
The Security Detail Download: Cyber Threats to the Manufacturing Sector

The manufacturing industry is critical for many economies, and holds plenty of sensitive data — making it a key target for cyber attacks. Tim Chase, Program Director at the Global Resilience Federation, joins the podcast to discuss the threats he’s seeing.

Security Detail Podcast

The Security Detail is a podcast series facilitated and hosted by SURGe, Splunk’s strategic security research team.

Every other week, co-hosts Audra Streetman and Kirsty Paine interview security experts about the cyber threat landscape across different industries.

—OPENER—


Welcome to The Security Detail - a podcast by Splunk SURGe where we examine the cyber threat landscape across different industries.

I’m Audra Streetman.


And I’m Kirsty Paine.

Today we’re taking a look at the manufacturing sector, which encompasses a wide range of companies and products… everything from nail varnish to military weapons systems.

Despite the different materials that they produce… these companies still face similar cybersecurity challenges… like geographic distribution of sites (remit and mandate), hiring and retaining talent… along with supply chain risk, the obvious link to the physical impact of their security, and ransomware attacks.


To better understand the threats facing the manufacturing industry, I spoke with Tim Chase, who is a program director with the Global Resilience Federation - or GRF.

In March of 2022, GRF launched the manufacturing ISAC to help facilitate threat information sharing for the sector.

Tim now leads up the MFG-ISAC, and shared with me some of the top cyber threats that members are seeing. I also asked about his career journey and how he ended up in his current role.

Here’s his interview.

—Dissolve to Interview—


Tim Chase:

My kind of start into information sharing actually started at FS-ISAC, kind of the 2014/2015 timeframe. I actually started at the FS-ISAC SOC, but then quickly moved into this internal business unit that they called Sector Services. Sector Services is the precursor to what GRF is, because it just kept growing. Eventually the FS-ISAC board, it's a nonprofit organization, said, this thing is amazing, but it’s growing too fast, and it doesn't actually neatly fit within our charter to help financial services. And so they kind of spun that out and that's what GRF is and we continue to support many different information sharing organizations, the newest of which is Manufacturing ISAC.


Audra Streetman:

The manufacturing ISAC has been around for about a year now. What was that launch like and how does it help facilitate threat information sharing?


Tim Chase:

Because of our background, we've got like a strong kind of analytical and product development ability with people, process and technology coming from FS-ISAC that we maintain at GRF. So the organization actually stood up pretty quickly. It was actually helped by another organization called CyManII, the Cybersecurity Manufacturing Innovation Institute. It's a mouthful. They just call it CyManII. But CyManII is money from the national labs from INL to kind of promote cybersecurity for manufacturing. And so we kind of partnered together to launch that, leveraging GRF's ability to kind of quickly start and create both the products and services with analytics support very quickly. So we started that in March of last year, we started onboarding members almost immediately, and we continue to grow right now.


Audra Streetman:

Recorded Future lists manufacturing as the industry most affected by ransomware based on their data in 2022. And of course, it can be difficult to measure the true number of ransomware attacks due to a lack of reporting. But from your vantage point, do attacks on manufacturing companies seem to be becoming more prevalent or is it too hard to say?


Tim Chase:

It's an exponential growth year over year, and everyone has a slightly different number. GRF, actually our analysts spend a lot of time every single week. It's one of the most desired products that we create. We've got about two years of data where the analysts actually go out to all the Tor leak sites and scrape all of the operators’ data. And so we're able to categorize both which operators are up or down each month, where geographically those attacks are being focused, what industry verticals are being most affected. And obviously, all of that tracks with Recorded Future, Dragos Year in Review, everyone, you know, Verizon DBIR report. Everyone's reports say the same thing. Our numbers are slightly different, depending on, there's certain companies that you might put in this category or might put in that category, but the trend lines are all the same, which is that manufacturing is the most targeted. I think there's some clear reasons why. If you look at the companies that are most targeted, they're large enough to pay a ransom, but they’re small enough not to have really exquisite enterprise-level IT and security solutions. Right? So that's kind of the sweet spot. Also, manufacturing as opposed to equally sized non-OT function, like, companies, like if it was an insurance company right? With that OT component, if they are hit, even if it only affects, theoretically the infection is contained inside of the enterprise IT network, we oftentimes see OT effects. Right? Because manufacturing with just-in-time deliveries and the like, they're very, very constrained on their ability to withstand downtime. And so their likelihood of paying out a ransom is even higher than many other industry verticals. Some estimates are that 70% of all ransomware is targeted at manufacturing. I would say that at GRF, we have insights into broader trends as well as others. And we're seeing that there may be a shift away from actually encryption to just the doxing aspect of it for coercion. I'm not necessarily seeing that in the manufacturing sector. I think that that’s because in the manufacturing sector, that operational component that may have effects from an IT infection are still quite coercive, and they'll probably still continue with that.


