By Michael Degan, Fluid Power Journal Editor
On May 7, a criminal gang believed to be based in Eastern Europe launched a ransomware attack on the computer systems of Colonial Pipeline, forcing the company to shut down operations for several days.
The shutdown of the pipeline, which supplies roughly 45% of the fuel consumed on the East Coast, caused gas shortages, panic buying, and price hikes at gas stations mostly in the southeastern U.S. Colonial paid the hackers a $4.4 million ransom to decrypt the company’s systems so it could resume operations.
A few weeks later, Brazil-based JBS SA, a meatpacker with facilities in the U.S., reported that it was hit by a cyber attack that forced it to shut down operations in numerous countries. The attack is believed to have originated in Russia. As of June 2, the company had only restored some of its operations.
While entities of any kind anywhere in the world can be victimized, manufacturing companies, including fluid power companies, face unique vulnerabilities that increase their risk of attack, according to cybersecurity experts.
Experts say that the number of ransomware attacks in the U.S. is growing, reportedly up 150% last year over 2019. Cyber criminals target not only commercial enterprises but also government and infrastructure. The FBI warned last year that the U.S. health care system is increasingly threatened.
Among the challenges that can make manufacturing companies more likely to be attacked is the reluctance of some manufacturers to upgrade their computer systems. Because the industry relies heavily on production schedules that need to avoid downtime, some companies continue using older software that may be obsolete and no longer updated by the software’s creator.
That raises security risks, cyber security expert Jennifer Kurtz told Fluid Power Journal. Kurtz is cyber program director for Manufacturer’s Edge, a part of the Manufacturing Extension Partnership network, which works with the U.S. Commerce Department’s National Institute of Standards and Technology.
Some manufacturing companies hesitate to upgrade computers because of the disruption of learning a new system. Their existing systems work well, and employees are used to them. Making changes disrupts production, so a company may continue using software that is obsolete, like Microsoft’s Windows XP, or even NT, which was released in 1993. Microsoft stopped supporting it in 2004. Kurtz said she knows of companies still using NT.
“The software is reliable for a given manufacturing process, and there’s concern about shifting to another software platform because it might not be as reliable,” she said. “There’s uncertainty involved there.”
“But they know it works,” she said. “People are accustomed, so the training dollars are going more toward better use of those [older] systems rather than to manufacturing equipment because that training time is more directly related to revenue than cybersecurity awareness training would be.”
Size doesn’t matter
Cybersecurity technology implementation can have high costs, and manufacturing companies, especially smaller ones, must weigh carefully where they spend their limited resources. Decision makers at small to midsize companies may skimp on cyber security practices because they think their size, or lack of it, makes them unlikely to be hit by a ransomware attack.
Kurtz said some smaller companies hold “a lingering belief that, ‘We’re small. Why would anybody look at us?’”
That misperception can lead to cutting corners on cybersecurity.
“I see a lot of companies that, for wireless networks, they’re using consumer-grade routers instead of commercial-grade routers, which have more built-in firewall-type capabilities,” Kurtz said.
“The payoff for security is difficult to calculate,” she said. “It’s a big budget trade-off and balancing act.”
The size of the company provides little protection against the likelihood of an attack. Companies of as few as 10 employees have been attacked. Attacking smaller companies is easier in some ways, Kurtz said, because they have fewer defenses and more potential openings.
Often small and midsize manufacturing companies don’t have a dedicated IT team that is looking at the company’s network, and the company misses anomalies in its network traffic.
“People are knowledgeable at keeping it running but don’t necessarily have a cybersecurity lens over what they’re doing,” Kurtz said.
There can be a split between operational systems and IT systems used elsewhere in the company, like for administration and payroll. In their production processes, the company may excel at quality control and safety, Kurtz said. But in the company’s offices, there can be lax practices, such as leaving physical media and hard copies of documents like design specs or customer pricing lists out in the open.
The COVID shutdowns that led many companies to permit employees to work from home also created cyber risks, Kurtz said.
“Employees aren’t necessarily coached on how to work safely from a remote location.”
Hackers can also have small operations. Someone interested in launching an attack can purchase a “ransomware how-to kit” for as little as $1,200, Kurtz said. Attacks on smaller companies can sometimes be practice for hitting a larger firm to “work out the kinks.”
