Vectra finds manufacturers have increased risk of cyber attacks over other industries
August 13, 2018 – Vectra, an artificial intelligence solutions provider that detects and responds to cyber attacks in real time, has released a new report citing the increased risk of cyber attacks against manufacturing organizations.
Many manufacturing companies rely on the Industrial Internet of Things (IIoT) and cloud-based systems, which create an expansive “attack surface” that cyber criminals can gain access to in the absence of rigid security controls.
Who is accessing the data, and how?
Vectra’s study cites the 2018 Verizon Data Breach Industry Report, which found that 53 per cent of breaches in the manufacturing industry are state-sponsored – i.e., sanctioned by a foreign government – in an effort to boost a nation’s economy by stealing personal information and/or secrets.
The Verizon report also showed that attackers target servers in 58 per cent of manufacturing data breaches. This indicates that a majority of attackers are after intellectual property and are mapping out critical assets, rather than going for easier points of entry such as endpoints and IoT devices.
The report findings
In compiling its Attacker Behaviour Industry Report, Vectra monitored more than four million devices and workloads in the cloud, data centre and enterprise environments of over 250 opt-in customers across manufacturing and other industries over a period of six months in 2018.
Using its Cognito platform, which detects cyber attacks and threats, Vectra discovered a high rate of malicious internal reconnaissance in the manufacturing sector. For example, in March 2018, there were 717 attacker detections per 10,000 host devices in the manufacturing sector, compared to 488 across all industries.
There was also a 2:1 ratio of lateral movement instances over command-and-control. Lateral movement refers to the way unauthorized users move through a network to search for the key data and access privileges they need to orchestrate an attack. Command-and-control, or C&C, is a method that attackers use to disseminate directives via a server to digital devices that have been infected with malware.
Most of the lateral movement behaviours were considered instances of SMB brute-force, in which an internal host uses the SMB (Server Message Block) protocol to make multiple login attempts for the same user account. Vectra reported that much of this activity was automated, meaning that an internal host was likely trying to access multiple target accounts at once.
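The SMB brute-force pattern described above (one internal host, repeated failed logins for the same account, often against several accounts at once) can be written as a detection rule. The following Python is an added example, not Vectra's Cognito logic or code from the report; the record layout, host addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, internal source host, target server, account, success).
# A real deployment would derive these from SMB session-setup or failed-logon telemetry.
def make_events(start, n, step_s, src, dst, user, ok=False):
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * step_s), src, dst, user, ok) for i in range(n)]

SAMPLE_EVENTS = (
    make_events("2018-03-05T09:00:00", 12, 2, "10.0.4.17", "fs01", "svc_backup")  # burst, one account
    + make_events("2018-03-05T09:01:00", 15, 1, "10.0.4.17", "fs01", "jsmith")    # same host, 2nd account
    + make_events("2018-03-05T09:00:00", 3, 600, "10.0.7.22", "fs01", "akhan")    # slow, human-like typos
    + make_events("2018-03-05T09:30:00", 1, 1, "10.0.7.22", "fs01", "akhan", ok=True)
)

def detect_smb_bruteforce(events, threshold=10, window=timedelta(minutes=1), auto_accounts=2):
    """Return {source_host: {"accounts": {account: peak_failures}, "automated": bool}}.

    threshold, window and auto_accounts are assumed tuning values, not figures from the report.
    """
    failures = defaultdict(list)  # (source host, account) -> timestamps of failed logins
    for ts, src, _dst, user, ok in events:
        if not ok:
            failures[(src, user)].append(ts)

    findings = {}
    for (src, user), stamps in failures.items():
        stamps.sort()
        peak, left = 0, 0
        for right, ts in enumerate(stamps):  # sliding window over the sorted failures
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            findings.setdefault(src, {"accounts": {}, "automated": False})
            findings[src]["accounts"][user] = peak
    for host in findings.values():
        # One host hammering several accounts suggests automated activity.
        host["automated"] = len(host["accounts"]) >= auto_accounts
    return findings

if __name__ == "__main__":
    for src, info in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

The slow, widely spaced failures from the second host stay below the threshold, which is what keeps ordinary mistyped passwords from raising the same alert.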
There was also a high incidence of data smuggling in manufacturing, meaning an outside attacker accessed a large amount of data on an internal server and then sent it to an external system.
What to do about it
Vectra’s report points out that many manufacturers do not invest enough in security access controls because such controls can interrupt the systems necessary for lean production lines and the digital supply chain. There has also been a trend toward manufacturers using more standard protocols or out-of-the-box solutions rather than the customized (and more expensive) proprietary protocols they may have used in the past, which would have been more difficult for an attacker to infiltrate.
Without proper security and real-time analysis in place, IIoT technology may ultimately be detrimental to a manufacturer, because it provides a “flat” attack surface for cyber attackers to get in, and it can be difficult for standard security systems to detect the malicious activity.
Vectra recommends that manufacturers employ real-time analysis of their networks to monitor threats. The company also calls for more automation and artificial intelligence in attacker detection so that companies can respond as quickly as possible and not have to rely solely on cybersecurity professionals, who are in short supply.