Internal networks pose a threat to the manufacturing industry
According to the 2018 Spotlight Report on Manufacturing by Vectra, a leader in AI-powered cyberattack detection and threat hunting, the manufacturing industry is particularly vulnerable to cyberattacks because of its internal networks, which are easy to infiltrate and, once inside, easy to spread through. These networks have grown as manufacturing processes have become automated and remotely controlled over wireless connections. Manufacturing benefits from automation and IT/OT convergence because it relies on tedious, rote tasks that machines perform better than humans, and that manufacturers can control remotely through wireless, cloud-based systems.
The problem arises when malicious outsiders get hold of these Internet-based controls. Once past weak perimeter security, these cyberattackers can easily spread throughout the interconnected system to spy and steal. This is dangerous because disrupting even one part of the system can halt the whole manufacturing process. In the study, Vectra uncovered attacker behaviors including command and control (for external remote access), internal reconnaissance (to map the network), lateral movement (communication between devices), and exfiltration (exporting data).
Viewed from a network-analysis perspective, these behaviors stand out as suspicious, even though some resemble approved actions. A manufacturing system can be modeled as devices (nodes) with connections that send and receive information (edges) at various frequencies of communication (strong and weak ties). In a simplified example of a manufacturing system, one group of devices for cutting shapes includes a node A that usually sends information to node B in another group of devices for sorting the shapes. All edges within a group (cluster) are strong, but the strengths of edges between clusters vary; in this case, node A sends information to node B regularly, creating a strong A-B edge. Node A also usually receives commands from its manufacturer, node X, with which it has another strong tie. All of node A's other connections are weak, and in this respect node A looks like every other node in its shape-cutting group. Now assume a new node Y starts sending messages to node A, forming a new edge. From that moment, node A starts sending and receiving more information with nodes in other groups, such as those for gluing, folding, or packaging, with which it previously had weak ties or none, suddenly creating new and stronger ties. Over time, the A-Y edge also grows stronger as more communication flows across it.
In this example, node Y is a cyberattacker who has gained external remote access to the network with a foothold on node A. Node A's new behavior is abnormal compared with the other, similar nodes in its shape-cutting cluster, because it now has strong ties to assorted nodes in other clusters and to an isolated node Y (in addition to manufacturer node X). Cyberattacker Y appears to have reached other devices and parts of the network through device A, spying, issuing new commands, and moving information to and from outside the normal network. Cyberattacker Y exhibits all of the behaviors Vectra found in modern manufacturing environments, but even without an advanced cybersecurity platform, the threat's behavior can be identified as suspect simply by analyzing its abnormal network connections and patterns.
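As an added example (not code from the Vectra report or the article), the following Python builds the graph described above from constructed flow records and flags node A because its strong cross-cluster ties are ones its shape-cutting peers do not share; the node and cluster names, the message counts, and the strength threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records (source, destination, messages per window) for the article's
# example; node and cluster names are assumed, and Y is the new node of unknown origin.
CLUSTER = {"A": "cutting", "A2": "cutting", "A3": "cutting", "B": "sorting", "B2": "sorting",
           "G": "gluing", "F": "folding", "P": "packaging", "X": "manufacturer"}
FLOWS = [
    ("A", "B", 120), ("A2", "B", 115), ("A3", "B", 118), ("A3", "B2", 110),  # cutting -> sorting
    ("X", "A", 40), ("X", "A2", 38), ("X", "A3", 42),            # manufacturer commands
    ("A", "A2", 200), ("A2", "A3", 210), ("A", "A3", 190),       # intra-cluster chatter
    ("A", "G", 2), ("A2", "P", 1),                               # weak ties: normal background
    ("Y", "A", 90), ("A", "G", 70), ("A", "F", 65), ("A", "P", 60),  # after Y reaches A
]
STRONG = 20  # assumed threshold: a tie carrying at least this many messages is "strong"

def tie_strengths(flows):
    """Undirected edge weight: total messages exchanged between a pair of nodes."""
    weight = defaultdict(int)
    for src, dst, count in flows:
        weight[frozenset((src, dst))] += count
    return weight

def strong_external_ties(flows, cluster, strong=STRONG):
    """Per node, the clusters (or unknown nodes) it has strong ties to outside its own cluster."""
    profile = defaultdict(set)
    for edge, count in tie_strengths(flows).items():
        if count < strong:
            continue
        a, b = tuple(edge)
        for me, other in ((a, b), (b, a)):
            other_cluster = cluster.get(other, "unknown:" + other)  # unlisted node, e.g. Y
            if other_cluster != cluster.get(me):
                profile[me].add(other_cluster)
    return profile

def flag_anomalies(flows, cluster, strong=STRONG):
    """Flag nodes whose strong external ties exceed the baseline shared by their cluster peers."""
    profile = strong_external_ties(flows, cluster, strong)
    flagged = {}
    for node, own in cluster.items():
        peers = [p for p in cluster if cluster[p] == own and p != node]
        if not peers:  # singleton clusters have no peers to compare against
            continue
        baseline = set.intersection(*(profile[p] for p in peers))
        extra = profile[node] - baseline
        if extra:
            flagged[node] = sorted(extra)
    return flagged
```

Running `flag_anomalies(FLOWS, CLUSTER)` reports only node A, with its unexplained strong ties to the gluing, folding and packaging clusters and to the unknown node Y; A2 and A3 stay within the peer baseline of sorting plus manufacturer.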
References:
Vectra, 2018 Spotlight Report on Manufacturing: https://info.vectra.ai/spotlight-report-manufacturing-2018
Automation World article summarizing findings from the larger Attacker Behavior Industry Report 2018 Black Hat Edition: https://www.automationworld.com/article/industry-type/all/industrial-cyber-threats-assessed
Vectra, Attacker Behavior Industry Report 2018 Black Hat Edition: https://info.vectra.ai/abir-2018-blackhat-edition
