Create a free Manufacturing.net account to continue

Avoiding Shutdowns from Ransomware Attacks

A strategic approach for protecting OT networks.

Rees Machtemes
Apr 24, 2024
Manufacturing Infrastructure Cyber

In only five years, criminal ransomware has become the dominant cyber threat facing manufacturers. Waterfall’s 2024 Threat Report has found that in 2023 there were 68 deliberate cyber attacks in the public record, affecting over 500 sites, that caused physical consequences in heavy industry and critical infrastructures. Of those 68, over half (37, or 54 percent) impacted the manufacturing industry, causing production shutdowns, work stoppages, and logistical delays.

Since 2010, all but one manufacturing incident was ransomware-induced. Since 2019, attacks with real-world consequences have gone from a handful of annual incidents in the last decade, to yearly double-digit counts and have been growing exponentially. Staying ahead these days feels like a battle for survival against organized crime.

This trend shows no sign of slowing down or becoming less costly. In the past, production downtime following a ransomware attack might have been made-up for by restoring systems from backup and then running a few extra overtime shifts, resulting in no material impact to the bottom line at year-end. Today, ransomware criminals are getting more efficient at targeting everyone with money.

Feeling the Effects

Last year saw one of the costliest incidents to date, with MKS Instruments suspending operations after a ransomware attack, claiming $200 million in lost or delayed sales in a filing with the U.S. Securities and Exchange Commission (SEC). Their customer, Applied Materials, later claimed the incident would also cost them $250 million in lost sales because they were expecting supplies from MKS that did not arrive.

Meanwhile, Clorox reported to the SEC that a ransomware attack damaged their networks and forced them to take systems offline. This cost them $49 million, disrupted production for months, and their CISO left in the ensuing fallout.

The bulk of this sector’s incidents are being perpetrated by criminals after money, and not directly targeting industrial control systems. Many ransomware incidents have affected physical operations in one of three ways:

  • Only IT networks are affected by the ransomware, but OT networks and physical operations are shut down in an “abundance of caution."
  • Only IT networks are crippled, but OT networks are shut down because physical operations depend on IT services that have been affected by the ransomware.
  • There is no clear distinction between IT and OT networks, and when IT networks are crippled, so are OT networks and servers.

One way to address these issues is with the emerging cyber-informed field of network engineering. Network engineers are employing new design techniques that allow OT data to become available to IT systems, without allowing cyber attacks to propagate from IT network back into OT networks. These techniques include analog signaling, dependency analysis, and unidirectional gateway technology.

None of these techniques exist in traditional cybersecurity standards and guidance, such as ISO 27001, the NIST Cybersecurity Framework (CSF), nor ISA/IEC 62443. All these techniques are applied at what engineers call consequence boundaries – connections between networks with dramatically different worst-case consequences of compromise. Practically speaking, the consequence boundary for manufacturers is the interface between the production floor’s OT network and the IT and front office network, where the most common worst-cases are shutdowns, but which also include safety and environmental worst-cases.

Applying network engineering to the ways ransomware affects manufacturing can produce:

  • A much stronger IT/OT interface – one where ransomware simply cannot “leak” into the plant floor. This means we no longer need to shut down production on expensive production lines over an “abundance of caution.”
  • Dependency analysis shows us what parts of the IT network are essential to operations, so that we can update the design of our systems and networks so that those critical IT functions can be re-constituted quickly by incident response teams, and can function along with OT, independent of the remainder of the still-crippled IT network.
  • Flat networks, with no barriers at all between IT and OT components that need to be addressed – we can apply network engineering only at the boundary between networks with different worst-case consequences of compromise – to do this we need two networks, not one.

Criminal ransomware impacts on OT networks are unlikely to ever go away. The good news is that there are powerful new approaches - like network engineering. Yet, the ways that industrial shutdowns occur suggests an efficient security program should protect physical operations by reconsidering how networks are interconnected. Production can then continue even if business processes or third parties are impacted, and provide greater flexibility to respond and recover.

