Cisco UK & Ireland Blog

5 Steps to Protect Your Factory from a Ransomware Attack

February 15, 2017

The threat of downtime strikes fear into manufacturing businesses of every type, and with good reason – downtime inevitably costs money, and plenty of it. A recent analysis of downtime by sector estimated the cost of unexpected stoppages in the automotive industry at over £17,000 per minute. However, it’s no longer just malfunctioning machines and user error that manufacturers need to contend with in the battle to preserve productivity. Ransomware is the cyberattack of the moment, and it has the potential to send your productivity into freefall. It doesn’t discriminate, either: businesses of all sizes are at risk.

Ransomware involves businesses or individuals being taken hostage by malware that locks up critical resources. It uses traditional malware attack methods such as phishing emails and exploit kits to gain access to a desktop computer. Once there, it takes over systems and stored data, encrypting their contents, denying access, and holding them hostage until a ransom is paid. Ransomware uses well-established public/private key cryptography, so the only way to recover the files is either to pay the ransom or to restore them from backups. If the ransom demand is paid, the attacker often, but not always, provides the decryption keys to restore access.

This is the most profitable type of malware in history: every business or individual who pays to recover their files makes that payment directly to the attackers, who are usually organised criminals. Anonymous currencies such as Bitcoin and Ripple offer attackers an easy way to profit with relatively low risk, making ransomware highly lucrative and self-funding. Cisco Talos research shows that a single ransomware campaign can generate up to $60 million annually.

Worryingly, manufacturers are right up there at the top of the target list for ransomware attacks, as shown by recent Fortinet research. If you’re wondering just how much of a risk ransomware is to your business, here’s the anatomy of a ransomware attack on a manufacturer (based on a genuine example):

  • Day 1
    • An employee in the ‘carpeted’ factory office falls victim to a social engineering scheme when clicking an email attachment which has been made to look genuine, but is actually laced with malware.
    • Cryptowall malware gets on to the employee’s computer and quietly propagates throughout the company network, encrypting accounting data and files critical to several production systems as it goes.
  • Day 2
    • Hack is discovered when a colleague on the plant floor is unable to access production files and a message flashes up on screen warning him that the system and all files within it have been locked. The company has only 72 hours to pay a ransom to unlock it, or lose the files forever.
    • Production cannot be started, leaving the whole production line inactive and operatives with nothing to do.
  • Day 3
    • Downtime continues. Costs rack up.
    • Frantic activity between company IT and outsourced service provider.
  • Day 4
    • After two days of downtime, the manufacturer opts to pay the ransom to decrypt the system and brings in external consultants to clean the network.
  • Days 5-7
    • External consultants work round the clock but are unable to recover 100% of the lost data, as the hackers did not fully decrypt all of it and the company did not have up-to-date backups.
    • Significant damage to brand and reputation, as the manufacturer is unable to meet agreed deadlines or communicate clear timescales.

So why are manufacturers at such high risk from ransomware attacks, and what should you do if you are a victim?

Two key factors make manufacturers an attractive target for cyberattackers. The first is the perfect storm of digitisation: manufacturers are connecting their factory systems to their enterprise networks to drive improvements ranging from efficiency to flexibility to profitability, while still relying on legacy Industrial Automation and Control Systems (IACS) that were never conceived with security or IP connectivity in mind.

The second factor is a marked lack of preparedness. Manufacturers are behind the curve in security because they have not been held to compliance standards like those introduced in financial services (e.g. PCI) or the healthcare industry. This means there is lower investment in cybersecurity, and lower adoption of critical information security practices such as penetration testing, across the industrial sector.

To defend against ransomware attacks, having a robust architecture designed with security in mind is only the beginning. To recover well and with the minimum impact to your operations, it’s essential that you know the critical priorities for your factory, and whether they can be impacted if your systems are locked down.

Check out our top 5 tips for a rapid return to ‘business as usual’ following a ransomware attack:

  1. Ensure you have good backups. If you do weekly backups, transition to daily; if you do daily, consider hourly or real-time.
  2. Develop a good disaster recovery plan. And ensure that it is regularly tested and updated as the business grows and changes.
  3. Carry out security awareness training. Identify all of the people, processes, and tools necessary to handle a critical disruption or event. Perform drills to test these plans on a regular basis.
  4. Develop a comprehensive baseline of the applications, system images, information, and your normal running network performance. These give you visibility into changes on your network, enabling detection of the unusual.
  5. Use standardised images of operating systems and desktops. These allow for easy re-imaging to recover infected infrastructure.
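
One way to put tip 4 into practice, as an added example (not Cisco code): record a hash baseline of critical production files and flag the kind of sudden mass change described in the Day 1 scenario. The function names, the `.locked` extension, the sample file names and the 30% alert threshold are assumptions chosen for illustration.

```python
import hashlib
import os
import tempfile

def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[os.path.relpath(path, root)] = digest.hexdigest()
    return baseline

def compare(baseline, current, alert_ratio=0.3):
    """Diff two baselines; alert when the share of lost or changed files is unusual.

    alert_ratio is an assumed threshold: tune it to your normal rate of change.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    churn = (len(removed) + len(modified)) / max(len(baseline), 1)
    return {"added": added, "removed": removed, "modified": modified,
            "churn": churn, "alert": churn >= alert_ratio}

def demo():
    """Constructed sample: four production files, three replaced by unreadable copies."""
    with tempfile.TemporaryDirectory() as root:
        names = ("recipe_a.csv", "recipe_b.csv", "plc_config.xml", "ledger.xlsx")
        for name in names:
            with open(os.path.join(root, name), "w") as fh:
                fh.write("known-good contents of " + name)
        known_good = build_baseline(root)
        # Constructed change: originals vanish, random-looking files take their place.
        for name in ("recipe_a.csv", "recipe_b.csv", "ledger.xlsx"):
            os.remove(os.path.join(root, name))
            with open(os.path.join(root, name + ".locked"), "wb") as fh:
                fh.write(os.urandom(64))
        return compare(known_good, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the monitored hosts cannot write to, alongside the backups from tip 1, so that an infection cannot rewrite it.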

Next steps:

  • Read the previous blog in this series ‘4 Reasons Why Industrial Cyber-Attackers are Targeting Your Factory’
  • Watch our video on how to achieve connected factory security
  • Learn about the Cisco Ransomware Defence Solution
  • Check out our infographic on Connected Factory Security
  • Visit our web page to read more about Cisco solutions for manufacturers