Audra Streetman:

Are small to mid-sized businesses coming forward within the ISAC to share their experiences with ransomware or is there a hesitation to share that they’ve fallen victim to an attack in case it becomes publicly known or end up in the news?


Tim Chase:

It's a mixed bag. Some are quite willing to come forward. Most of them that we're getting in touch with are quite eager to sort of participate, to get best practices and to be able to really engage with some of their larger peers for that kind of mentoring opportunity. I think it's not so much disclosing vulnerabilities. It's actually just kind of, they're overwhelmed with where they need to start. That’s just kind of one of the first conversations, is just placing them somewhere along that security maturity journey and then figuring out the right resources to connect them with.


Audra Streetman:

I'm curious if you're seeing any other trends in terms of attack vectors or vulnerabilities that ransomware groups are leveraging?


Tim Chase:

It depends on the actor. So there are some old and enduring vulnerabilities that are always tested first, because if you haven't patched it, it's just an instant win. Those are typically small and sort of unmanaged IT system, uh, operators, the organizations, companies, manufacturers. Um, so vulnerabilities have limited utility. We typically see the larger operators when there's a vulnerability, a CVE that's reserved, or they've made an announcement, but they haven't talked about what the actual vulnerability is, or provided a POC. Some of the most advanced actors will jump on that pretty quickly and will figure out a POC and will start attacking with that. But other than that, it's really just normal phishing and basic hygiene.


Audra Streetman:

Are you seeing phishing campaigns that are more targeted toward executives and CISOs? Or are they more broadly targeting employees?


Tim Chase:

It used to be that it was sort of a spray and pray, you know everyone would see the campaign that was ongoing and you'd get like 800, your organization would get 800, but now they tend to be a little bit more targeted. And yes, they're going after people in the organization that would have better access for whatever purpose that criminal gang is looking for, whether that's someone in the accounting department, if it's BEC, or you know executive, someone potentially in an engineering role that may have access from the enterprise IT side to an operational environment. Whatever their purpose, they are becoming more targeted over time.


Audra Streetman:

What are your recommendations for organizations that are struggling with patch management while also maintaining their operations?


Tim Chase:

Patch management is difficult at any time in any enterprise IT environment. It becomes more difficult when you now have an operational component to it. I will say, though, the manufacturing industry is quite varied in terms of what protocols they're running. So on one hand, you might have industries that are extraordinarily high industry that are running full SCADA systems. But oftentimes, a lot of the manufacturers are kind of like OT-light. It's kind of like industrial IoT or IoT. And the networks in there really don't look anything different than enterprise IT networks. And unfortunately, oftentimes there's very little segmentation between the front office and the shop floor.


Audra Streetman:

Are manufacturers increasingly employing IoT technology? How does that impact their attack surface?


Tim Chase:

By and large, that is manufacturing now. So industry 4.0 and sort of the digitization is really coming with this, you know, industrial IoT or even just IoT. And as in many cases, the capabilities are fast outpacing any way to secure them. And as compared to previous manufacturing models and infrastructure and architectures, they’re inherently less secure, only because older models use quite bespoke communications types and everything. So if an adversary got into an industrial network, he didn't really know what he was looking for. And like he's going between CAN buses and like serial networks and maybe he's got a SCADA system. So now it's just normal networking. If he knows anything about networking, he can see everything on the network and can manipulate things on the network. Additionally, as we move down in size and technology into small, compute devices they don't necessarily update and they're not necessarily designed to be updated. So we'll have intrinsically vulnerable devices on networks, indefinitely. That's not to say that current OT systems are somehow beautifully secure. They're also intrinsically insecure, most of them like PLCs and the like. But it looks a little bit different and how you would actually go about compromising them is a lot easier in an OT world. So I think we’re all struggling with that, and this goes back to just the basics of network segmentation and like network enumeration. So what do you have on your network? How are you walling that off? And basic hygiene.


Audra Streetman:

I wanted to talk a bit about artificial intelligence and large language models like ChatGPT. How do you think LLMs could be used by adversaries in malicious ways or by blue teams to better defend networks?


