What Any Manufacturer Should Know (And Do) About Ransomware in 2021

Gus Carrington

Gus Carrington About The Author

Aug 26, 2021

Ransomware attacks in manufacturing have made cybersecurity a concern amongst controls system professionals, especially as automating and digitization becomes more prevalent in the industry. It is becoming increasingly advantageous to build some sort of understanding about the subject. While there are a number of reasons to stay current in your manufacturing controls system (from outdated hardware running efficiency risks to missing out on key advantages that current systems provide), cybersecurity is somewhat unique in that it can affect both IT (information technology) and OT (operation technology) devices. 

Cybersecurity, and more specifically the threat of ransomware, found its way into bulk material handling news in a big way as of late. In a couple of our monthly news recaps, we chronicled some key updates, but have now asked our automation and manufacturing technology partners to help us take a deeper dive into what the average manufacturer can do when faced with this overwhelming concern. 

As Industrial Equipment News has explained, headlines have been filled with news related to ransomware attacks (as well as articles about how to protect yourself against the threat and think pieces centered around the increasingly important role that cybersecurity offers to manufacturers). Below we’ll explain the ins and outs of how this threat has affected the bulk material handling industry. Then, with help from BCI, we’ll explain what you can do about the threat of ransomware moving forward in 2021. 

2020 was the worst year on record for ransomware in the U.S.

Not only will 2020 go down in history as a year that changed everything for everyone (for obvious reasons), 2020 also represented the most costly year in ransomware attacks for American manufacturers to date. There were more than three times the total number of attacks than in 2019 and experts speculated that there was certainly a correlation between the pandemic and the increased threat of cybersecurity

A U.S. pipeline was shut down for two days after an attack

One of the most prominent victims of a ransomware hack was a U.S. natural gas compression facility. Colonial Pipeline was shut down for two entire days, and their supply chain was disrupted during these two days of downtime as a result. 

Technically, the OT infrastructure was not actually compromised, but since the IT infrastructure was (and there was a lack of confidence that the risks at the OT level could be sufficiently managed while running), Colonial had to shut down the operation until it was safe to come up again. The OT wasn’t shut down by the ransomware directly, but it caused a need to do so due to potential risks.

In the end, 5,500 miles of pipeline triggered widespread fuel shortages in the Southeast United States before Colonial Pipeline returned its system to normal operations. With such a high-profile hack chronicled over the course of the last few months, many notable news sources like Bloomberg shared opinion pieces related to safeguarding and connectivity. 

Big and small companies alike should be aware of ransomware

Even though you might not operate a U.S. pipeline (or even operate in the U.S.), hackers could still decide to look into your facility and control system. The manufacturing sector as a whole became increasingly targeted for ransomware attacks worldwide throughout the course of last year, according to a report by Dragos. Big and small companies are both at risk. 

Another unfortunate truth is that 80% of organizations that suffer a ransomware attack also find themselves suffering a second attack, according to Industrial Equipment News and security provider Cybereason. All too often those who attack are repeat offenders for the same companies, and 29% of businesses surveyed said that they wound up laying off employees due to financial pressures after a ransomware attack.

The U.S. has compiled a task force and an executive order

Amid the growing concern in 2020, The Justice Department has compiled a unique task force to work against the threat of future ransomware attacks. 

Though Acting Deputy Attorney General John Carlin wrote to department heads in a statement that some significant steps have already to address cybercrime as a whole, he called it “imperative” that they now use “the full authorities and resources of the Department” to confront the “many dimensions and root causes of this threat." In addition to those in the bulk material handling world, CNN reported that ransomware attackers have also increasingly targeted schools, hospitals and city governments.

After it was reported that a criminal group of hackers known as “DarkSide” was behind the shutdown of Colonial pipeline, an executive order was signed by President Joe Biden in May aiming to require all federal agencies to use commonplace cybersecurity measures. Still, the threat remains. 

