All across the U.S., manufacturers are silently struggling with an invisible force that threatens the livelihood of their businesses. This dark entity slips into an organization—often undetected—to steal passwords and intellectual property. Sometimes it demands money in exchange for unlocking enterprise servers. Sometimes it maliciously shuts down industrial machines in an attempt to cause physical harm, like an explosion. Other times, it’s not interested in the immediate prey, but has its sights set on a bigger victim, and therefore uses a company as a gateway into their partner networks.
It is the hackers of the world wreaking havoc on unsuspecting organizations. And it is not just large multinational manufacturers that are targets, but everyone in the supply chain.
Bad words like “Stuxnet,” “Triton,” “WannaCry,” and “NotPetya” have been headline news over the last few years, indicating that we’ve entered the era of cyberwarfare, and data is the weapon. In this new threat landscape, we’ve seen nation states, criminal gangs and “hacktivists” navigate cyber channels to manipulate enterprise databases, critical infrastructure and industrial control environments. And it’s difficult to stop, despite the decades of IT experience a company—or government—may have.
“Security in a digital world is still so hard,” says General Michael Hayden, a retired U.S. Air Force four-star general and the former Director of the National Security Agency (NSA) and the Central Intelligence Agency (CIA). Hayden was addressing attendees in the oil and gas industry during a keynote presentation at the 2018 PAS OptICS security conference earlier this year. But cybersecurity impacts every segment of the manufacturing industry. “We have a lot of bright people working on this problem, but the faster we go, the more behind we get. We don’t seem to be getting ahead of it.”
In order to protect our country and our companies, General Hayden says government and corporate America have to work together, and that means taking personal responsibility for protecting your business. It starts, he says, just like any other military exercise, by mitigating risk.
Hayden, who once held the role of Commander of the Air Intelligence Agency and Director of the Joint Command and Control Warfare Center, applies a classic risk equation used in combat: Risk = threat × vulnerability × consequence.
First, you identify the most likely threats to the organization. Then, you assess your vulnerability and do your best to defend the perimeter—don’t let the bad guys in. But they are getting in, he says, so you have to manage the consequences. “Now it is all about the time between penetration and discovery,” he says.
The ability to discover a bad actor after a break-in is the hard part. That’s why many manufacturers are oblivious to the fact that they’ve already been hacked.
According to Rebecca Taylor, Senior Vice President, strategic partnerships for the National Center for Manufacturing Sciences, 47% of manufacturers they polled said they weren’t experiencing any cybersecurity attacks. But that number is inaccurate, she says. In fact, most manufacturers don’t know they’ve had a security breach, or they keep it a secret.
“Depending on the nature of an incident, reporting requirements for manufacturers vary but can be far less stringent than some other industries,” adds Brendan Rooney, Director at The Crypsis Group, a digital forensics and incident response firm, noting that, despite handling just under 500 incidents that required forensics in the past year, these events are often not made public. The top three intrusions include ransomware, phishing and IP theft. But you don’t hear about it. “There are a lot of reasons you don’t see mid-market manufacturers popping up in the news or admitting to a compromise,” he says, “mostly, because they would incur a significant level of reputational harm.”
Many times, the investigations show that these cybersecurity incidents could have easily been prevented. But many don’t take it seriously, because they don’t think they’re a target.
Hackers get in through open ports or they gain access to user credentials or software programs with known vulnerabilities. So, most often, the best first line of defense—like General Hayden says—is to understand and identify the threat. For that, you may need a team of external experts.
How to hijack the hackers
Rooney and the Crypsis team are called in after a cyber incident. It often starts with a call from an attorney who has determined that an investigation is required. Crypsis runs proprietary programs and deploys their team of expert consultants to see how a hacker gained access to the network and where the IP address originated. They also determine how long the hacker retained access to the system and what information they had access to. That report is passed back to the attorney to work on remediation of the issues to stop a future attack.
“Once we have the findings we determine what the disclosure obligations are and we work with law enforcement to assist in the investigation process and any public relations or disclosure concerns,” says Jennifer Coughlin, a Partner at the law firm of Mullen Coughlin, which specializes in data privacy and cybersecurity.
Having a response plan in the event of a security breach is essential, Coughlin says. But knowing what the vulnerabilities are before something happens is a better option, which is why Crypsis also has a suite of “pre-breach” risk management capabilities. “This can be very eye-opening in the sense that you don’t know what you don’t know,” Rooney says.
Once that is done, an attorney can counsel the OEM on what the vulnerabilities are and what obligations it has to notify partners if something happens.
As for managing the consequences: “Get cybersecurity insurance,” Coughlin says. “It is something many organizations don’t appreciate, but you can shift this risk.”
Stay tuned for Part 2.