Protect productivity through cybersecurity

Photo: © AndSus / Adobe Stock

Back in May, two cyberattacks caught global media attention; a brazen ransomware and extortion attack took down the biggest pipeline in the U.S. and a cyberattack forced the largest meat producer to shutter globally.

What stood out about these incidents was that they happened within days of each other, and, in each case, the knock-on effects rippled across global supply chains.

The first attack affected Colonial Pipeline, the largest pipeline system that can carry three million barrels of fuel per day between Texas and New York. The ransomware attack carried out by ransomware gang DarkSide was characterized as a digital extortion attempt and disrupted fuel supply to much of the U.S. East Coast for several days.

The attack affected only IT systems, including the billing system, but Colonial made the call to shut down its operations as a precautionary measure. All told, Colonial paid the $4.4 million ransom in exchange for restoring its billing system’s function, in spite of having backups. The damage had been done; the incident triggered a spike in gasoline prices and set off panic across North America.

The second was a cyberattack on JBS S.A., the largest meat processing company (by sales) in the world. The Brazilian company was forced to suspend U.S., Canadian and Australian computer systems. Its fed-beef and regional beef plants were shuttered, with all other meatpacking facilities experiencing some level of disruption to operations. JBS reported in a media statement that the company paid the equivalent of $11 million in ransom to Russian cybercriminal group REvil in response to the criminal hack. Meanwhile, shutdowns upended agricultural markets worldwide and raised concerns about food security.

From ransomware, phishing, data leakages, to hacking and insider threats, cybercrime is intensifying globally and can lead to catastrophic events. Locally, the numbers paint a sobering picture: The average total cost of a data breach for Canadian companies was US$4.50 million, according to a 2020 IBM report. It took an average of 212 days to detect a data breach in 2021 and 75 days to catch the attackers. In other words, 287 days would pass before the problem is addressed.

In the past 12 months, almost one in five (17 per cent) organizations have been the victim of a successful ransomware attack, according to the 2021 CIRA Cybersecurity Survey. Of that group, a majority (69 per cent) said their organization paid the ransom demands, while 59 per cent reported that data was exfiltrated.

As hackers increasingly target critical infrastructure, Canadian manufacturers find need to prioritizing cybersecurity to protect not only their own data but also their customers’ data across supply chains.

Industrial Critical Infrastructure
The Canadian landscape has seen a proliferation in both the amount of money sought and the number of ransomware attacks, said Cara Wolf, Founder and CEO of Calgary-based Ammolite Analytx, which builds customized next-generation AI-powered
cybersecurity tools.

“We’ve seen a major increase in supply chain attacks, we’ve seen an increase in attacks on sensors, attacks on plants and industrial critical infrastructure,” said Wolf. “It is anticipated that we will continue to see the rise as nation-state sponsored attacks are funded by hostile nations, and state-sponsored attacks are financed by criminal gangs and hostile nations as well.”

As money continues to flow into this area, it becomes critically important to look at the manufacturing sector and industrial sector in particular, where people’s lives are the palpable vulnerability, said Wolf.

Consider a methane plant. “If the plant has automation [and sensor technologies] that show methane levels are safe and you have humans in that environment saying that methane levels are safe, when in fact the sensors can be hacked and tricked into giving false readings, people will get sick and die,” said Wolf. “Without automation that is secure by design, plants will face an uphill battle with cyber threats. There are trillions and trillions of sensors out there, and they come from all kinds of countries with all kinds of backgrounds and they could have spyware installed or they could have backdoors installed.”

Wolf further explained that threat actors can exploit vulnerable connected equipment by injecting malicious code that can sit atop communications that move back and forth between equipment in the field and headquarters. “Changing just one pixel can turn the output from one thing to another,” said Wolf. “AI can be tricked.”

The methane plant example is extreme, but it highlights specific cyber struggles that manufacturers face, and raises critical questions they should ask now: How do manufacturers know that their infrastructure is secure? How do they know that sensors embedded in their equipment don’t have spyware installed or backdoors to the plant’s network capabilities? How do they know that they can trust their hardware and software? How do they know that the equipment displays “honest” readings?