There are commonplace measures that can increase security 

Chemical Engineering reports that “basic cyber hygiene” can ensure that control systems are not particularly vulnerable. Though there is a healthy debate about what exactly constitutes as a “hygiene” matter, the magazine quotes cybersecurity strategist Donovan Tondill listing examples such as: 

  • Strong remote access
  • Electronic security perimeter
  • Patching
  • Monitoring
  • Incident response 

Other simple safeguards include blocked imports, endpoint protection and putting a firewall in between the office and the plant floor. This can also be known as a DMZ (demilitarized zone).  Even the U.S. pipeline that was shut down for two days suffered from “a lack of network segmentation between the IT and the OT portions of the infrastructure,” according to The Cybersecurity and Infrastructure Security Agency (CISA).

Another helpful tool in “cyber hygiene” is to, of course, create strong passwords and use different passwords for separate accounts. LastPass is a service that can help with that endeavor. Implementing employee training to avoid phishing and a strong culture around not allowing vendors to bring in unchecked thumb drives is also a big step towards building a protective culture. Companies like Symantec or Crowd-Strike deal with “Endpoint Protection,” which, although helpful, only surveys the “endpoint” device itself. It doesn’t watch all assets, messaging and behaviors on the network or coming from outside the network. To do that, you’ll need something else.

‘Continuous Threat Detection’ offers additional protection 

In addition to the commonplace and administrative methods a manufacturer can use to cover their bases, technologies like Continuous Monitoring and Secure Remote Access (SRA) offer pertinent protection. 

Claroty CTD is a software tool that listens continuously to all messaging and events involving both systems and personnel behaviors that occur on any asset on the network for both IT and OT assets, including accessing many legacy control network protocols. Alerts can be added to expose abnormalities. Alerts may be acceptable, and can be resolved as such, but also may be a legitimate threat.  

Claroty CTD provides an audit trail of alerts and what they were, including code changes. This provides the opportunity for a manufacturer to respond in days, hours or even minutes rather than weeks, months or years in some cases. As a result, disaster recovery could essentially last minutes or hours without paying a ransom, rather than days or weeks. Operational downtime can be minimized and may often be eliminated altogether.

One more good commonplace measure to use in conjunction with CTD or SRA is keeping effective backups available. It is a good risk management practice is to also have an Incident Response and Cyber Disaster Recovery Plan that is prepared to be executed quickly in the event of a threat that gets through. Essentially, planning to stop damage quickly and have a method of recovering is much better than planning to be “bullet-proof.”  CTD will help you see what, when, and where an attack has occurred, enable you to take effective action quickly and enable you to know that you are working with clean, pre-attack backups if needed.

BCI, our automation and manufacturing technology partner, stays plugged into vendor software options for CTDs and SRAs for those interested in learning more. In the end, the combination of these technologies and an effective user-culture around cybersecurity proves the best protection, says NordVPN Teams’ CTO Juta Gurinaviciute (as quoted by Silicon Republic):

“I think it’s essential to think about security from the user’s perspective, instead of solely relying on technological advancements. Sure, with the advent of AI and its implementation, both threats and remedies will reach new heights, but human psychology adapts gradually. Even today, social engineering attacks are among the most common cyber threats, and there’s no other protection but awareness. To better protect data, companies have to nurture their cybersecurity culture.

Employees’ awareness strengthens the weakest links in the cybersecurity perimeter, as the technological side of the matter is constantly overseen by IT professionals.”

If you’re interested in specific recommendations for what else you can do to curb the threat of ransomware (and what you can install for yourself), feel free to contact BCI. Our automation and manufacturing technology partners have over 25 years of experience designing, building and installing integrated control systems in AZO automated material conveying systems. To learn more about how you can expect the highest level of quality and reliability for ingredient automation solutions from AZO and BCI, contact our dedicated sales associates today. Read more of our blog to find information on pneumatic conveying, ingredient automation and the reliably accurate equipment that AZO manufactures. 

Get the pneumatic conveying guide