By Christopher Morales, Head of Security Analytics, Vectra
On August 3, Taiwan Semiconductor Manufacturing Co. Ltd. (TSMC), the largest chip fabricator globally introduced a WannaCry Ransomware cryptowormvariant onto its information technology/operational technology (IT/OT) networks. A TSMC supplier installed infected software on a new fabrication tool and connected it to the network, facilitating the malware infestation.
The infection spread quickly, taking out 10,000+ unpatched Windows 7 machines that run the chip fab company’s tool automation interface. The crypto worm crashed and rebooted systems endlessly, forcing several plants in Taichung, Hsinchu andTainan to shut down through much of the weekend.
The infection crippled materials handling systems and production equipment as well as Windows 7 computers. Some of the plants were producing SoC chips for the AppleiPhone 8 and X models. The incident’s connection to Apple and the iPhone heightened its visibility in the news media.
According to TSMC CEO C.C. Wei, patching for the Windows 7 machines requires computer downtime and collaboration with equipment suppliers. The absence of currentpatches created an environment where WannaCry could easily propagate.
Smart manufacturer cybersecurity risks are increasing
According to the TSMC website, the company had “introduced new applications such as IoT, intelligent mobile devices and mobile robots to consolidate data collection, yield traceability, workflow efficiency, and material transportation to continuously enhance fab operation efficiency.” Further, TSMC had “integrated automatic manufacturing systems,” according to its website.
These innovations are typical in the evolution of Industry 4.0, which has increased the risk of cyber attacks against manufacturers.
But as manufacturers moved from air-gapped industrial systems to cloud-connectedsystems as part of the IT/OT convergence – using unpartitioned networks and insufficient access controls for proliferating IIoT devices – they created a massive, vulnerable attack surface, according to the Vectra report.
While air-gapped systems such as industrial controls have no connections by design to guard against malicious tampering, IT/OT convergence has connected these systems to information technologynetworks with little accounting for security vulnerabilities.
Many factories connect IIoT devices to flat, unpartitioned networks that rely on communication with general computing devices and enterprise applications. Since IIoT devices support few if any native cybersecurity measures, connecting them to easily infected applications, computers and unsegregated IP networks only invites trouble.
In the past, manufacturers relied on more customized, proprietary protocols, which made mounting an attack more difficult for cybercriminals. The conversion from proprietary protocols to standard protocols makes it easier to infiltrate networks to spy, spread and steal.
Few if any cyberattackers know and understand the proprietary protocols those closed legacy systems used. But it’s easy for most criminal hackers and their exploits to access standard IP network protocols just as WannaCry abuses the SMB protocol where there is no patch.
Real-time network visibility is crucial
Industry 4.0 brings with it a new operational risk for connected, smart manufacturers and digital supply networks. The interconnected nature of Industry 4.0-driven operations and the pace of digital transformation mean that cyber attacks can have far more damaging effects than ever before, and manufacturers and their supply networks may not be preparedfor the risks.
Wherever cyber attacks interfere business continuity for business and information processes, they can also disrupt operational technologies that render products and get them out the door.
For cyber-risk to be adequately addressedin the age of Industry 4.0, manufacturing organizations need to ensure that proper visibility and response capabilities are in place to detect and respond to events as they occur. As in the case of the TSMC ransomware debacle, anything less than real-time detection and response is too little, too late to avoid production downtime.
There is no visibility into these systems to enable real-time detection before cyber attacks spread. Visibility into these internal connected systems is necessary to curtail the extent of damage from a cyberattack.
Manufacturing security operations now require automated, real-time analysis of entire networks to proactively detect and respond to in-progress threats before they do damage.
The Vectra 2018 Spotlight Report on Manufacturing
The 2018 Spotlight Report on Manufacturing delineates the many attack types and behaviors that the Cognito platform captured. The Cognito threat-detection and hunting platform monitored traffic and collected rich metadata from more than 4million devices and workloads from customer cloud, data center, and enterprise environmentsto reveal the cyberattacker behaviors.
Cyber attacks on manufacturers increased in severity from January to June 2018 based on data that the Vectra Cognito platform collected. The Vectra report confirms that all manufacturing industries are at equal risk of cyberattacks.
To learn about other findings pertinent to your Industry 4.0 cybersecurity risk, download the 2018 Spotlight Report on Manufacturing.
Christopher Morales is the head of security analytics at Vectra, a San Jose, Calif. cybersecurity firm that detects hidden cyberattacks and helps threat hunters improve the efficiency of incident investigations.