Rapid technological advancements in the manufacturing industry have allowed companies to supercharge their production lines, reduce unplanned downtime and manage their IT assets with increasing precision. The ongoing automation boom (widely referred to as Industry 4.0 or SMART manufacturing) has only accelerated this transformation, helping manufacturers consolidate their legacy systems and analog processes into one intelligent, centralized IT management framework. And while this push toward modernization has had a positive impact on the industry as a whole, it also comes with more than a few risks.
Like most commercial industries, manufacturers of all sizes have had to invest in a range of cybersecurity software, tools and services to protect their production equipment and data from digital exploitation. One 2018 study from Gartner estimated that global spending on information security would exceed $124 billion by the end of 2019, in part due to the growing number of high-profile data breaches. To help mitigate these and other types of cybercrime, manufacturers are investing in a host of defensive capabilities, from identity and access management to data loss prevention. But there are some threats that automated cybersecurity systems aren’t able to completely negate, such as ransomware attacks. To get a clearer picture of how ransomware infections can impact manufacturing operations, let’s dive a bit deeper into the details.
A Brief Overview of Ransomware
Ransomware is a specialized form of malware that infects computers and data stores, encrypts important files and locks down computer terminals until a ransom is paid, according to the U.S. Department of Homeland Security. While there are many different types of ransomware circulating the web, nearly all are able to quickly spread across connected systems, shared storage drives and private networks.
Once the ransomware has identified key drives on an infected computer, the malicious code starts encrypting every file it can access. In most cases, users are completely locked out of their devices until the ransom is paid or the malware is wiped from their data stores. Research from the cybersecurity firm Coveware found that the average amount paid per ransomware incident in the first quarter of 2019 stood around $12,762, which is nearly double the average from the end of 2018, ZDNet reported. However, law enforcement agencies like the DHS and FBI advise against paying the ransom, as it only encourages cybercriminals to continue developing new ransomware families with enhanced capabilities. In terms of specific ransomware variants, the popular anti-virus developer Malwarebytes sorts strains into three categories based on severity:
- Scareware: As the least severe type of ransomware, scareware is often relatively easy to detect and remove. This form of ransomware infection typically creates persistent pop-up messages that claim malware was discovered on a user’s computer, and that a “support fee” must be paid to remove it. These sorts of tech support scams often target less tech-savvy users and rarely have a lasting impact on files and data stores.
- Screen lockers: Unlike scareware, this mid-tier category of ransomware is able to completely freeze users out of their workstations, even after a reboot has been performed. Once infected, a computer terminal will permanently display a locked window until the ransom is paid, preventing users from accessing files and performing even basic administrative tasks. While screen lockers can be extremely disruptive in the short term, they can usually be cleared out without fear of data loss.
- Encrypting ransomware: This form of ransomware is undoubtedly the most severe, as even with advanced cybersecurity software it can be impossible to fully restore the encrypted data without paying the ransom. However, giving in to a cybercriminal’s demands is no guarantee that the hijacked data and files will be returned. Recovering from this type of ransomware infection often requires a complete wipe of all drives and a complete reinstallation from safe backups.
Although the total number of users who encountered ransomware decreased by almost 30% between 2017 and 2018, according to research from Kaspersky Lab, manufacturers have seen a notable uptick in cyberattacks over the past year. A recent study by Deloitte discovered that close to 40% of manufacturing companies encountered at least one cyberattack between 2018 and 2019, suggesting there is a real need for continued improvement. But how can manufacturers protect their data and workstations from ransomware before and after an attack has occurred?
Ransomware Protection and Response
Generally speaking, manufacturing firms are highly susceptible to ransomware due to the large volume of mission-critical production data involved in their day-to-day operations. A single encrypting ransomware attack can lock down everything from production schedules and work orders to component schematics and more. Manufacturing environments that heavily rely on automation and internet of things technologies, in particular, can suffer major outages and prolonged downtime while the ransomware is being removed, leading to costly operational delays and missed business opportunities. That’s where ransomware protection can help, but only if the right cybersecurity tools and IT policies are in place.
First, it’s important to note that the vast majority of ransomware attacks are orchestrated through phishing emails or drive-by downloads, according to the DHS. Generally speaking, end users are the most vulnerable access point that cybercriminals can exploit, which is why cybersecurity training and IT governance policies are crucial to any ransomware protection plan. While there are plenty of anti-ransomware applications on the market, few are able to decrypt all the different ransomware families, making prevention the most effective approach. To that end, a robust anti-ransomware training program should teach employees how to spot phishing emails and cover the do’s and don’ts of on-the-job internet use.
Vulnerability assessment is another key practice in ransomware protection, as new delivery methods are constantly under development. Cybercriminals favor ransomware because it offers an immediate return on their activities, as opposed to identity theft, which typically requires a buyer. However, in both scenarios, hackers are capitalizing on the sensitive nature of an organization’s data, which makes proactive backup operations essential to long-term security. Backing up business-critical systems and files to an offsite location can significantly reduce the leverage ransomware attackers have, while also ensuring IT administrators can restore important data stores without paying the ransom.
Even under the most favorable conditions, ransomware attacks can still penetrate a manufacturer’s network perimeter as a result of user error, poor controls, and/or negligence. In these scenarios, it’s crucial to contact law enforcement as soon as possible and resist the urge to pay the attacker. If the malware or ransomware cannot be removed, the next best option is to completely wipe all drives and data stores and reinstall from clean backups. Keep in mind, some ransomware variants seek to infect your backups to render them useless. This point of leverage means a simple re-imaging of systems followed by backup restores may not be enough to recover your operation.