With the number of large scale cyber-attacks on the rise around the world, Australia could be next and the manufacturing sector is at risk. Tim Wellsmore, director of threat intelligence and consulting for Mandiant at FireEye, shares his thoughts on this issue.
It is no secret that Australia’s cyber-security environment is seriously wanting. The recent 2016 Threat Report from the Australian Cyber Security Centre shone the light on critical gaps in Australia’s cyber defences – the breach of the Bureau of Meteorology highlighting just one prominent example – and it may surprise you to learn that manufacturing is not immune to these vulnerabilities.
Manufacturers across the globe are at constant risk of hackers attempting to steal their valuable intellectual property. This is not to mention the level of weaknesses in critical infrastructure that have nothing to do with manufacturing per se, but which the industry cannot survive without: electricity grids, water supplies, technology infrastructure and even the ability to attack production lines has been increasing alarmingly over the past six years.
To their credit, manufacturers don’t necessarily have their heads in the sand regarding the threats to the industry. Per the IDC Worldwide Semiannual Security Spending Guide, IDC expects banking to make the most investment in security technology this year at US$8.6 billion (A$11.4 billion) – with discrete manufacturing, federal and central government and process manufacturing next in line. In total, these four verticals will represented 37 per cent of global security revenue for 2016 and will also be the top-spending verticals until 2020, the analyst firm predicts.
The expected investments are much needed, because the consequences of not investing in cyber defences are immense. Take out an electrical grid and industry grinds to a halt. Take out the internet and you cripple the information transfer of most organisations. Hack a manufacturer, and years of R&D investment and IP can be stolen, potentially causing an entire industry to be replaced by those in countries with much cheaper cost bases.
Recently, Chinese and Russian hackers reportedly attempted to access details about Australia’s next generation submarines. The attempts were reportedly aimed at the submarine builders in Germany, France and Japan bidding for the $20 billion contract to build the new fleet. The bidders were holding highly sensitive information about the Royal Australian Navy’s technical requirements for its next-generation submarines.
Perhaps even closer to home, Donald McGurk, chief executive of Adelaide-based communications, metal detection and mining technology firm Codan, said he watched sales and prices of his firm’s metal detectors collapse after Chinese hackers stole the company’s designs and began selling cheap knock-offs into Africa. How did they come by the designs? An employee’s laptop was reportedly compromised on a trip to China.
These are just two prominent examples, and we know these are just the surface of the real events impacting business and manufacturers across Australia. Now, an awareness is emerging of the real risk of Industrial Control System (ICS) vulnerabilities that has been observed since 2010 – the year the Stuxnet virus that took down an Iranian uranium enrichment plant was disclosed.
Ninety per cent of the known vulnerabilities to these systems are from after 2010, and that’s a number we only expect to grow: we’re seeing strong demand by the active cyber threat groups for ICS systems across the globe. Further, more than half of the vulnerabilities since 2013 deal with “Level 2” compromises—the systems that allow operators to supervise and control physical processes, such as opening valves or modifying machines.
Meanwhile, the patching of vulnerabilities is a still substantial problem in ICS environments. Of the nearly 1,600 total vulnerability disclosures that has been examined, one-third are zero-days – a hole in software that is unknown to the vendor – and which have no vendor fixes, which present significant opportunities for adversaries to get into systems. And at least five ICS-specific vulnerabilities have been exploited in the wild, a rate we anticipate will increase in the future.
This is not to mention the rise of ransomware attacks on companies and individuals – wherein attackers will lock up infrastructure assets and only release them once the company pays a ransom. Additionally, the threat from massive denial of service attacks – such as the one seen recently which slowed or knocked out sites such as Twitter and Reddit – is increasing at a scale never seen before, powered by the rise of the Internet of Things (IoT).
Unfortunately, security personnel from manufacturing, energy, water and other industries are all too frequently unaware of their own control system assets, let alone of the vulnerabilities that affect them. Organisations operating these systems are simply missing the warnings and leaving their industrial environments exposed – the hacking of Ukraine’s power grid is the most famous example of this.
This may sound bleak. But with the right approach, there are ways to combat the growing threat of cyber-attacks in the manufacturing space.
For one, the expected investments into cyber defence highlighted earlier will help by shoring up the defences for security teams in the ICS space. It shows not only an acknowledgement of the issue but a proactive approach to countering it.
Additionally, it’s important for business owners and executives to understand the realities of the threat from credible sources of threat intelligence, translated into understandable and actionable business risks. Also, manufacturers that have ICS assets should prepare their security teams with an accurate understanding of control system assets, locations and functions. They should be aware of the changing threat environment, what that means for their day to day operations, and continue to maintain vigilance. This involves:
Obtaining structured vulnerability and patch feeds that cover a wide variety of sources;
Match reported and confirmed vulnerability disclosures and patch announcements against their asset inventory in their industrial environments; and
Prioritise vulnerability remediation efforts by considering ICS architecture location, the simplicity of exploitation, and the possible impact on the controlled industrial process.
Make no mistake: cyber-attacks are going to happen, and happen frequently. It is the age we’re in now and there is still too much benefit to hackers to want, or need, to stop. It will be relentless and the methods of attack will evolve to counter most of the defences we create to halt them.
It’s imperative that investment is forthcoming from industry and government alike to ensure Australia’s interests, and its IP, are protected. But more importantly, recognising that cyber-attacks aren’t just reserved for acts of cyberwarfare or opposing governments is paramount for manufacturers and businesses to truly understand the level of vigilance required. Manufacturing is the beating heart of any modern nation, and it should be protected accordingly.