Verizon’s 2015 Data Breach Investigations Report (DBIR) has found that four out of five security incidents in the manufacturing sector involved denial of service (DoS) attacks, cyber-espionage and crimeware.
Such attacks have the potential to bring down critical systems while bringing productivity to a standstill, damaging customer and partner relationships, and ultimately compromising a company’s reputation and bottom line.
PACE magazine spoke to Jason Whyte, Chief Security Architect, Verizon Enterprise Solutions, to try to get to the bottom of the issue.
PACE: Why are manufacturers so prone to DoS attacks in your
Jason Whyte: What makes the manufacturing industry attractive to DoS attackers is the immediate and quantifiable impact of security attacks to a company’s business operations. Due to their specific use case, the nature of Industrial Control Systems (ICS) is notably different to that of the enterprise network. For example, an ICS’s typical real-time or near real-time transaction process means high latency or extended service unavailability is not acceptable, security controls and solutions must be tested in an offline non-production environment, and in most cases, component lifespan exceeds 10-15 years. It’s these specificities that create unique challenges when it comes to the ongoing security and availability of these systems.
Attacks on manufacturers tend to be financially motivated or carried out by activists that have an axe to grind with certain manufacturing organisations. This may be due to the perceived environmental impact of the organisation or industry’s operations, the types of products manufactured, and the manner in which the end products are used. For instance, a leading manufacturer of farming and earthmoving equipment became a target due to its role in providing weaponised equipment to be used in highly volatile regions.
As mentioned, manufacturers hold unique assets that are comparatively easy to target. As such, while cyber security is a relatively new issue for manufacturing organisations when compared with financial services or government agencies, its impact is no less significant in the event of an attack.
PACE: What part of the manufacturing industry is most at risk?
Jason Whyte: No segment of the manufacturing industry is immune from risk, with the key motivating factors behind most attacks being political and financial. We would hesitate in saying that one part of the industry is at higher risk than another as it leads organisations into a ‘we are not a target’ mindset that is in itself a greater threat. That said, it’s clear that manufacturers involved with anything deemed critical national infrastructure have more to lose in the event of a breach, including the loss of ability to generate, distribute and deliver power and water.
PACE: Where are these attacks mainly coming from?
Jason Whyte: Statistics show that a large number of attacks are generated in Asia and Europe.
PACE: Have there been attacks that have been serious enough to risk a company’s bottom line recently?
Jason Whyte: Over the last 18 months, there have been a number of high-profile cases that have discussed, in detail, the significant financial impacts to a breached organisation. One such case in particular saw company profits fall 46 per cent in the quarter following this security breach. There is no doubt that a 46 per cent drop in profit, even if for one quarter, would have had a significant impact on the company’s bottom line.
At Verizon, we have analysed almost 200 cyber-liability insurance claims involving a data breach. This has enabled us to provide a much clearer picture of the true financial risk behind a data breach covering a wide range of incidents. Despite what other models may suggest, the cost of breach does not follow a linear model. In fact, the cost per record falls as the number of lost records increases.
When averaged out, the variance grows greater as the number of records grows. As such, the longer it takes an organisation to discover a security breach, the greater the loss in data and the costs associated with the “clean up”. Below is a graphic by Verizon that has been generated from real world cyber forensic investigations. It shows that organisations are taking longer to discover a breach than it is taking for the attack to take place.
PACE: What are some practical things manufacturers can do to prevent cyberattacks?
Jason Whyte: There is no way of stopping a cyberattack in the same way that there is no way of stopping an attempted burglary. However, there are ways to mitigate the threat and impact of a security breach while increasing the likelihood of success. A cyber-criminal is more often than not going to take the path of least resistance. This means that organisations with stronger cybersecurity programs are less likely to attract cybercriminals in the first instance, and in the second are better placed in the event of an attack.
There are a few recommendations to significantly increase any manufacturing organisation’s security posture:
- Develop mitigation plans: Ensure your policies include comprehensive strategies on dealing with large-scale security attacks and brief key operations staff on the best course of action should an incident occur and the anti-DoS service fail
- Make sure it works: Don’t wait for a breach to occur before discovering gaps or potential failures in your organisation’s action. Test and update the strategy regularly, as your infrastructure and processes change, and as new and improved DoS techniques emerge
- Separate key systems: Don’t allow less important systems to act as a gateway to more important ones. Segregate critical systems on different network circuits
- Patch promptly: Attackers often seek to exploit software vulnerabilities. Timely patching limits their opportunity
- Enable two-factor authentication: Both phishing and malware attacks lead to lost credentials. Two-factor authentication can break the chain of attack
- Train users: By training employees you can create a “human sensor network” that reduces the number of people falling victim to phishing
PACE: What are companies currently doing wrong that is making online security worse?
Jason Whyte: Just ten well-known and documented Common Vulnerabilities and Exposures (CVE) accounted for 97 per cent of attacks last year, one of which dates back to 1999. What this shows is that companies are not patching their systems adequately. The most common yet underrated vulnerabilities include:
- The belief among manufacturing organisations that ‘we’re not a target’
- The lack of quality ingress and egress data filtering
- Lack of security log monitoring and management in organisations doesn’t allow for a strong and streamlined process of alerts, logs and events that may be potential security incidents
- Identity and credential management – the vast majority of data breaches involve a compromised credential or identity. Despite this, organisations still do not employ sound identity and access policies