CyberWire Daily - Manufacturing sector is increasingly a target for adversaries. [Research Saturday]
Episode Date: January 16, 2021
Guest Selena Larson, senior cyber threat analyst at Dragos, Inc., joins us to discuss their research into recent observations of ICS-targeting threats to manufacturing organizations. Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME, in addition to various ransomware activities capable of disrupting operations. Manufacturing relies on ICS to scale, function, and ensure consistent quality control and product safety. It provides crucial materials, products, and medicine and is classified as critical infrastructure. Due to the interconnected nature of facilities and operations, an attack on a manufacturing entity can have ripple effects across the supply chain that relies on timely and precise production to support product fulfillment, health and safety, and national security objectives. Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial-related processes and cause disruptive, and potentially destructive, impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact to operations. This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve.
The research can be found here: ICS Threat Activity on the Rise in Manufacturing Sector
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting
ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Manufacturing in general is an interesting target for adversaries, and certainly,
you know, ransomware being a big one.
That's Selena Larson.
She's a senior cyber threat analyst at Dragos.
Dragos recently released their first cyber threat perspective
on the manufacturing industry.
And that's the research we're discussing today.
Thank you.
There is increasing interest from a variety of different adversaries targeting this sector. And so what we found is the cyber risks to the manufacturing sector are increasing.
You have cyber attacks that are impacting industrial processes,
intrusions that are enabling sort of information gathering, IP theft,
as well as new activity from ICS targeting adversaries.
Can you give us a little bit of a lay of the land in terms of when we're talking about
manufacturing, what's the spectrum of things that that term covers?
So that's a great question, right? So manufacturing on its own is a pretty large umbrella. And for me,
personally, it's very interesting because when we think of industrial control systems and critical
infrastructure, a lot of us kind of think of the lights, right? Electricity, the lights are on,
driving our cars, oil and gas, that type of thing. But manufacturing is kind of the underpinning
of all of the global supply chains.
And everything that we touch and interact with
and work with, et cetera,
has been touched in some way by a manufacturing process.
So that can be anything from food and beverage
to pharmaceutical, to the defense industrial base, for instance, right?
You have a lot of different types of manufacturing under this sort of umbrella.
you know, the cyber risk or cyber threats to the manufacturing sector as a whole,
because there are different sort of requirements in place when it comes to cybersecurity or information security in these different, these sort of different subsectors. However, as a whole,
you know, a lot of the processes are very similar, right? They very much rely on just-in-time
manufacturing. They rely on process automation.
So the databases where information is stored, and how they interact with the enterprise side for keeping track of manufacturing, are across the board very similar, despite the industries being very different.
So what makes them a target?
What are the things that are attractive to the folks who are out there looking to do them harm or penetrate their defenses?
Sure, so ransomware is definitely something that is very, very heavily targeting manufacturing.
We actually identified that throughout 2020,
the number of publicly reported ransomware attacks
on manufacturing entities has more than tripled
compared to last year.
And I do want to point out here,
that's confirmed.
Oftentimes you'll see on leak sites
that there are companies that are named,
but unable to sort of confirm them.
But this number is increasing.
It's very interesting to ransomware adversaries
because they're conducting this sort of
big game hunting operations
and have learned that uptime,
especially when it comes to manufacturing,
maintaining that sort of just-in-time processes, that automation is very important for
manufacturing companies. And even if it doesn't necessarily impact the OT or ICS side of that
house, you do have disruptions to potentially sales, order fulfillment, logistics.
These kind of very important sort of supply chain management applications that enable and sort of support the OT ICS functions.
And so we're also seeing that ICS adversaries are adopting
the sort of ICS-aware, ICS-specific mechanisms in their code
where they are targeting industrial processes
and are able to sort of kill
or otherwise stop ICS-specific processes,
much like they do in more sort of IT side of the house.
So it is very interesting
that we are seeing more ransomware adversaries
kind of adopting this more targeted approach to industrial
control systems.
And certainly manufacturing is a part of that.
Now, in the report, you're tracking five of the active groups who are targeting manufacturing.
Who's our rogues gallery here?
So, yeah.
So we have five publicly reported groups,
Chrysene, Magnallium, Parisite, Wassonite, and Xenotime.
But Xenotime is arguably,
we consider them to be the most dangerous and most capable.
Xenotime has targeted original equipment manufacturers, for instance, but they've also targeted electric and oil and
gas companies. And what's unique about this group is that it actually has demonstrated the ability to
develop malware specifically targeting ICS processes. So that's with Trisis, right?
It specifically targeted a safety instrumented system at an oil and gas facility.
