How To Be Prepared For Digital Attacks?

Sept 25 2021


Digital World Threats

Connectivity in industry, for better and for worse, is here to stay. Manufacturers and critical infrastructure companies across the world are joining the digital revolution. The IIoT is ushering in a new era of innovation. Emerging technologies, such as cloud computing, big data analytics, artificial intelligence, and more, are enabling industrial companies to grow and transform in ways never imagined even just a few years ago.
Along the way, these open platforms and widely interconnected systems have opened new doors for cybercriminals, as many of the legacy systems used to control manufacturing operations weren’t built to account for today’s security threats. This has led to a rise in the frequency and severity of cybersecurity attacks on some of the world’s most critical and volatile manufacturing processes. Almost every cyber-incursion can disrupt industrial operations. The result can be loss of money, privacy, equipment, intellectual property and reputation. Increasingly, with the rise of malicious nation-state actors with geopolitical vendettas, some attacks have the potential for catastrophic consequences, impacting a country’s economy, triggering environmental calamities and even costing human lives.
Attackers follow a process to launch an attack, and there is a parallel process manufacturers can follow to defend against it. By understanding both, organizations can check that every element of their cyber risk strategy has been addressed.

How an Attack is Executed

No two attacks are the same, but there is a general process by which they are carried out, whether they last a few minutes or several months. Let's examine each stage.
Scouting the target. An attacker usually reconnoiters the target using non-invasive techniques such as dorking, which means searching for information the organization has already released in documents and presentations. Social media is another avenue attackers use to monitor people and engage in targeted social engineering before they make their move.
Mapping and probing. After the initial reconnaissance, the first invasive step can include mapping and intruding into the environment. An attacker might probe the network to better understand the landscape of operators and cyber assets on site and which of them might be particularly vulnerable.
Insertion of malware and lateral movement. After the first two phases, the intruder is ready to attack. Using successive exploits to gain a foothold, escalate privileges and obtain the necessary permissions on the target, they can carry out their mission.
Exfiltration or malicious action. This stage depends on the goal of the attack. The attacker might move targeted data out of the site (exfiltration), or, if the purpose is something else, execute the attack itself, e.g., a distributed denial of service (DDoS), manipulation of data, deployment of a Remote Access Trojan (RAT), etc.
Cleanup and backdoor. Once the attack is complete, the actor works quickly to remove evidence of it, such as log entries and records of login attempts. They will often leave backdoor malware behind to make re-entry easy.
In a perfect world, a manufacturer would never have to worry about a malicious actor taking these steps to inflict damage on their site. But failing to prepare could leave them flat-footed, which is an unacceptable situation in today's hyperconnected world.

Preparation For An Attack

Attack prevention should already have begun and is a long-term, ongoing process. It has many facets, starting with modeling the cyber-threat landscape, which helps analyze the security threats and gaps specific to an organization's industry and its particular plant. Plant owners should first perform a risk-and-threat assessment and gap analysis, then establish zones and conduits as a way to segment and isolate similar devices or systems according to their security levels. It is important to know about every network connection a system has, and then to ensure each one has been secured.
This also helps in the event of an attack: if zones are established, investigators only need to take down the affected portions of the operation, sparing organizations cost and lost revenue.
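The zone-and-conduit model described above can be checked mechanically: assign every asset to a zone, declare which zone pairs may talk and on which ports, and flag every observed connection the model does not account for. This is an added example, not code from the article or from SwiftSafe; all asset names, zones, ports and connections are constructed sample data.

```python
from dataclasses import dataclass

# Assets placed in security zones and the conduits declared between zones.
# All names, zones and connections below are constructed sample data.
ASSET_ZONE = {"erp-server": "enterprise_it", "historian-mirror": "dmz",
              "historian": "plant_control", "plc-line1": "plant_control",
              "sis-controller": "safety"}
# (source zone, destination zone) -> TCP ports the conduit allows.
CONDUITS = {
    ("enterprise_it", "dmz"): {443},
    ("dmz", "plant_control"): {5000},  # historian replication (constructed)
}

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    port: int

def check_connection(conn):
    """Classify one observed connection against the zone model."""
    sz, dz = ASSET_ZONE.get(conn.src), ASSET_ZONE.get(conn.dst)
    if sz is None or dz is None:
        return "unknown asset: " + (conn.src if sz is None else conn.dst)
    if sz == dz:
        return "intra-zone"
    ports = CONDUITS.get((sz, dz))
    if ports is None:
        return f"no conduit declared from {sz} to {dz}"
    if conn.port not in ports:
        return f"port {conn.port} not allowed on conduit {sz}->{dz}"
    return "conduit"

def findings(conns):
    """Return only the connections the zone model does not account for."""
    return [(c, r) for c in conns
            if (r := check_connection(c)) not in ("intra-zone", "conduit")]

# Constructed sample of observed connections (as a flow log would show).
OBSERVED = [
    Connection("erp-server", "historian-mirror", 443),
    Connection("historian-mirror", "historian", 5000),
    Connection("historian", "plc-line1", 502),
    Connection("erp-server", "plc-line1", 502),      # bypasses the DMZ
    Connection("historian", "sis-controller", 502),  # no conduit into safety
    Connection("laptop-vendor", "plc-line1", 502),   # not in the inventory
]
if __name__ == "__main__":
    for conn, reason in findings(OBSERVED):
        print(f"{conn.src} -> {conn.dst}:{conn.port}: {reason}")
```

Each finding is either an undeclared path that needs a conduit decision or an unknown asset that needs to be added to the inventory, which is exactly the review the paragraph above calls for.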


To ensure the integrity and security of plant technology and processes, people are the first and best line of defense. Because the gap between IT and OT continues to close, everyone across the organization, whether in the plant, the field, the office, the boardroom or anywhere else in the enterprise, plays an essential role in mitigating cyber threats.

Effective Reaction to an Attack

No manufacturer is inherently safe from attack, so they must be prepared to react if and when an attack happens. They should be prepared to take the following steps:
Isolate the attack/malware. The end-user needs to be well-informed enough to take this action, which goes back to ensuring you hire the right people, then continually train them. Isolation could include disconnecting network and internet connections and switches.
Alert and bring in the experts. If the organization has a solid risk management plan, an incident response team will already have been identified. This team needs to be contacted immediately after an incident. They can help capture logs, lock credentials and close remote access. In some cases, reporting an incident to government officials is mandatory.
Assess the mode and scope of the attack. The incident response team and end-user should collaborate to determine how the attack occurred and its full impact. It’s worth examining if and how human error contributed.
Ensure business continuity. The continuity plan should include a system restore from a secure backup. Only then should the plant go back online.
Communicate as appropriate. Whether it is to plant executives, software suppliers, regulatory bodies, etc., it is essential to determine who must be contacted and to do so quickly.
Identify room for improvement and remediate. Any attack should serve as a wake-up call to the affected user. To reduce the likelihood of another attack, the user should conduct a full analysis and draw up a remediation plan.
Share information. As part of the attack postmortem, the organization should look for ways to share information about the attack so the industry as a whole can benefit from lessons learned. Think about sharing vertically with government agencies. Seek out opportunities to share horizontally across the industry. Collaboration among the various stakeholders connected to industry and cybersecurity can only strengthen preparedness for increasingly complex attacks.
There is no way to eliminate cyber threats, but industrial organizations can do plenty to beef up their cybersecurity hygiene and protect their critical infrastructure.


Author

James Maverick