Tim Chase:

It's a tool, right? Like all tools, it can help and it can hurt. I think we’re trying right now to figure out all the ways that it can. Our members right now are already using AI to advance their manufacturing capabilities in terms of just-in-time deliveries and advanced ways to figure out where there might be critical failures in manufacturing systems, you know, kind of predictive maintenance and the like. In many, many areas, it's already being deployed. I think the concern is, not necessarily like the sort of AI code being written for malicious purposes, but one of the things that, at least right now, even in how we're using it in our daily lives, is we just don't know how the data is actually being stored and used. So what do you trust in your daily life or professional life or personal life to use and run through a ChatGPT or something else? So it's kind of a black box in that sense. Another thing that's concerning is, especially as it pertains to critical systems, you can have an AI system that works flawlessly 99.99% of the time, but then 0.01% of the time, it fails. The only problem with that is that still might be a safety factor, you know, a lot higher than humans. The only problem with a lot of the, you know, ML and AI models is we don't know why it failed. And so testing for some of those models, especially for critical infrastructure, I think is a little bit lagging.


Audra Streetman:

Switching gears a little bit to APT, are there any notable advanced persistent threats that you're seeing target manufacturers?


Tim Chase:

Yes, although this gets pretty niche pretty quickly. APTs, I have conversations with manufacturers and they're worried about APTs as a threat just in general, but specifically about intellectual property theft and the like, and that is a threat. I mean, I don't think it's the biggest threat to them, but it is a threat, but it really boils down to sort of like what industry vertical, like what industry they're supporting as a manufacturer, right? Are they in the DIB space, a defense space as a manufacturer? You know, that will start to narrow down what APTs are going to be interested in them and why. Obviously, during COVID, we saw early attempts to kind of spy by APT groups on companies that were involved in, you know, vaccine research and the like. So, you know, whether it's IP theft or just maybe offensive capabilities for future use. There's definitely APT activity in manufacturers, but that's not really the most active threat against manufacturing. I think it's still more commodity malware and ransomware. And I think even with some of the APTs involved, Russian APTs being one of them, it's actually one of the best tools they have as a state, is their criminal organizations kind of do their work for them to kind of to manufacturers, particularly in the United States.


Audra Streetman:

Yeah, and with third party risk and supply chain vulnerabilities, from a manufacturing perspective, are companies looking at that in terms of the software and suppliers to their organization and then also the risk that they might then extend to the organizations that they supply?


Tim Chase:

Yes. Yeah, so you're pointing out an important fact that in reality, most manufacturers are both consumers of manufactured goods and suppliers to other manufacturers, right? They're one link in a longer chain. And that is something that they all recognize. And I would point out if you go to GRF's website or our manufacturing.org website, we have two different products together in cooperation with manufacturing ISAC, KPMG, and some of those large consumer packaged goods on specifically the supply chain issue, a variety of issues related to that, but all those are covered in there. And they're quite useful. There's a CISO's guide and a practitioner's guide. The practitioner's guide is very granular and actually allows you to put data in and manipulate some things. So those were products that came out of a broader eight-month discussion where we were to best practices that could be used, not just for CPG, because when you read the documents, the value extends far beyond CPG in terms of just general supply chain security issues.


Audra Streetman:

And my last question - We talk a lot about a skills gap in security. Is that something that a lot of manufacturing hiring managers are struggling with in terms of retaining talent and filling open positions?


Tim Chase:

It's a massive concern because most of the manufacturing is not kind of done on the coasts, right. It's sort of the heartland of America in the middle of nowhere where real estate is cheaper and you can build hundreds of thousands of square foot facilities. Well, this makes it even worse because you're trying to hire people predominantly from coast jobs with those high salaries and asking them to move to Paducah, Kentucky or something. And that makes it even more challenging. So yeah, the skills gap and the cost is definitely a problem.

—MUSIC—


[I’m the CISO, and I say so segment]


Welcome to “I’m the CISO, and I say so” segment! This is where we ask interview guests what they would recommend, or even mandate, if they were a CISO of an organization in the industry they’re speaking about.

We asked Tim what he would say if he was the CISO of a manufacturing organization. Here’s his observation about what’s top of mind for CISOs in the manufacturing sector.


Tim Chase:

Well, I think that they're definitely going to be looking for budget increases for some of the programs that have been left kind of unfinished. I think also they're looking at ways to extend the longevity of current assets they have, but at the same time bring additional security around them. So, yeah, I think there's a number of things that they would love to do that they have not been able to enable because of board concerns or something else, that's probably one of the things that they would push.