That's concerning because, you know, when you're talking from a manufacturing perspective, you know, Stuxnet actually targeted uranium enrichment, right?
Like, okay, drink, Stuxnet. But, you know, this is probably the most well-known.
And it targeted these sort of PLCs that were controlling the centrifuges used in uranium enrichment.
And so, you know, we do have examples of adversaries being capable of interacting with and potentially disrupting manufacturing. But what we've seen more
recently is that, you know, the safety instrumented system and then Crashoverride, which was electric
focused. But, you know, so we haven't observed, you know, either Trisis or Crashoverride
disrupting manufacturing operations,
but it is possible that adversaries that are working on developing ICS-specific malware
might target manufacturing companies in the process of developing this malware,
even if they're not necessarily the ultimate target.
Are they showing restraint?
In other words, there's a difference between shutting down an assembly line and
affecting something that could possibly lead to loss of life. Is there any nuance there?
There's certainly nuance. I would say that the activity that we are seeing when it comes to
manufacturing is largely focused on things like ransomware,
IP theft,
not necessarily targeting the equipment
that is used for maintaining safe,
reliable, healthy processes,
both for people and the environment.
I don't know if it's necessarily,
I don't want to ascribe goals or objectives or desires to adversaries, right?
But what we've seen so far, you know, based on the threat data, we're seeing adversaries that are interested in potentially disrupting process for ransomware opportunities, but also potentially targeting manufacturing for data theft, reconnaissance.
Largely, we've seen evidence of them targeting pharmaceutical companies, for instance, research and development organizations
that are involved in COVID, coronavirus vaccine. So these are kind of the big threats, I would say,
right now, currently, to this sector. And to be clear too, there are very serious consequences to ransomware that is
able to disrupt processes. Whether or not the safety system is going to be impacted,
we're not seeing that, right? But we are seeing people's lives disrupted in other ways.
We've seen ransomware cause layoffs in steel manufacturing, for instance.
Employees had to go home for days and sometimes weeks as a result of ransomware that disrupted
operations. So, you know, they're losing their livelihoods because of this. Although we didn't
specifically focus on this in our research, either in manufacturing or some of my research I've been
doing in ransomware, healthcare is another huge one. This is something that is impacting
people in ways that we haven't necessarily seen before, right? These adversaries coming at
very, very vital, critical infrastructure and causing disruptive effects. So there are a lot of consequences
for this type of activity,
whether it's economic, whether it's personal,
whether it's emotional, frankly,
that I think oftentimes we don't really think
about these sort of domino-like repercussions,
whether it's ransomware, for instance, or IP theft,
these types of things that have impacted the supply chain beyond just the target.
Do we see organizations sort of firing shots across the bow, demonstrating their capabilities, saying, you know, this is,
we could do this if we chose to. It's an awfully nice factory you've got there. Be a shame if
anything were to happen to it.
Not that I have observed. That isn't necessarily something that we have visibility into.
Gotcha. Now, you talk about how so many manufacturing facilities,
they're relying on just-in-time processes.
Is that by its very nature,
does that make them a little more fragile,
that it's easy for things to sort of cascade through the system
if one particular system goes down?
Oh yeah, definitely. And you know, it's kind of funny to think about, right? So a lot of times
we'll think about disruption to the sort of just-in-time process or the process automation on
a production floor, right? The factory floor and the sort of robot arm getting a little bit broken. And then,
you know, like in that I Love Lucy clip where, you know, she's working on the chocolate line
and she just has to shove all the chocolate into her shirt. It's like, oh no, the process is
disrupted. But beyond that, you have, for instance, the trucks and the drivers that are relying on picking up and driving whatever it is that is being manufactured, right?
So they go to the plant, they're waiting there, they have a set And then they're going to be driving it to their destination
that has a set time of receipt.
And that destination is going to be planning their own distribution
or sales or their own manufacturing based off of this
timetable that the driver is operating on.
But if something is disrupted early in that whole manufacturing line,
if the trucks can't get their deliveries on time, then you're going to have a huge traffic jam of
trucks. So it's not just going to be this one individual that's impacted. It's going to be
every person that is on shift that day that is going to have to have disruption to their
timetables. And then the
customers down the line are going to be disrupted. So there's actually an interesting story that I
like to cite. Earlier this year, there was a software provider of auction software for the
wool industry in Australia and New Zealand. It was essentially a platform that was used
for doing business for the farmers and textile
and wool vendors.
And essentially, they just used a software called Talman.
So Talman suffered a ransomware attack
and essentially disrupted wool buying and selling across the entire continent of
Australia and throughout New Zealand as well. And there was actually some local reports that said
it essentially prevented 44,000 bales of wool worth up to $70 million from entering the marketplace.