Since cyberthreats evolve constantly, there are no bulletproof solutions. New guidance and best practices unfold as consistently as new technologies – and cyberthreats – come online. What follows are a few sage takeaways and insights that, according to Wolf, will help blunt cyberattacks:

Build or buy local: Sourcing from countries that are known to have bad surveillance practices place manufacturers at risk, warned Wolf. Instead, she recommended Canadians buy locally whenever possible, or from countries that are allies, such as the U.S., U.K., Australia, New Zealand and Israel. Alternately, Wolf suggested manufacturers look at an investment program to create and build their own tools.

“The cost of design and development has come way, way down, so take a look at that versus buying off the shelf, cheap from another country that may have spyware and surveillance tools installed in their technology,” she said.

Photo: © AndSus / Adobe Stock

Go beyond the traditional wheelhouse: The COVID-19 pandemic will go down as the top story of 2020, but will also be marked by residual effects. Among these ramifications is the “cyber pandemic,” which include negative security impacts such as unemployment fraud and election security, as well as such trends as new work arrangements triggered by remote capabilities for nonessential workers and the process of automating routine tasks to free up time for work that adds more value.

A positive side effect from the onslaught of remote work was the push to ensure organizations remained secure. Manufacturers were incentivised to secure their networks, make sure that devices were secure and that employees were not downloading work to their personal devices.

“Unless workers are on a manufacturing floor or in a hospital or giving personal services where they need to be face-to-face, a digital worker can successfully work remotely,” said Wolf.

In addition, a great deal of security awareness training was needed to educate employees on how and when to detect phishing attacks, said Wolf.

“The pandemic brought security to the forefront where it should have always been, and it forced investment where it should have always happened,” she said.

Check your security posture: Invest in cybersecurity policies, cybersecurity awareness training and proper vendor tools, recommended Wolf. Having a good security posture requires manufacturers to know where they are, to ask what’s working or not working and where they need to go.

“COVID really pushed that forward and said, ‘It’s not a matter of if you’re going to be hacked, it’s a matter of when.’ We’ve seen 171 per cent increase in the amount of ransomware attacks… If we don’t mobilize and train and upskill, we’re just sitting ducks. Our manufacturing facilities can be putting lives at risk. It’s not just digital assets of our databases of personal and employee information but it’s actually the risk of securing physical assets in the field and abroad.” she said.

Separate security from the IT function: IT and security don’t belong together, so separate these functions, advised Wolf. In addition, security needs to have its own governance and its own authority.

“Whether you have it internally or externally, companies should hire third party experts; these experts are your trusted advisors. Bring them in to take a good, hard, objective look at your security program and to provide insights on your vulnerabilities and ways to mitigate risk,” she said.

Stop looking at security as a cost centre: Cyber insurance is a smart precaution. Cyber security will not pay out when proper investment and steps have not been taken in the first place, warned Wolf.

“Yes, it does cost money, yes manufacturers do need to invest, but they need to mitigate their risk and they need to balance that against the cost of lives, the cost of data breaches and the cost of the damage of a ransomware attack,” Wolf said. “And, further, if their supply chain becomes a victim of a supply chain attack, what kind of damage will it do to customers and their clients that are often larger enterprises? So, it’s about risk mitigation, more than cost.”

Hire a CISO: As cyberthreats become more sophisticated, having a CISO (chief information security officer) or CSO (chief security officer) in the C-suite is an emerging priority, noted Wolf. These roles report directly to the CEO, but have governing authority to keep the organization safe, are able to make change and give directions. In addition, having third party experts perform an external analysis will add another level of security.

Security Advice in a Nutshell
Wolf said an important first step is to get security awareness training. Then, bring in outside experts to develop a plan that will bring the plant up to standard and to help implement it. Finally, use the most efficient and effective tools available. Above all else, Wolf emphasized that plant managers should rest assured that it’s not their job – either as a plant manager, foreman, millwright or anyone working on the floor – to be the security expert.

“It’s their job to become security aware, to fall into compliance and to mitigate the risk in the job, but it’s not their job to become a security expert,” she said. PLT
____________________
Rehana Begg is a Toronto-based freelance writer and editor. Reach her at rehanabegg@rogers.com.