“U.S. Steel Accuses China of Hacking” — Wall Street Journal, 2016
“Russian Hackers Attacked U.S. Nuclear, Aviation and Power Grid Infrastructure, FBI and DHS Warn.” — Newsweek, 2018
Social engineering, phishing, spoofing, dropping USBs, pretexting, hacking, patching, change management, the “internet of things,” malware, viruses — all these and more can create network or system vulnerabilities. What are manufacturers and utilities doing to secure data within their factory networks and industrial control systems (ICS)?
Protection of assets is critical, not just for the bottom line but for the safety of employees. Unfortunately, security practices for these networks often have not kept up with the evolving information technology environment. Bad actors have learned to exploit these vulnerabilities to steal data and commit industrial sabotage.
On April 26, 2016, U.S. Steel filed an International Trade Commission complaint alleging that Chinese hackers compromised a senior researcher’s user account in 2011. This researcher’s account was weaponized, and ultimately many gigabytes of research data related to the production of U.S. Steel’s proprietary lightweight steel were stolen.
Not long after, a Chinese company began producing and distributing this same lightweight steel within the U.S. In 2013, U.S. Steel began to record a decline in sales that would amount to $5.153 billion over a two-year period due to the hacking of their intellectual property — and this figure does not account for any impact the theft had on production, employment, or local economies.
Industrial hacking can also affect the supervisory control and data acquisition (SCADA) systems used to control the power grid. Advanced persistent threats (APTs) are also a concern; they utilize a continuous hacking process organized by governments or political entities to further business, organizational, or political objectives. APTs identify governments or companies that hold the information they want and then use stealthy means and hacking to acquire it.
The FBI and DHS have identified that Russian APTs have targeted critical infrastructure within the U.S. since at least March 2016, including the energy, nuclear, aviation, and manufacturing sectors. Government alert TA18-074A released by the National Cybersecurity & Communications Integration Center (NCCIC) includes the social engineering threat vector of reconnaissance and an active spear-phishing campaign. (A threat vector is a pathway or weakness within the system that can be exploited, and spear-phishing is a targeted social engineering attack used to trick critical personnel into handing over account and password information. These campaigns lead to targeting of ICS.)
Understanding the stakes
For many manufacturers and utilities, securing the manufacturing network/ICS is an acknowledged problem. As technology advances, the industrial network becomes increasingly connected to the internet, thus opening the protected network to hostile actors. Firewalls and other technologies are implemented to secure the perimeter. However, threat actors use a variety of techniques to bypass these controls to directly attack or exploit the industrial network.
The system designs for industrial networks have intrinsic vulnerabilities. Programmable logic controllers (PLCs) and ICS components — computer components within factories that are used to control factory systems — tend to lag behind modern security methodologies or simply were not built with IT security in mind. These controllers and components tend to rely on outdated operating systems and technologies with well-documented security vulnerabilities. Additionally, typical protection tools that are utilized for networks can conflict with or disrupt fragile components.
External and internal threats may have different goals in disruption. Theft of secrets often is not directly disruptive to internal day-to-day operations. Corporate espionage can have other lingering effects. It is best practice to perform regular backups of systems, and of the systems that control them, to reduce the risk of data loss. Additionally, backups should be tested to validate that data can be recovered.
Keep tabs on the risk
Ultimate responsibility for securing the industrial network rests with management, which should assess whether enough risk mitigation has been implemented to address security concerns. Additionally, management should understand how its industrial networks are susceptible to threat actors so that appropriate security controls can be implemented.
KraftCPAs can provide several risk management and advisory services to help understand system vulnerabilities and develop a blueprint for mitigating threats. A risk assessment can help analyze potential threats and promote understanding of system vulnerabilities and cyber risks. An evaluation of existing industrial network components, the IT controls protecting them, and how those controls are operating can also be performed. To address social engineering, system vulnerabilities, and cyber risks, we offer network security vulnerability assessments, penetration tests, and physical and logical social engineering testing to identify system risks.
The KraftCPAs risk assurance and advisory services (RAAS) group has an in-house team that performs the role of IT security advisors. We help clients evaluate and assess the operating effectiveness of security controls they have in place to protect critical manufacturing and ICS assets. Our services include evaluation and assessment of operating effectiveness of network security, external and internal penetration tests, and cybersecurity assessment services.
Our professionals have the experience and relevant credentials — such as the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) — to develop a long-term plan to appropriately secure an industrial network.
We welcome you to contact us and learn more about the services we can provide to help secure your network.