Learning from the recent TOMRA cyberattack: How can manufacturers increase resilience?
The recent cyberattack on TOMRA, a leading recycling entity and crucial cog in the wider manufacturing supply chain, underscores the escalating threat of cybercrime in the manufacturing sector. On July 16, TOMRA's data systems were extensively compromised, leading to significant operational disruptions. The attack's impact varied across the company's infrastructure, with systems taken offline and machines of different generations affected differently.
Manufacturers are at the heart of our global economy. If they are unable to build, ship, or invoice their goods due to a cyberattack, the potential losses can be catastrophic. At the same time, manufacturers are grappling with two distinct cybersecurity issues: updating security for legacy equipment that is vulnerable to lateral movement and securing the migration to Industrial IoT or Industry 4.0.
As cyberattacks grow more sophisticated, traditional network-based security approaches are proving insufficient. The focus needs to shift towards a more agile approach, protecting individual assets and containing attacks while remediation and restoration take place.
Understanding the challenges facing manufacturers
According to IBM's 2023 Threat Intelligence Index, manufacturing had the highest number of extortion-based attacks in 2022. These attacks typically fall into three distinct categories: data theft of critical customer or business information, generic ransomware that targets information systems or operational technology (OT), and targeted cyber-physical attacks on specific systems to cause maximum disruption.
The large majority of attacks begin as phishing attempts, after which attackers quickly move towards their intended target. Reducing attackers' ability to move through the network can therefore significantly limit the impact of a breach.
For instance, in the TOMRA attack, threat actors escalated privileges after initially gaining access to a system and used Windows built-in tools to move laterally and perform several malicious operations throughout the network. They used malicious PowerShell payloads and malicious binaries to exploit systems, change passwords, and create backdoors and control channels. If the organization had had effective measures to restrict lateral movement, the breach wouldn't have escalated into a large-scale cyberattack.
The EU also recently extended the NIS2 directive to encompass an increased number of manufacturers of critical infrastructure, requiring businesses to implement specific security measures in the areas of risk management, supply chain security, and secure authentication. However, manufacturers face several high-profile challenges when trying to effectively implement proactive security strategies. Identifying legacy and unknown IT and OT devices is a significant hurdle. Mapping communications between applications, systems, IT, and OT devices is another complex task.
Containing ransomware attacks and mitigating the risk of known and unknown vulnerabilities are further challenges that security teams in manufacturing need to address. For instance, earlier this year, ransomware attackers targeted MKS Instruments, a leading semiconductor manufacturer. The attackers exploited vulnerabilities in the company's order-processing system, encrypting critical files, exfiltrating personal data and leaving the firm unable to process or ship orders. The disruption cost MKS Instruments $200 million in lost revenue, and some of its service operations were unable to function fully for over a month.
These challenges underscore the need for a robust and proactive approach to cybersecurity in manufacturing. The key to surviving any attack is to reduce the impact and ensure it doesn't reach the most critical parts of the network.
Adopt an assume breach mindset
In today’s threat landscape, manufacturers must accept that breaches will happen. This acceptance is the first step towards minimizing risk. Not every breach needs to be catastrophic; the goal should be to mitigate and minimize the impact of an incident. This shift in mindset requires a proactive approach to security, focusing on robust incident response plans and continuous monitoring for potential threats.
However, recent global research by Illumio reveals a concerning trend: 47 percent of organizations do not operate with an "assume breach" mindset. This is despite the fact that 43 percent of organizations typically suffer unplanned downtime of a business-critical application due to a cyberattack at least monthly. With the average hourly cost of downtime for a business-critical application being a staggering $251,000, this is a worrying statistic.
The shift towards smarter OT systems and IIoT also requires a different approach to security. Legacy security models like PERA (Purdue Enterprise Reference Architecture), which focus on separating network layers using firewalls, are no longer appropriate as IT and OT systems converge. Everything is now communicating, so protecting only the network is no longer sufficient. Instead, manufacturers must create least-privilege access for each of the systems and assets within their environment.
Security investment needs to maintain a balance between detection technologies and breach containment solutions like Zero Trust Segmentation. While detection and recovery remain vital, organizations should also invest in technologies that can limit the spread of an attack when a breach occurs. This is where Zero Trust comes into play.
Implementing a Zero Trust strategy
The mantra of "never trust, always verify" should be the guiding principle for network security policies in the manufacturing sector. A Zero Trust strategy ensures that the network continuously verifies, authenticates, and authorizes all users requesting access, whether inside or outside the network. This approach is closely tied to the "assume breach" mindset, as it operates on the assumption that threats can originate from anywhere, even within the network.
Identifying the biggest risks and prioritizing defenses accordingly is a critical aspect of a Zero Trust strategy. High-value applications and manufacturing assets should be ring-fenced and protected by restricting access to only that which is critical and necessary. This approach, known as Zero Trust Segmentation (ZTS), or microsegmentation, is key to limiting the progress of an attack within the network and containing potential breaches.
ZTS is the most comprehensive and convenient approach to segmentation compared to separating network components using static, legacy firewalls. This is because ZTS focuses on protecting the individual asset and applying security rules based on context and status, making the infrastructure more responsive in the event of an attack.
Going back to the TOMRA attack, the entire incident escalated because threat actors were able to exploit legitimate passwords, launch cold boot attacks, and install backdoor applications, all without raising any alarm bells. ZTS can prevent such escalation, as each network component or system would be isolated within its own segment. So, the attack would be stopped in its tracks after the initial breach.
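To make the containment argument above concrete, here is a small added model of Zero Trust Segmentation as a default-deny allowlist between labelled workloads, together with a blast-radius calculation that shows what a compromised host could still reach. This is example code written for this article, not TOMRA's, Illumio's or any product's implementation; the hostnames, roles, ports and rules are all constructed, and a real deployment would enforce an equivalent policy with host-based firewalls or an agent rather than in Python.

```python
"""Toy model of Zero Trust Segmentation (ZTS): a default-deny allowlist between
labelled workloads, plus a blast-radius calculation showing what a compromised
host can still reach. Added example; not TOMRA's, Illumio's or any product's
code. All hostnames, labels, ports and rules below are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    role: str                 # business function label, e.g. "hmi", "plc", "erp"
    env: str                  # "it" or "ot"
    status: str = "active"    # "active" or "quarantined" (set by IR during containment)


@dataclass(frozen=True)
class Rule:
    """Allow traffic from any workload labelled src_role to any labelled dst_role
    on port/proto. '*' matches any role; port None matches any port."""
    src_role: str
    dst_role: str
    port: Optional[int]
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: Optional[int]
    proto: str = "tcp"


# Constructed inventory of IT and OT assets (hypothetical names).
INVENTORY = {
    "ws-finance-01": Workload("ws-finance-01", "workstation", "it"),
    "erp-app-01": Workload("erp-app-01", "erp", "it"),
    "hmi-line1": Workload("hmi-line1", "hmi", "ot"),
    "plc-line1": Workload("plc-line1", "plc", "ot"),
    "plc-line2": Workload("plc-line2", "plc", "ot"),
}

# Legacy perimeter model: once inside the network, anything may talk to anything.
FLAT_NETWORK = [Rule("*", "*", None)]

# ZTS allowlist: only the flows the business process needs; everything else is denied.
ZTS_RULES = [
    Rule("workstation", "erp", 443),   # users reach the ERP web front end
    Rule("hmi", "plc", 502),           # HMI drives PLCs over Modbus/TCP
]


def _matches(rule: Rule, src: Workload, dst: Workload, flow: Flow) -> bool:
    return (rule.src_role in ("*", src.role)
            and rule.dst_role in ("*", dst.role)
            and (rule.port is None or rule.port == flow.port)
            and rule.proto == flow.proto)


def is_allowed(flow: Flow, rules=ZTS_RULES, inventory=INVENTORY) -> bool:
    """Default deny: unknown assets and quarantined assets never match a rule."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        return False
    if "quarantined" in (src.status, dst.status):
        return False
    return any(_matches(r, src, dst, flow) for r in rules)


def blast_radius(start: str, rules=ZTS_RULES, inventory=INVENTORY) -> set:
    """Workloads reachable, transitively, from a compromised `start` under `rules`.
    Each hop uses only ports some rule permits, so this is the worst-case set an
    attacker could move laterally into if every reachable host were exploitable."""
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for name in inventory:
            if name in seen:
                continue
            if any(is_allowed(Flow(cur, name, r.port, r.proto), rules, inventory)
                   for r in rules):
                seen.add(name)
                frontier.append(name)
    return seen - {start}


def quarantine(name: str, inventory=INVENTORY) -> dict:
    """Copy of the inventory with `name` marked quarantined (incident-response containment)."""
    return {**inventory, name: replace(inventory[name], status="quarantined")}


if __name__ == "__main__":
    for label, rules in (("flat network", FLAT_NETWORK), ("ZTS policy", ZTS_RULES)):
        reach = sorted(blast_radius("ws-finance-01", rules))
        print(f"{label}: a compromised ws-finance-01 can reach {reach}")
```

Two design points carry the article's argument: rules are written against labels (role, environment) rather than IP addresses, so a new PLC on the line inherits the right policy without a firewall change, and the `status` field lets responders cut a suspected host out of every allowed flow at once while restoration proceeds. Under the flat model the finance workstation can reach every PLC; under the allowlist its blast radius is the single ERP front end.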
In conclusion, the cyberattack on TOMRA underscores the urgent need for manufacturers to rethink their cybersecurity strategies. It’s no longer about merely preventing attacks but surviving them with minimal disruption to operations. By adopting an "assume breach" mindset, planning for survival, and implementing a Zero Trust strategy with effective segmentation, manufacturers can significantly enhance their resilience against sophisticated cyberattacks.
Trevor Dearing is Director of Critical Infrastructure at Illumio.