So this attack in February disrupted the, you know, disrupted the auction process,
which in turn had impacts on, you know, the farmers themselves, as well as the buyers and
sellers of the wool, but also, you know, the textile mills that are going to be receiving
that wool, that are expecting to get it and, you know, work it into their own manufacturing,
whether, you know, making sweaters or whatnot. And, you know, and that's in different countries,
whether that's China or Italy or, you know, the other recipients of Australian wool.
So you have this sort of domino effect that's like, even in the IT software that supports
auctioning of this product, you have this ripple effect through industrial processes that are
reliant on the, you know,
manufacturing and distribution and, you know, farming and agriculture that surrounds this
entire industry. So one disruption can have these sort of huge ripple effects.
Yeah. And I suppose, I mean, you know, wool is interesting in itself, but imagine if it's
something perishable, like, you know, bananas or tomatoes or something that can't,
has a limited amount of time that it can sit around.
Well, we actually have seen that, right?
We've seen ransomware impact meat.
The manufacturer of meat in New Zealand,
AFCO, I believe it was.
Also, that's another example of a ransomware attack
kind of disrupting the manufacturing processes.
And certainly meat is something that's very perishable.
That's also something that, you know,
people are, you know, go to the grocery store
and expect to see it.
And if it's not there, you know,
it again has a sort of human impacts.
Granted, meat isn't something that's, you know,
life or death, but it is kind
of annoying. Yeah, but I mean, I think that's an important point that's often overlooked,
as you point out. You know, if you go to your local market and there's no meat there,
there's an emotional component to that where you think, okay, what's going on here?
Yeah, there's that sort of frustration.
And from the perspective of a company too,
if something impacts your company or your brand,
there's a mistrust or frustration with the company.
So customers will feel frustrated.
And so that's something also too to take into consideration from an asset owner operator perspective is that, you know, we are protecting the integrity of our manufacturing, but as well as our business and our reputation.
you know, the cyber risk to manufacturing,
you kind of include all of these additional factors and the sort of impacts to, like we kind of said earlier,
impacts across the board from economics to personal frustrations.
So what are your recommendations?
I mean, in terms of that risk analysis,
in terms of planning for these things that, I mean, I don't know if it's fair to say they're eventualities, but, you know, the stories keep coming every day.
What sort of things should organizations be doing to better protect themselves?
So conducting crown jewel analysis is very, very important. Essentially having asset owners and operators identify what are the crown jewels in my operations environment and what are the consequences
that could occur if they were compromised, disrupted, et cetera. So, you know, safety
systems are very, very important and that might be considered a crown jewel in many cases.
A crown jewel might be a very specific pharmaceutical component or something like this, like a trade secret that you need to protect.
So to kind of identify what these crown jewels are, conducting this sort of crown jewel analysis and then establishing your security operations to kind of build around that assessment.
Another thing that we often see in manufacturing specifically is very flat networks. You might see OT and IT being on the same network, for instance, or not having a jump box, pretty weak
firewall rules, very, you know, sort of flat networks. Certainly restricting access and,
you know, conducting those architecture reviews to sort of identify the assets,
connections, and communications between IT and OT. And not just, you know, we're talking asset identification. That's something, you know, that I think asset owners can do a much better
job of, but we're not just talking about like,
okay, this X number of HMIs, PLCs, et cetera, but what ports are open? What are restricted?
What are they talking to? Who are they talking to? What devices and communications are going
outbound from OT and what are going inbound?
Our ERP software, do we have, you know,
is that, you know, talking to only the required assets or is that something that, you know,
has additional access to different workstations
in this environment?
Who has access to the workstations
or the PLCs, the controllers, et cetera?
So knowing not just what's on your network,
but who and what it's talking to and who and what has access to it is very,
very important. And then certainly too, you know,
like supply chain and identifying the sort of third party operators,
identifying sort of reliance on the software and services that are directly in your environment.
And again, the connections to and from, the type of access this equipment or the
people monitoring it has, again, that is super important. So we provided a bunch of defensive
recommendations in the threat perspective that we, you know, strongly encourage folks to read
because it is, you know, it is very difficult
to kind of give a one-size-fits-all answer.
So we really did try to come up with, you know,
some that are across the board, you know,
gut advice specifically for manufacturing
and to sort of lower the cyber threats to your organization.
Our thanks to Selena Larson from Dragos for joining us.
The research is Dragos' cyber threat perspective on the manufacturing industry.
You can find more on their website.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen,
Nick Valecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.