By Richard Massey, VP EMEA North at Arcserve.
Cybercriminals are constantly evolving their tactics to avoid detection in their pursuit of new and lucrative avenues of attack. These tactics are often specifically tailored to certain industries, meaning no sector is safe from cybercrime.
Recently, a malware, named EKANS, was discovered by FortiGuard Labs; it seeks to deliberately target the industrial control systems (ICS) of manufacturers. This variant was implicated in the attack which hit Honda’s UK operations earlier in the year, leading to closures at their Sunderland manufacturing hub.
This ransomware variant can be extremely costly for manufacturers. The complexity of modern manufacturing, and the sheer number of intricate moving parts involved, mean that just one hour of production downtime can cause tens of thousands of pounds of damages - without even mentioning the costs of data loss. This threat can all too often be enough to make manufacturers give in to cybercriminals ransom demands. Norwegian Aluminum manufacturer Norsk Hydro had to close several European factories in 2019 due to a ransomware attack that was reported to have cost over 45M in total, despite a response that was described as “gold standard” by industry commentators.
The stark realities revealed in the analysis by FortiGuard showed that EKANS intentionally selects each of its victims and, like most strains of ransomware, encrypts files and demands a payment be made in return for a decryption key after it compromises a machine. What makes the EKANS ransomware strain so dangerous is that it brings down firewalls, which is particularly troublesome in an industrial environment. This is all the more reason to implement a two-pronged approach to ransomware readiness. In order to reduce the severe and sometimes irreversible damages ransomware attacks cause, IT teams need to fully implement and integrate their business continuity, disaster recovery (BCDR) and cybersecurity protocols.
Common cyber hygiene problems to avoid
Preparing IT infrastructures in the manufacturing industry for ransomware threats such as EKANS needs internal reflection from an organisation about their IT processes. These organisations would be best to conduct an internal audit to understand what cyber hygiene pitfalls might be in hiding in their current operations.
Employees and human error represent a major risk when it comes to ransomware, and often represent the weakest link in a company’s armor. They’re the front line in the fight against ransomware, and as such, employee education is a powerful tool in an organisation’s arsenal when it comes to ransomware prevention. Offering workforces regular cybersecurity training, no matter their role or seniority, will give everyone the ability to identify phishing attempts disguised as legitimate emails. This is a key step to stopping criminals from gaining access to an organisation’s network in the first place.
Companies should also ensure they’re not being overly lenient about granting admin privileges to employees unnecessarily. It is imperative to limit access to admin permissions so that if a breach does take place, cybercriminals only gain limited access to business-critical data and applications. Prioritizing system patches will also reduce the potential of an avoidable breach occurring. This is a necessary process that can be automated to save time and ensures that no issues are created by missing patches.
Legacy IT systems can also represent a common pain point for organisations. These should be retired to reduce the chance that an organisation suffers a cyberattack against a system not designed to face modern cyber threats. It’s important to evaluate legacy backup technology because older systems simply aren’t as capable at handling the vast volumes of data used in modern IT. Taking stock of the IT environment and understanding where investments need to be made can go a long way in mitigating the chance of cybercrime.
Ransomware readiness best practices
While making sure cyber hygiene is adequate is important, it’s no silver bullet. IT teams need to consider and implement policies and procedures so they’re ready if an attack does strike also carefully. They can begin by analysing what data is business-critical so that they can develop a strong understanding about where this data is being stored and which workloads and applications would need to recovered urgently after a period of extended downtime. By doing this, IT teams will be able to identify if more redundancy is required in their backups. Manufacturers should follow the 3-2-1 rule, creating three-fold copies of their data, stored in two separate locations, ensuring one is offsite. This airgap will reduce the chance an organisation will lose critical data.
Good data backup and recovery practices are just one part of to ensuring an organisation’s readiness against ransomware. Some groups have also started to target backups, so IT teams are now tasked with securing backups themselves and fortifying them in the same manner that they would protect production data. This requires integration for both cybersecurity and data protection throughout multiple different environments, including software-as-a-service, on-premise or in the cloud. Using protection tools that can detect of both known and unknown malware threats across backups will stop cybercriminals from compromising them and holding stored data for ransom.
The threat landscape for manufacturers is constantly changing and evolving, cybercriminals will always seek to find new ways to infiltrate corporate networks to make money. With the UK manufacturing industry already experiencing a slow and tentative recovery from the pandemic, it is imperative that manufacturers don’t give themselves more issues to deal with. It’s critical that they remain vigilant and proactively review their technologies, policies, processes and train their people to keep up with cybercrime.