Dragos’ Executive Guide to Manufacturing provides strategies to secure Operational Technology environments, protect assets, and implement cybersecurity.
Manufacturing environments are increasingly becoming targets for cyber adversaries.
The digitalisation of manufacturing processes has blurred the lines between IT (Information Technology) and OT (Operational Technology), making it easier for threats to proliferate from enterprise IT into OT environments.
This convergence has introduced several trends:
• Proliferation from IT to OT – compromises originating in enterprise IT are increasingly affecting OT environments due to business and process dependencies.
• Removable media as a threat vector – the use of removable media such as USB drives and CDs has re-emerged as a threat vector, often serving as the initial infection point.
• Ransomware – ransomware continues to plague the manufacturing sector, with adversaries realising that disrupting production is an effective way to force victims to pay ransoms.
Key adversaries targeting manufacturing environments
Dragos OT Cyber Threat Intelligence identifies and tracks adversaries that are relevant to the manufacturing sector. These adversaries are categorised based on their observed behaviours rather than their intent.
• Gananite, Laurionite, and Wassonite – these threat groups focus on espionage, initial access, and data exfiltration. They have been observed targeting critical manufacturing across various geographies and sectors.
• Chernovite – this threat group stands out due to its development of a modular industrial control systems (ICS) malware framework known as PIPEDREAM. This framework includes several distinct modules designed to interact with and disrupt various ICS components.
Chernovite’s PIPEDREAM framework
Chernovite’s PIPEDREAM framework is concerning because of its modular nature and the sophistication of its components. The ICS malware framework includes:
• Evil Scholar, which targets Schneider Electric programmable logic controllers (PLCs).
• Bad Omen, which interacts with Omron software and PLCs.
• Mousehole, which interacts with OPC UA servers.
• Dust Tunnel, which performs host reconnaissance and command and control.
• Lazy Cargo, which exploits vulnerabilities to load unsigned drivers in enterprise IT environments.
The modularity of PIPEDREAM means that it can be adapted and expanded, posing a threat to both enterprise IT and OT manufacturing environments.
Ultimately, malware targeting ICS or PLCs can disrupt manufacturing operations by halting production lines, damaging equipment, manipulating process controls, and compromising safety systems, leading to financial losses, operational downtime, and safety hazards for employees and the facility.
Manufacturing threat scenarios to consider
Real-world scenarios for manufacturers to consider include:
• Ransomware propagation – in a typical ransomware event, the initial infection occurs in the enterprise IT network. Once the ransomware gains privileges, it propagates through the network, encrypting data and disrupting operations.
• Transient devices – transient devices like USB drives can introduce malware into control systems during maintenance operations. Without strong removable media policies, these devices can bypass network segmentation and spread malware.
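The removable-media scenario above is one that monitoring can catch directly: insertions on OT hosts are compared against an approved list of maintenance media, and a device seen on both IT and OT hosts is exactly the segmentation bypass the scenario describes. The following is an added illustration, not code from the Dragos guide. The log format, the host/zone/vendor/product/serial fields and the approved-media values are all constructed for the example; a real deployment would parse its own collector's events (for instance Windows Security event 6416 or Linux udev records) into the same shape.

```python
"""Flag removable-media insertions on OT hosts that are not on the approved-device list."""
from dataclasses import dataclass

# Constructed sample log: one record per removable-media insertion event.
# The field layout (host, zone, vid, pid, serial) is an assumption for this
# example; real collectors need their own parsing into this shape.
SAMPLE_EVENTS = [
    "2024-05-01T08:02:11Z host=ENG-WS-01 zone=OT vid=0951 pid=1666 serial=MAINT-0001",
    "2024-05-01T09:15:42Z host=ENG-WS-01 zone=OT vid=0781 pid=5583 serial=PERSONAL-7F3A",
    "2024-05-01T10:30:05Z host=HMI-LINE3 zone=OT vid=0951 pid=1666 serial=MAINT-0002",
    "2024-05-01T11:05:59Z host=FIN-LAPTOP-22 zone=IT vid=0781 pid=5583 serial=PERSONAL-7F3A",
    "2024-05-01T12:44:17Z host=HIST-SRV-01 zone=OT vid=13fe pid=4300 serial=UNKNOWN-91C2",
]

# Approved maintenance media as (vendor_id, product_id, serial). Constructed values;
# in practice this list comes from the site's removable-media policy.
APPROVED_MEDIA = {
    ("0951", "1666", "MAINT-0001"),
    ("0951", "1666", "MAINT-0002"),
}


@dataclass(frozen=True)
class Insertion:
    timestamp: str
    host: str
    zone: str
    vid: str
    pid: str
    serial: str


def parse_event(line):
    """Split one constructed log line into an Insertion record."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Insertion(ts, fields["host"], fields["zone"],
                     fields["vid"], fields["pid"], fields["serial"])


def find_violations(lines, approved=APPROVED_MEDIA):
    """Return insertions on OT-zone hosts whose device is not on the approved list."""
    violations = []
    for line in lines:
        ev = parse_event(line)
        if ev.zone != "OT":
            continue  # IT hosts are governed by a separate policy in this example
        if (ev.vid, ev.pid, ev.serial) not in approved:
            violations.append(ev)
    return violations


def media_seen_in_both_zones(lines):
    """Serials observed on both IT and OT hosts: media carried across the segmentation boundary."""
    zones_by_serial = {}
    for line in lines:
        ev = parse_event(line)
        zones_by_serial.setdefault(ev.serial, set()).add(ev.zone)
    return sorted(s for s, z in zones_by_serial.items() if {"IT", "OT"} <= z)


if __name__ == "__main__":
    for v in find_violations(SAMPLE_EVENTS):
        print(f"ALERT {v.timestamp} {v.host}: unapproved media {v.vid}:{v.pid} serial={v.serial}")
    print("Media crossing the IT/OT boundary:", media_seen_in_both_zones(SAMPLE_EVENTS))
```

On the sample log this raises two alerts (a personal drive on the engineering workstation and an unknown device on the historian) and identifies PERSONAL-7F3A as media that moved between the IT and OT zones. Keying the approved list on serial number as well as vendor and product IDs matters because many drives of the same model share a vendor/product pair, so a model-only allowlist would admit any drive of that type.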
The rapid adoption of smart technologies in manufacturing introduces new cybersecurity challenges. These technologies expand the attack surface and require a skilled cybersecurity workforce to manage them. Additionally, manufacturing organisations involved in wartime efforts are at greater risk of sabotage, as seen in the recent Ukraine-Russia conflict.
By understanding the behaviours and capabilities of key adversaries, organisations can better prepare and defend against these threats. Manufacturers need a robust cybersecurity strategy that includes strong policies, continuous monitoring of IT and OT environments, and ongoing investment in cybersecurity skills and technologies.
As the digital transformation of manufacturing continues, staying informed and vigilant is crucial to safeguarding operations and maintaining resilience against cyber threats.
Don’t wait for a cyber incident to disrupt your manufacturing operations. Download the Manufacturing Executive Guide for OT Cybersecurity and take the first step towards a more secure future for your manufacturing enterprise.