“If you’re a newbie attacker, you might want to start with a smaller company and see what goes from there.”
‘Honor among thieves’
Curiously, threat actors appear to have a business model that relies on a certain amount of good faith. Some attackers try to cultivate a reputation of living up to their ransom demands and doing what they say they will do when they extort payment.
In a recent article in Harvard Business Review, attorney Brenda R. Sharton, a litigation partner and cochair of Dechert LLP’s privacy and cybersecurity practice, noted what she called “honor among thieves.”
“These extortionists depend upon companies believing that if they pay, all copies of the stolen files will be destroyed and/or the decryption keys provided,” Sharton wrote. “And the attackers do keep their word. In fact, some of these organizations are downright customer-service oriented, for example, accommodating the preferred cryptocurrency of the extortionee (with a small percentage upcharge to do so).”
Ransomware attackers demand payment in cryptocurrency, a virtual currency protected by cryptography that is impossible to counterfeit or double spend. Its prevalence in cyber extortion has led to calls for a U.S. ban on cryptocurrency, which would make ransomware crimes impossible.
“Ransomware can’t succeed without cryptocurrency,” Lee Reiners, executive director of the Global Financial Markets Center at Duke Law, wrote in a recent Wall Street Journal commentary.
“Before cryptocurrency, attackers had to set up shell companies to receive credit-card payments or request ransom payment in prepaid cash cards, leaving a trail in either case. It is no coincidence that ransomware attacks exploded with the emergence of cryptocurrency.”
Guarding against attack
Such a ban is unlikely, as the U.S. government has been reluctant to regulate cryptocurrency. That leaves it to companies to protect themselves as best they can.
Most of the fluid power companies we spoke to declined to discuss how they are guarding against ransomware risks.
Through a public relations representative, Emerson told Fluid Power Journal: “We are continuously reviewing our controls and practices to include scenario-driven thought toward risk mitigation approaches for ourselves and for our served markets and customers through our products, services, and solutions,” Denise Clark, senior consultant with FleishmanHillard, said in an email. “Like many companies, prioritizing the appropriate cybersecurity skills and resources (as cybersecurity is everyone’s responsibility) is a continuous process that requires training appropriately, creating organizational culture to better guard against cyberattacks, and recognizing the need for planning and acting proportionally.”
Experts outline a number of steps companies can take to guard against an attack. One is to use multifactor authentication for access to critical data and computer systems. This is done by requiring at least two steps to allow access. Consumers are seeing this more and more. For example, when filling up at a gas station, customers using credit cards at the pump may need to also enter their ZIP code. The gas station’s computer system requires both steps – a valid credit card and a matching ZIP code – before it allows access to the pump.
Another step that many companies already take is to encrypt and back up their sensitive and “mission-critical” data. But companies should also test the backups and encryption to make sure they work properly. Finding a backup or encryption failure after an attack can be disastrous.
Experts also recommend that companies have an incident response plan and keep a paper copy of it in easy reach. The plan should outline the steps the company will take after an attack or other type of incident. Part of planning for a cyberattack should be establishing a relationship with a forensics firm that would step in after a data breach. Companies should also have a cybersecurity insurance broker who would participate in responding to an attack.
Employee education is also critical. Employees should be thoroughly coached on steps they can take to guard against an attack.
Another helpful step for companies is to become a member of an ISAC or ISAO – an information sharing and analysis center or organization. These industry-specific groups gather intelligence about cyber threats and share best practices.
As manufacturing relies more and more on Industrial Internet of Things processes, companies heavily dependent on sensors and other embedded systems need rigorous cybersecurity guidelines to protect their operations. Risks can increase for companies that practice “lights-out” manufacturing, which operates remotely 24 hours a day with few or no humans on site, Kurtz said.
For companies without cybersecurity protocols in place, “Get started,” she said. “It’s only going to get more complicated.”
But look carefully for the right kind of help, she warned.
“Don’t try to search out the easy route when somebody says, ‘Throw me a bunch of money, and your problems will go away.’ They’re lying to you. Would that it were that easy.”
For companies that want to begin or increase cybersecurity measures, there’s lots of help available. One place to start is with the National Institute of Standards and Technology, an agency of the U.S. Commerce Department. NIST offers resources and guidelines to help companies manage risks to their data and computer systems. To investigate, visit www.nist.gov/cyberframework.