannot be addressed by one single area like encryption, email protection, personnel training, network, VPNs, AV, or endpoint protection, but rather by a practical concoction of some of the above based on the most vulnerable system feature of the application in question.