Rising attacks on the manufacturing sector: Why multi-layer cyber defence systems are now becoming indispensable!

The manufacturing sector worldwide is in the midst of the fourth industrial revolution. The digital transformation in the course of Industry 4.0 is networking machines and plants with each other, making production processes leaner and enabling new options such as predictive maintenance or location-independent monitoring of production machines. While manufacturing companies invest extensively in the necessary digital infrastructure for the IIOT (Industrial Internet of Things), IT security usually falls by the wayside. IT security measures against cyber threats and a wide variety of cyber attacks are far too often still based on outdated security concepts. This vulnerability is of course also known to cyber criminals - manufacturing companies have been victims of cyber attacks correspondingly often in the recent past. This article explains why multi-layered cyber defence systems are now indispensable and how threat hunting and active cyber defence can significantly increase IT security in a manufacturing company.

2020: The year of complex cyber threats and large-scale cyber attacks

The Falcon-Overwatch 2020 Threat Hunting Report has taken on the topic of cyber threats. The findings of the study are startling. Almost simultaneously with the onset of the global Corona pandemic, cyber attacks on manufacturing companies increased dramatically. It is striking that not only the sheer number of cyberattacks has increased, but also their complexity. In addition to the manufacturing industry, the food industry and the healthcare sector were also "hit" in 2020 - a clear indication that cyber attackers have adapted to the pandemic and the changing conditions as a result. Telecommunications companies have also been under constant attack since 2020. Here, it is not so much cybercrime around ransomware and co. that carries out the attacks. Rather, it is nation-state attackers from China who carry out espionage attacks and data thefts. Critical infrastructure thus seems to be becoming the preferred target of hacker groups and individual perpetrators. Why is this?

Outdated technology meets the human factor

Every technological leap brings new challenges. Industry 4.0 is no exception: in the course of the digital transformation, not only are machines and plants networked with each other, but they are also connected with systems from the administrative sector. For the first time in the industrial age, information technology is merging with operational technology. As a result, production data, for example quantities, downtimes or set-up times, can be processed and analysed in real time and independent of location. Artificial intelligence turns big data into a powerful "tool" for streamlining processes and optimising quality. Without detours, production orders, drawings and machine programmes can be transferred from the office to the production halls, while thanks to "predictive maintenance" a machine detects defects before they happen. Without a doubt, digital networking has advantages over the previous way of working. Unfortunately, not only for production companies, but also for cyber criminals of all kinds.

Low tech in the workshop

A common office workstation is equipped with a PC whose life cycle is about 5 years. In the control systems of production machines, on the other hand, hardware and software products work with a life cycle of 10, 20 or more years. What has been relevant here up to now is not the security of the network, but high availability and reliability. Both are ensured by tried and tested systems. The operating systems are correspondingly outdated here - and in combination with a lack of updates or patches, the result is a highly functional technology environment that is also rich in vulnerabilities. A changeover to modern systems would be possible in principle, but is rejected by many companies. While a PC can be upgraded from Windows 7 to Windows 10 with a few simple steps, a modern IT system on a lathe or milling machine, on injection moulding machines or extruders almost always means extensive retrofitting, a high investment and incalculable downtimes.

The human gateway

Even though blackmailing with ransomware also affects production companies, cyber attacks are more about sabotage, espionage or paralysing production operations. A popular strategy of cyber attackers is to gain access to the company's internal IT infrastructure via insufficiently trained or all too inexperienced employees. Social engineering in particular is used as a gateway, but phishing or mail attachments contaminated with Trojans are also very popular with cyber criminals. But even if a company secures access to the cloud and/or production systems at great expense and thus supposedly reliably, there is still an access point that IT security can hardly monitor: Shadow IT. This term refers, for example, to private smartphones, tablets or the apps installed on them, whose use is neither approved nor secured by the IT department. The operator who bridges the time when his machine is working automatically with video or audio streams and accesses the company's WLAN for this purpose unknowingly opens "door and gate" for hackers - and thus makes cyber attacks extra easy.

Cyber attackers adapt - companies must react!

The study mentioned at the beginning shows one thing very clearly: Cyber attacks adapt quickly and flexibly to current economic and geopolitical circumstances. With the utmost agility, hacker groups are identifying new targets worldwide, aligning their attack strategies with their "target groups" and taking advantage of every opportunity that presents itself for a tailor-made cyber attack. In doing so, the cybercriminals need to demonstrate less and less expertise. Ransomware-as-a-service, a kind of rental model for malware, allows anyone (and everyone) with enough criminal energy to unleash malware on companies, organisations or governments for less than $50 in some cases.

In 2020, the special feature of the pandemic situation was added. Cyber-attackers targeted industries that were particularly vulnerable to the completely new, unpredictable changes in supply chains or demand. For example, manufacturing companies - which not only had to deal with a lack of raw materials and falling orders, but were also in the middle of the digital transformation. And as if this were not enough of a challenge, more companies than ever before had to send their employees to the home office. The consequence: even more security gaps in IT, thinned-out IT security, even more opportunities for social engineering - and a found meal for cyber criminals.

Even if the pandemic has lost some of its intensity (for now): Manufacturing companies are urgently called upon to adapt their IT security to the new requirements. For this to succeed, not only firewalls and anti-virus software need to be installed. Rather, manufacturing companies must rethink their entire IT security: holistic, multi-layered and proactive.

SOC and SIEM: With price-intensive strategies against cyber threats

Implementing a Security Information and Event Management (SIEM) solution is an effective approach to meet the challenges posed by modern cyber threats. The security management system enables real-time response to cyber threats by continuously collecting, automatically categorising and analysing data. SIEM is able to capture huge volumes of data in a fraction of a second - which is particularly relevant for manufacturing companies. After all, even a single machine tool can generate 1 terabyte of data - per hour! This enables real-time insights into the IT infrastructure, which serve as a basis for further defence measures. SIEM is often supplemented with Security Information Management (SIM) and/or Security Event Management (SEM). SEM provides real-time analysis and reporting, while SIM captures security-related data and manages logs. As effective as the three approaches mentioned are - without human IT security experts, the most comprehensive data collection is of no use. Therefore, in addition to the methods and tools, companies need specialised experts who draw insights from the data and use them for defensive measures. These experts are bundled in the SOC, the Security Operations Centre. Ideally, this creates a multi-layered protective shield that defends against internal and external cyber attacks, while at the same time minimising risks and ensuring increased security intelligence. The full implementation of a SOC in a company - and its continuous maintenance - requires investments and produces ongoing costs that are not inconsiderable. Costs that small and medium-sized enterprises in particular cannot afford, or can only afford with difficulty.