When everybody else seems to be going offline due to an “abundance of caution,” having great defenses might just be the edge that keeps you ahead of the competition.

Latest in Cybersecurity
General Cyberattack
CISA, FBI Release Secure by Design Alert
May 3, 2024
Financial Cyber
Ransomware Report Shows Fewer Incidents, Future Concerns
May 3, 2024
Manufacturing Infrastructure Cyber
CISA Releases Latest ICS Advisories
May 3, 2024
Ep92tn
Security Breach: Predictions That Hit
May 2, 2024
Related Stories
General Cyberattack
Cybersecurity
CISA, FBI Release Secure by Design Alert
Manufacturing Infrastructure Cyber
Cybersecurity
CISA Releases Latest ICS Advisories
Ep92tn
Cybersecurity
Security Breach: Predictions That Hit
Ransomware
Cybersecurity
Report Identifies Hidden Costs, Challenges of Ransomware
More in Cybersecurity
General Cyberattack
Cybersecurity
CISA, FBI Release Secure by Design Alert
The two agencies are urging manufacturers to eliminate directory traversal vulnerabilities.
May 3, 2024
Financial Cyber
Cybersecurity
Ransomware Report Shows Fewer Incidents, Future Concerns
The fear is that larger RaaS groups are exercising greater control over their affiliates.
May 3, 2024
Manufacturing Infrastructure Cyber
Cybersecurity
CISA Releases Latest ICS Advisories
Cisco, Siemens, Honeywell and Mitsubishi systems top the list.
May 3, 2024
Ep92tn
Cybersecurity
Security Breach: Predictions That Hit
A look back at Security Breach guest's most accurate and timely industrial cybersecurity predictions.
May 2, 2024
Andrew Witty, Chief Executive Officer of UnitedHealth Group, testifies at a Senate Finance Committee hearing examining cyber attacks on health care, and the Change Healthcare cyber attack, Wednesday, May 1, 2024, on Capitol Hill in Washington.
Cybersecurity
Change Healthcare Cyberattack Due to Lack of Multifactor Authentication
That's according to UnitedHealth CEO Andrew Witty.
May 1, 2024
I Stock 1311492607
Cybersecurity
ZAG Launches Cybersecurity Series for Food, Agriculture Sectors
Empowering agricultural businesses with the tools necessary to protect their digital infrastructure.
April 29, 2024
Ransomware
Cybersecurity
Report Identifies Hidden Costs, Challenges of Ransomware
Too many are paying, and the reasons range from understandable to infuriating.
April 25, 2024
Ep90
Cybersecurity
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
The new factors impacting a growing attack surface, and how to evolve your cyber risk strategies.
April 25, 2024
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Cybersecurity
Transportation and Logistics Under Siege
A look at how this vital and increasingly targeted market sector is responding to more cyberattacks.
April 24, 2024
Industrial Cyber
Cybersecurity
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
Maximizing technology investments while maintaining security.
April 24, 2024
IEC 62443 is a key standard to reduce risk of cyberattacks in industrial workplaces.
Cybersecurity
How to Build a More Secure Connected World with IEC 62443
The goal is better efficiency, improved sustainability and interoperability, enhanced reliability and greater cost-effectiveness for system integrators, product suppliers and other stakeholders.
April 24, 2024
Ap24114558425503
Cybersecurity
UnitedHealth Says Wide Swath of Patient Files May Have Been Taken in Cyberattack
Screen shots containing protected health information or personally identifiable information were posted.
April 24, 2024
Coding
Cybersecurity
CISA Releases 7 ICS Advisories
Unitronics, Rockwell and Mitsubishi head the list.
April 19, 2024
Financial Cyber
Cybersecurity
Alarming Trends Reinforced in Ransomware Attack of Semiconductor Mfr.
Experts assess the fallout from the Dark Angel attack on Nexperia.
April 19, 2024
Industrial Cyber
Cybersecurity
Hexagon, Dragos Announce Partnership
The team-up looks to "revolutionize OT cybersecurity."
April 18, 2024