Audra Streetman:

And would you say CISOs have a tough job in that respect of trying to communicate these technological problems to other leaders at the company?


Tim Chase:

Yeah, CISOs always have a hard job. But, you know, like one of the things that we had mentioned earlier is that oftentimes the executive leadership, boards, executive, don't necessarily see the cyber risk always as business risk and trying to make that case over and over again, where it's just one of the things that they're constantly considering is important. And it can be hard. Obviously the checkbooks, you know, open up after an event, but that's too late. And for a lot of manufacturers, SMBs, that may not be a sustainable event for them. They just might close their doors.

[takeaways segment]


What an interesting perspective on the evolving state of manufacturing security. What to pick up on? Well, I like the point about OT - it’s classic, but it goes back to just the basics: of network segmentation, of remit and mandate, of understanding the security. And always a clash with the physical world meeting IT networks. And then more recently, we see geopolitics play an ever-increasing role, with the rise of intellectual property theft and supply chain pressures. JIT lowers cost but increases the risk of supply chain issues - it’s a trade-off. What was your main takeaway?


My takeaway from this interview is that manufacturers are uniquely positioned with regard to supply chain risk. They not only *have* a number of vendors and suppliers but they also *serve* as a vendor to a variety of customers. The overall volume of vendor and supplier assessments presents its own challenges. How do you ensure that you have an accurate inventory of vendors that your company does business with, and have you assessed how each supplier is integrated with the company and the impact in the event of a supply chain attack? I imagine that can be quite complicated.


It’s worth pointing out that the manufacturing ISAC has two supply chain security guides for the consumer packaged goods sector.

You can download them at MFGISAC.ORG.

We’ll also link to more resources in the show notes and in our ongoing blog series, which you can find at splunk.com slash surge.

—OUTRO (slowly fade music up)—


That’s all the time we have for this episode of The Security Detail.

And if you like what we’re doing, please share The Security Detail with your friends. You can look for us on Podbean, Apple, Spotify, or wherever you find your podcasts.

Thank you for listening!

Episode three features an interview with Tim Chase, Program Director at the Global Resilience Federation (GRF). The GRF created the Manufacturing ISAC in March of 2022. Chase has worked across various critical infrastructure sectors in several information sharing communities. He currently leads the MFG-ISAC and shared some of the top cyber threats for the industry.

Read more for a few key takeaways from the interview, or download the full episode.

1. Manufacturing is a top target for ransomware attacks due to its payment capacity and inadequate IT security.

Chase says ransomware attacks on manufacturing companies have increased exponentially year-over-year, making manufacturing one of the most targeted industries.

“If you look at the companies that are most targeted, they're large enough to pay a ransom, but they’re small enough not to have really exquisite enterprise-level IT and security solutions,” Chase said, calling the manufacturing sector a “sweet spot” for ransomware activity.

The constraints of just-in-time deliveries and operational dependencies also make manufacturing organizations more likely to pay ransoms.

2. Patch management and securing IoT devices pose significant challenges for manufacturers.

Chase explained that manufacturers face difficulties in patch management, particularly when dealing with operational technology (OT) systems. Many manufacturers have adopted IoT technology, which expands their attack surface and introduces security vulnerabilities.

“The manufacturing industry is quite varied in terms of what protocols they're running. So on one hand, you might have industries that are running full SCADA systems. But oftentimes, a lot of the manufacturers are kind of like OT-light. It's kind of like industrial IoT or IoT,” Chase said.

The fast-paced deployment of IoT devices often outpaces the development of effective security measures, and the lack of network segmentation between front-office and shop-floor environments further complicates security.

3. The skills gap in cybersecurity and supply chain risks are major concerns for the manufacturing industry.

Manufacturing companies struggle to address the skills gap in cybersecurity, particularly in areas where real estate costs are lower. “You're trying to hire people predominantly from coast jobs with those high salaries and asking them to move to Paducah, Kentucky, or something. And that makes it even more challenging,” Chase said.

Additionally, manufacturers recognize the importance of addressing supply chain risks, as they often serve as both consumers and suppliers in complex supply chains.

Listen to the full interview to hear Chase’s thoughts about common attack vectors in the industry, his take on the role of generative artificial intelligence in network defense, and the services MFG-ISAC provides. To learn more about The Security Detail podcast and listen to more episodes, visit thesecuritydetail.podbean.com.
